Eucke Warren wrote:
I noticed that no one suggested setting the pasv_min_port and pasv_max_port
in the /etc/vsftpd/vsftpd.conf and then opening the corresponding ports in
iptables. Any particular reason why? I am not what I would consider
proficient enough with vsftp to know whether either of the previous two
answers addressed the whole issue of PASV mode.
-Eucke
The use of the iptables module for ftp connection tracking in
conjunction with iptables rules to allow packets of state
ESTABLISHED,RELATED and from anywhere to tcp port 21 dynamically enables
packets for a data connection that is specified between the server and
client by directives on the ftp control connection. In other words, it
will intelligently allow data connections that the control connection
specifies. This is better than blindly opening specific ports or a range of
ports that you constrain your ftp server to use, in that it only allows
the necessary client address to access its data connection, not other
clients attempting to do so.
Chris
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
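The two approaches discussed in this thread side by side, as an added example that is not part of either poster's message: one function derives the pasv_min_port/pasv_max_port range from a vsftpd.conf and opens it for every client, the other loads the ftp conntrack helper so only the data connection negotiated on port 21 by that client is matched as RELATED. The config file is a constructed sample; IPT and MODPROBE default to echoing the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults print the rules instead of
# applying them; set IPT=iptables MODPROBE=modprobe to run them as root.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Read a numeric key=value directive from a vsftpd.conf, ignoring comments;
# the last occurrence wins.
conf_value() {            # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Approach 1 (Eucke's suggestion): open the fixed passive range to everyone.
# Fails if the range is missing or inverted, so no rule is emitted for a
# misconfigured server.
pasv_range_rules() {      # $1 = config file
    min=$(conf_value "$1" pasv_min_port)
    max=$(conf_value "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$min:$max" -j ACCEPT
}

# Approach 2 (Chris's answer): the ftp conntrack helper parses the PASV
# reply on the control connection and marks the data connection RELATED,
# so only the client that negotiated it gets through.
conntrack_rules() {
    $MODPROBE nf_conntrack_ftp   # ip_conntrack_ftp on the kernels of the thread's era
    # Kernels since 4.7 no longer auto-assign helpers; bind it explicitly.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Constructed sample config standing in for /etc/vsftpd/vsftpd.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF

echo "# fixed-range rules:";  pasv_range_rules "$SAMPLE_CONF"
echo "# conntrack rules:";    conntrack_rules
```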