On Mon, 2005-02-07 at 17:45 -0700, Ashley M. Kirchner wrote:
> Paul Howarth wrote:
>
> > Change 127.0.0.1 to your LAN IP address if you want it to accept
> > connections from your LAN only. You could connect to your own computer
> > this way but you'd have to use the LAN address rather than "localhost"
> > when connecting.
> >
> > If you want to allow connections from localhost *and* your LAN then it
> > gets a bit more complicated, e.g. using iptables to restrict incoming
> > connections, or running 2 vsftpd instances, one listening on the
> > localhost address and one on your LAN IP address.
>
> Well, let's see here. It is a public server which answers to www
> calls (it has a public IP as well.) One of the sites connects locally
> to an FTP applet for file uploads (which basically opens a connection to
> the local vsftpd daemon.) So, setting it to listen to localhost would
> work ... however, there will be other machines on our network (not
> necessarily on the same LAN) that will connect to this server. We have
> three subnets on our (public) network so I need to be able to cross from
> one subnet, through our router, back into the other subnet and to vsftpd
> running on this machine.
>
> So, as far as the www site is concerned, yes I can set it to listen
> to localhost, however that will prevent any of our other machines from
> connecting to it. And setting it to its LAN IP will prevent machines on
> the other subnets from reaching it. At least, I think it will. I'm
> stuck I think.
>
> --A

man vsftpd.conf, man vsftpd, and iptables should make it very possible.
With iptables you can prevent any IP address except the ones authorized
from connecting to a specific port.

Answering to public IP calls _usually_ implies that the machine has a
routeable public IP. If so, then you are not dealing with NAT (at least in
some respects) and that simplifies it.
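The iptables approach suggested above, as an added example that is not part of the thread: a small POSIX shell helper that emits the rules needed to accept connections to vsftpd's control port only from the loopback interface and a list of authorised subnets, dropping every other source. The function name, the port argument and the RFC 5737 documentation subnets used in the usage line are assumptions standing in for the poster's real three subnets.

```shell
#!/bin/sh
# Added example, not from the thread: print iptables rules that accept
# connections to vsftpd's control port only from loopback and a list of
# authorised subnets, and drop everything else. Commands are printed rather
# than executed so the rule set can be reviewed first; apply with:
#   ftp_rules 21 <subnet>... | sh
#
# ftp_rules PORT SUBNET...
ftp_rules() {
    port=$1
    shift
    # Keep the local upload applet working over the loopback interface.
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
    # One ACCEPT per authorised subnet. Traffic from the other subnets still
    # arrives through the router with its original source address, so a
    # source match on each subnet is sufficient.
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$net"
    done
    # Anything else that reaches the port is dropped.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Number of rules a call would produce: loopback + one per subnet + final DROP.
ftp_rule_count() {
    ftp_rules "$@" | wc -l | tr -d ' '
}

# Usage with constructed placeholder subnets (RFC 5737 documentation ranges),
# standing in for the poster's three public subnets.
ftp_rules 21 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
```

If the INPUT chain's default policy is DROP, the passive-mode data port range (pasv_min_port/pasv_max_port in vsftpd.conf) needs the same source restrictions, or logins will succeed but directory listings and transfers will hang.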