On Sun, 03.04.2005 at 6:42, Justin Zygmont wrote:

> >> are you sure ftp_conntrack is even needed? I thought that's
> >> usually used just for stateful routing through a server, and
> >> not to connect to one from the outside.
> >
> > No, that's a different module: ip_nat_ftp. The ip_conntrack_ftp
> > module is required for the ESTABLISHED,RELATED rule to work for
> > incoming FTP connections.
>
> I don't see how that can be, because when I stop iptables it also unloads
> ftp_conntrack, and even ip_conntrack. I can get an ftp listing with
> iptables off and those modules unloaded. Here's what I have
> loaded, and it works until I restart iptables.

Please see http://slacksite.com/other/ftp.html to understand how it works.

If you stop iptables then of course no packet filter interferes with traffic and the ports are all open. When iptables is active and only port 21 is explicitly opened for state NEW connections, netfilter needs a helper module to recognize a connection to the passive high port as the result of an established,related FTP connection on port 21.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.771_FC2smp
Serendipity 17:04:49 up 4 days, 14:31, load average: 0.79, 0.66, 0.53
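Added here as an illustration, not code from the thread or from netfilter itself: a toy Python model of the decision Alexander describes. It assumes a ruleset that accepts NEW only on tcp/21 plus ESTABLISHED,RELATED, and a helper that, like ip_conntrack_ftp, reads the server's 227 PASV reply on the control channel to register the announced data port as an expected RELATED connection; the addresses and ports are constructed sample values.

```python
# Added example (not from the thread): a toy model of the netfilter decision
# the mail describes. INPUT allows NEW only to tcp/21 plus ESTABLISHED,RELATED;
# the "helper" mimics ip_conntrack_ftp by parsing the PASV reply on the
# control channel and registering an expectation for the data port.
# Addresses and port numbers below are constructed sample values.
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data port = p1*256 + p2
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Conntrack:
    def __init__(self, ftp_helper: bool):
        self.ftp_helper = ftp_helper
        self.established = set()    # (client, sport, dport) flows seen so far
        self.expected = set()       # (client, dport) registered by the helper

    def classify(self, client, sport, dport):
        if (client, sport, dport) in self.established:
            return "ESTABLISHED"
        if (client, dport) in self.expected:
            return "RELATED"
        return "NEW"

    def inbound_syn(self, client, sport, dport):
        """First packet of a client connection through the INPUT chain."""
        state = self.classify(client, sport, dport)
        if state in ("ESTABLISHED", "RELATED") or dport == 21:
            self.established.add((client, sport, dport))
            self.expected.discard((client, dport))   # expectation is consumed
            return "ACCEPT"
        return "DROP"                                # policy for other NEW

    def server_reply(self, client, line):
        """Control-channel text from the server; only the helper inspects it."""
        m = PASV_RE.match(line)
        if self.ftp_helper and m:
            p1, p2 = int(m.group(5)), int(m.group(6))
            self.expected.add((client, p1 * 256 + p2))


def passive_session(ftp_helper: bool):
    """Return (control verdict, data verdict) for one passive-mode transfer."""
    ct = Conntrack(ftp_helper)
    control = ct.inbound_syn("203.0.113.7", 50123, 21)
    # Server announces data port 40000 = 156*256 + 64 (constructed value)
    ct.server_reply("203.0.113.7", "227 Entering Passive Mode (192,0,2,10,156,64)")
    data = ct.inbound_syn("203.0.113.7", 50124, 40000)
    return control, data
```

With the helper the data connection is classified RELATED and accepted; without it the same packet is NEW to port 40000 and hits the drop policy, which is exactly the listing failure Justin sees once iptables is active.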