Re: allowing passive FTP from the outside

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am So, den 03.04.2005 schrieb Justin Zygmont um 6:42:

> >> are you sure ftp_conntrack is even needed?  I thought that's
> >> usually used just for stateful routing through a server, and
> >> not to connect to one from the outside.
> >
> > No, that's a different module: ip_nat_ftp. The ip_conntrack_ftp
> > module is required for the ESTABLISHED,RELATED rule to work for
> > incoming FTP connections.
> 
> I don't see how that can be, because when I stop iptables it also unloads 
> ftp_conntrack, and even ip_conntrack.  I can get a ftp listing with 
> iptables is off and those modules unloaded.  here's what I have 
> loaded, and it works until I restart iptables.

Please see http://slacksite.com/other/ftp.html to understand how it
works.
If you stop iptables then of course no packet filter interferes with
traffic and the ports are all open. When iptables is active and only
port 21 is explicitly opened for state NEW connections the netfilter
needs a helper module to recognize a connection to the passive high port
to be a result from an established,related FTP connection on port 21.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.771_FC2smp 
Serendipity 17:04:49 up 4 days, 14:31, load average: 0.79, 0.66, 0.53 

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux