Well, autoloading ip_nat_ftp also loads ip_conntrack_ftp (since ip_nat_ftp requires it), which means the ftp connection tracker helper is loaded, which means ftp data connections will be considered RELATED connections by the netfilter stateful firewall.

Assuming you have a normal iptables setup of allowing RELATED and ESTABLISHED connections, then it will 'just work'. What will happen is the normal control connection to the FTP port will be allowed in by a normal -A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT rule, and the resulting passive/active data connections will be let in automagically by being RELATED (as determined by the ip_conntrack_ftp kernel module) to the already ACCEPTED ftp control connection, and thus the -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT rule will let the connection through.

Please note that you only need ip_nat_ftp if you're doing NAT; if not, then you can replace ip_nat_ftp with ip_conntrack_ftp in my suggestion (which will save the kernel from having to load all NAT related netfilter stuff).

Please also note that allowing RELATED connections in through a firewall isn't quite perfectly secure but is (still) the standard way of doing things (without it is a good deal more trouble and IMHO usually not really quite worth the effort).

vsftpd should allow passive connections by default and port numbers are no longer important (the RELATED magic should take care of it).

Assuming your vsftpd server is already working, that should be it...

Cheers,
MaZe.

On Thu, 29 Dec 2005, Andrew Rice wrote:

> what will that enable?
> high ports through the firewall for the ftp user?
>
> Andrew
>
>
> | Try adding ip_nat_ftp to the list of autoloaded modules
> |
> | # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
> | IPTABLES_MODULES="ip_nat_ftp"
> |
> | And restarting the firewall
> | # /etc/init.d/iptables condrestart
> |
> | Cheers,
> | MaZe.
> |
> | On Thu, 29 Dec 2005, Andrew Rice wrote:
> |
> | >Hey there,
> | >
> | >Would anyone care to help me out on where to go for configuring vsftpd for
> | >passive ftp transfer?
> | >I'm pretty sure that I will have to enable a rule in the firewall... am I
> | >right?
> | >
> | >
> | >
> | _______________________________________________
> | CentOS mailing list
> | CentOS@xxxxxxxxxx
> | http://lists.centos.org/mailman/listinfo/centos
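Worked example, added by the editor and not part of the thread above: a small POSIX shell script that puts MaZe's advice together in checkable form. It chooses the helper module to autoload (ip_nat_ftp only when the box does NAT, otherwise ip_conntrack_ftp), builds the IPTABLES_MODULES line for /etc/sysconfig/iptables-config, checks a config for it, and emits an iptables-restore ruleset in which port 21 is opened as NEW and the data connection rides in on ESTABLISHED,RELATED, with no high-port range opened. The names are the 2005-era ones the thread uses; the `modern` ruleset variant goes beyond the thread: on current kernels the modules are nf_conntrack_ftp/nf_nat_ftp and the helper is no longer attached automatically, so a CT rule in the raw table binds it to the control connection. The sample config contents and the `apply_ruleset` helper are the editor's assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example (editor's, not from the CentOS thread): vsftpd behind iptables
# using the ftp conntrack helper. Everything returns values so it can be checked
# without root; nothing touches the live firewall unless apply_ruleset is called.

# Helper module to autoload from /etc/sysconfig/iptables-config.
# ip_nat_ftp depends on ip_conntrack_ftp (and drags in the NAT core);
# a host that does no NAT only needs ip_conntrack_ftp.
ftp_helper_module() {
    # $1: "nat" if ftp traffic is NATed on this box, anything else otherwise
    case "$1" in
        nat) echo ip_nat_ftp ;;
        *)   echo ip_conntrack_ftp ;;
    esac
}

# The IPTABLES_MODULES= line suggested in the thread, for the chosen mode.
iptables_modules_line() {
    echo "IPTABLES_MODULES=\"$(ftp_helper_module "$1")\""
}

# True if the given iptables-config contents already autoload a module that
# provides the ftp helper (ip_nat_ftp pulls in ip_conntrack_ftp).
has_ftp_helper() {
    printf '%s\n' "$1" | grep -E '^IPTABLES_MODULES=.*(ip_nat_ftp|ip_conntrack_ftp)' >/dev/null
}

# Minimal ruleset in iptables-restore format. Port 21 is accepted as NEW; the
# data connection (active or passive, whatever port PORT/PASV negotiates)
# arrives as RELATED because the helper parsed the control channel, so no
# explicit high-port range is opened.
#   legacy: names the thread uses (-m state, ip_conntrack_ftp)
#   modern: nf_conntrack names; helpers are not auto-assigned any more, so the
#           raw-table CT rule attaches the ftp helper to the control connection
ftp_ruleset() {
    case "$1" in
        modern)
            cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
            ;;
        *)
            cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
            ;;
    esac
}

# Sanity check: the ESTABLISHED,RELATED accept must come before the final
# REJECT, and no port range (e.g. 1024:65535) may be opened for ftp data,
# since the helper makes that unnecessary.
ruleset_ok() {
    rules=$(ftp_ruleset "$1")
    rel=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
    rej=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n1 | cut -d: -f1)
    [ -n "$rel" ] && [ -n "$rej" ] && [ "$rel" -lt "$rej" ] &&
        ! printf '%s\n' "$rules" | grep -q -- '--dport [0-9]*:[0-9]*'
}

# Load the ruleset for real (root only). On the box in the thread you would
# then run "service iptables save" and "/etc/init.d/iptables condrestart".
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
    ftp_ruleset "$1" | iptables-restore
}

# Constructed sample contents of /etc/sysconfig/iptables-config (not from a real host)
CONFIG_BEFORE='IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"'
CONFIG_AFTER="$(iptables_modules_line nonat)
IPTABLES_MODULES_UNLOAD=\"yes\""
```

The reason the thread calls RELATED "not quite perfectly secure" is visible in the ruleset: the expectation that lets the data connection in is built from addresses and ports the helper parses out of the control channel, so the firewall trusts what it reads there. On the `modern` variant, binding the helper with a CT rule scoped to port 21 at least keeps it from inspecting any other traffic.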