On Thursday 22 January 2009 17:28, Agile Aspect wrote:
> Regarding item (2), I would guess I would have to add the following
> entries:
>
> Active:
> ---------
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20
> --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT

All FTP connections begin with port 21. Port 20 is a DATA connection.
ip_conntrack_ftp will track connections needing the data port open.

> Passive:
> ----------
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
> 40000:60000 --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT

Do you have a rule like this:

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If not you should place this in your rules. This rule eliminates the need to
continuously add rules to allow outgoing connections for allowed incoming
connections. If you do then you should not need the OUTPUT rules you listed
above.

--
Regards
Robert
Linux User #296285
http://counter.li.org

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
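To illustrate Robert's point, here is an added toy model (not code from the thread or from the netfilter project) of how the state match and the FTP helper interact: with a RELATED,ESTABLISHED rule in place, the passive-mode data connection is accepted as RELATED because the helper parsed the 227 reply on the control connection, so no explicit 40000:60000 rule is needed. The addresses, ports and the 227 reply are constructed sample values; the classes and functions are hypothetical names for the simulation, not a netfilter API.

```python
import re

# nf_conntrack_ftp creates an expectation from the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class Conntrack:
    """Toy connection tracker: established flows plus helper-created expectations."""
    def __init__(self, ftp_helper=True):
        self.flows = set()       # frozenset of the two endpoints of each tracked TCP flow
        self.expected = set()    # (client_ip, server_ip, data_port) learned from PASV replies
        self.ftp_helper = ftp_helper

    def state(self, pkt):
        """Classify a packet the way '-m state' would: ESTABLISHED, RELATED or NEW."""
        flow = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if flow in self.flows:
            return "ESTABLISHED"
        if (pkt["src"], pkt["dst"], pkt["dport"]) in self.expected:
            return "RELATED"
        return "NEW"

    def track(self, pkt):
        """Record an accepted packet's flow; the helper inspects control-channel replies."""
        self.flows.add(frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        if self.ftp_helper and pkt["sport"] == 21:
            m = PASV_RE.match(pkt.get("payload", ""))
            if m:
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.expected.add((pkt["dst"], pkt["src"], port))  # client -> server:port

def filter_packet(ct, chain, pkt):
    """Rule set from the thread: RELATED,ESTABLISHED first, then NEW only to port 21."""
    st = ct.state(pkt)
    if st in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"                     # -m state --state RELATED,ESTABLISHED -j ACCEPT
    elif chain == "INPUT" and pkt["dport"] == 21:
        verdict = "ACCEPT"                     # -m state --state NEW -p tcp --dport 21 -j ACCEPT
    else:
        verdict = "DROP"
    if verdict == "ACCEPT":
        ct.track(pkt)
    return st, verdict

def passive_session(ftp_helper=True):
    """Server-side view of a passive transfer; returns (state, verdict) for the data connection."""
    ct = Conntrack(ftp_helper)
    client, server = "192.0.2.10", "198.51.100.5"   # constructed sample addresses
    filter_packet(ct, "INPUT", {"src": client, "sport": 41000, "dst": server, "dport": 21})
    filter_packet(ct, "OUTPUT", {"src": server, "sport": 21, "dst": client, "dport": 41000,
                                 "payload": "227 Entering Passive Mode (198,51,100,5,195,80)"})
    return filter_packet(ct, "INPUT", {"src": client, "sport": 41001, "dst": server, "dport": 50000})
```

Running `passive_session()` yields ("RELATED", "ACCEPT"); with `ftp_helper=False` the same data connection is classified NEW and dropped, which is the situation that tempts people into adding the wide port-range rules quoted above.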