On Thu, Jan 13, 2005 at 08:42:05AM +0900, Aaron.Sterr wrote:
> On Wed, 12 Jan 2005, Charles R. Anderson wrote:
>
> > Passive FTP listens on random local ephemeral ports for data
> > connections set up by the 21/tcp control stream. If you are not using
> > a stateful firewall with a FTP helper, then you need to allow incoming
> > TCP connections to whatever range your FTP server uses for passive FTP
> > (defaults to the entire local port range). This is why I have always
> > set up my FTP server similar to this (older box using ipchains):
> >
>
> Passive FTP does NOT use the local ephemeral ports, that is traditional
> FTP behavior. Passive FTP uses the existing TCP connection for both
> the control and data channels, and is easier to firewall.

No. Charles is correct. If proof needed, use tcpdump.

Regards,
Luciano Rocha

-- 1/16
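Added example, not part of the original thread: a Python sketch of what a stateful firewall's FTP helper reads from the 21/tcp control stream, namely the separate data port the server announces in a 227 (PASV) or 229 (EPSV) reply. The sample replies, the address 192.0.2.10 and the 50000-50100 passive range are constructed assumptions.

```python
import re

# Constructed sample control-channel replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "229 Entering Extended Passive Mode (|||50123|)",
    "200 PORT command successful",
]

# 227: h1,h2,h3,h4,p1,p2 (RFC 959); 229: (<d><d><d>port<d>) (RFC 2428)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def passive_endpoint(reply, control_peer):
    """Return (host, port) the server listens on for the data connection, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        # EPSV carries only a port; the host is the control connection's peer.
        return (control_peer, port) if 0 < port <= 65535 else None
    return None


def expected_data_connection(reply, control_peer, passive_range):
    """Describe the inbound data connection a firewall must permit for this reply."""
    endpoint = passive_endpoint(reply, control_peer)
    if endpoint is None:
        return None
    host, port = endpoint
    low, high = passive_range
    return {
        "host": host,
        "port": port,
        # A reply advertising some other host than the control peer is worth flagging.
        "matches_control_peer": host == control_peer,
        # Without a helper, only ports inside the statically opened range get through.
        "in_static_range": low <= port <= high,
    }


if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", expected_data_connection(line, "192.0.2.10", (50000, 50100)))
```
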