On Wed, 12.01.2005 at 17:03, Charles R. Anderson wrote:

> Passive FTP listens on random local ephemeral ports for data
> connections set up by the 21/tcp control stream. If you are not using
> a stateful firewall with an FTP helper, then you need to allow incoming
> TCP connections to whatever range your FTP server uses for passive FTP
> (defaults to the entire local port range). This is why I have always
> set up my FTP server similar to this (older box using ipchains):
>
> /etc/sysctl.conf:
> net.ipv4.ip_local_port_range = 60000 65535
>
> /etc/vsftpd.conf:
> pasv_min_port=59000
> pasv_max_port=59999
>
> /etc/sysconfig/ipchains:
> -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
> -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
> -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
> -A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY

It is much better to use the ip_conntrack_ftp iptables helper module and the stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to "blindly" open a range of high ports. Why use ipchains, which is not stateful, when you have iptables? This can easily be done with the default Fedora Core iptables rules by adding ip_conntrack_ftp to IPTABLES_MODULES="" in /etc/sysconfig/iptables-config.

Alexander

-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.10-1.8_FC2smp
Serendipity 00:55:04 up 1 day, 23:05, load average: 0.98, 0.85, 0.71
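The three files Charles quotes only work together if their port numbers agree: the vsftpd passive range must sit outside ip_local_port_range, and the firewall must accept exactly that range plus port 21. The following consistency check is an added example written for this thread, not code from either poster; the config strings are constructed from the quoted values, and the function names (ephemeral_range, pasv_range, tcp_accept_ranges, check) are this example's own.

```python
import re

SYSCTL_CONF = "net.ipv4.ip_local_port_range = 60000 65535\n"  # constructed sample, values as quoted in the thread
VSFTPD_CONF = "listen=YES\npasv_min_port=59000\npasv_max_port=59999\n"  # constructed sample
IPCHAINS_RULES = """\
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
"""  # constructed sample, rules as quoted in the thread

def ephemeral_range(sysctl_text):
    # (low, high) of net.ipv4.ip_local_port_range, or None if unset
    m = re.search(r"^\s*net\.ipv4\.ip_local_port_range\s*=\s*(\d+)\s+(\d+)", sysctl_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def pasv_range(vsftpd_text):
    # (pasv_min_port, pasv_max_port), or None if vsftpd is left at its default (any local port)
    vals = dict(re.findall(r"^\s*(pasv_(?:min|max)_port)\s*=\s*(\d+)", vsftpd_text, re.M))
    if len(vals) < 2:
        return None
    return int(vals["pasv_min_port"]), int(vals["pasv_max_port"])

def tcp_accept_ranges(rules_text):
    # destination port ranges (low, high) of the TCP (-p 6) ACCEPT rules
    ranges = []
    for line in rules_text.splitlines():
        m = re.search(r"\s(\d+):(\d+)\s", line)
        if m and "-p 6" in line and "-j ACCEPT" in line:
            ranges.append((int(m.group(1)), int(m.group(2))))
    return ranges

def check(sysctl_text, vsftpd_text, rules_text):
    """Return a list of findings; an empty list means the three files agree."""
    pasv = pasv_range(vsftpd_text)
    if pasv is None:
        return ["vsftpd sets no pasv_min_port/pasv_max_port: PASV data ports span the whole local port range"]
    lo, hi = pasv
    findings = []
    eph = ephemeral_range(sysctl_text)
    # outgoing connections must not grab ports the daemon hands out for PASV data
    if eph and lo <= eph[1] and eph[0] <= hi:
        findings.append("passive range %d-%d overlaps ip_local_port_range %d-%d" % (lo, hi, eph[0], eph[1]))
    accepts = tcp_accept_ranges(rules_text)
    if not any(a <= lo and hi <= b for a, b in accepts):
        findings.append("no TCP ACCEPT rule covers the passive range %d-%d" % (lo, hi))
    # anything accepted beyond port 21 and the passive range is a "blindly" opened port
    for a, b in accepts:
        if (a, b) != (21, 21) and (a < lo or b > hi):
            findings.append("ACCEPT %d:%d opens TCP ports outside the passive range" % (a, b))
    return findings
```

With the quoted values the check returns no findings; shifting pasv_min_port into the 60000-65535 ephemeral range, or widening the ACCEPT rule, produces a finding for each mismatch.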