On Friday 18 October 2002 08:21, Francois Dessart wrote:
> Thanks for this explanation.
>
> > > Passive FTP does not use tcp/20 at all. Instead of the server connecting
> > > to the client, the client connects to the server for data transfers. The
> > > server chooses an arbitrary port for the client to connect to. The intent
> > > of passive FTP was to work around firewalls that don't permit inbound
> > > connections.
>
> So with passive FTP, both ports (source and dest) are dynamic. Correct?
> How to match this data transfer with iptables?

There is a -m helper option so you can load additional modules. There is a
module that matches ftp packets (both data and control), but I don't know the
syntax. A google search on "iptables -m helper ftp" will help.

http://www.netfilter.org/documentation/pomlist/pom-oldnat.html#helper :

  If you want to match all packets belonging to ftp-sessions:
  (both ftp-command and ftp-data connections)

    iptables -A INPUT -m helper --helper ftp -j ACCEPT

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
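What the ftp helper discussed above has to do to follow a passive transfer, as an added Python example (not from this thread or from netfilter): it parses the server's 227 reply, derives the dynamic data port as p1*256 + p2, and records the client-to-server data connection a stateful firewall should expect. The host-mismatch check and the sample replies are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex for the FTP 227 reply, e.g. "227 Entering Passive Mode (10,0,0,5,195,80)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) announced by a PASV reply, or None if the line is not one.
    The port is p1*256 + p2 (RFC 959): the same arithmetic the ftp helper performs
    to learn which arbitrary server port the client's data connection will go to."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # malformed reply: refuse rather than expect a bogus connection
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ".".join(str(o) for o in octets[:4]), port

def passive_data_expectations(client_ip: str, server_ip: str,
                              server_lines: List[str]) -> List[Dict[str, object]]:
    """Walk the server's control-channel replies and return the data connections
    (client -> announced host:port) a stateful firewall should expect.
    Replies announcing a host other than the control server are ignored; that
    sanity check is this example's own."""
    expected: List[Dict[str, object]] = []
    for line in server_lines:
        parsed = parse_pasv_reply(line)
        if parsed is None:
            continue
        host, port = parsed
        if host != server_ip:
            continue
        expected.append({"proto": "tcp", "src": client_ip, "dst": host, "dport": port})
    return expected

# Constructed sample of a server's control-channel replies (not a real capture).
SAMPLE_SERVER_LINES = [
    "230 Login successful.",
    "227 Entering Passive Mode (10,0,0,5,195,80).",
    "150 Here comes the directory listing.",
    "227 Entering Passive Mode (192,168,9,9,4,1).",  # ignored: host mismatch
]
```

Running passive_data_expectations("10.0.0.99", "10.0.0.5", SAMPLE_SERVER_LINES) yields a single expectation for tcp/50000 on the server, which is exactly the dynamic connection the rule above lets through while the control session is tracked.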