Klaus Ethgen wrote:
>
> On Sat, 19 Feb 2011 at 18:42, Pascal Hambourg wrote:
>
>> Connections on port 21 are control connections. Port 21 is used neither
>> for active nor passive data connections.
>
> Hmm... Yes, you are right. Nevertheless that port is only looked at as
> src and not as dst.

If you were right then active mode would not work, as PORT commands are
sent to the destination port 21.

> But on a server the dst is port 21.

On a server the port 21 is the destination port for incoming packets and
the source port for outgoing packets.

>>> As I read the code there seems no way to find a PORT command in outgoing
>>> connections. But that has to be detected when DNAT is used.
>>
>> What do you mean by "outgoing connections"?
>
> Well, a bit confusing, I admit.

Sorry to say, but all your explanations are confusing.

> On a client system I have SNAT so on INPUT on the external interface I
> see port 21.

Are you using SNAT directly on the client? Why?
What does SNAT have to do with INPUT?
What is the exact rule?

> On a server I have DNAT so on OUTPUT I see the (destination) port
> 21. But exactly that does not trigger the helper.

Are you using DNAT directly on the server? Why?
What does DNAT have to do with OUTPUT?
What is the exact rule?

> And exactly that is what I find by tests. If I do an active connection the
> client is sending PORT to the server and the connection works well. But
> if I try to use passive the server sends the PORT command and the
> conntrack helper never recognizes the traffic as ftp related.

Huh? The server sends a PORT command? This is not possible. A server
does not send commands. It only replies to commands received from the
client.

--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
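The point of the exchange above is that the two FTP modes announce the data-channel endpoint in opposite directions of the same control connection: in active mode the client sends a PORT command (client to server, destination port 21), while in passive mode the server answers PASV with a 227 reply (server to client, source port 21), and a server never sends PORT at all. A connection-tracking helper therefore has to parse both directions. The following Python script is an added illustration of that logic written for this page; it is not code from the thread, from the kernel's nf_conntrack_ftp helper, or from either participant. The control session it walks is constructed, the addresses are documentation ranges, and the `directions` parameter exists only to show what a helper that inspects a single direction would miss.

```python
"""Direction-aware extraction of FTP data-channel endpoints from a control
session. Added example for this page; not from the linux-net thread or the
kernel helper. The sample session below is constructed."""
import re
from dataclasses import dataclass

# Direction labels for lines on the control connection (TCP port 21 on the server).
C2S = "client->server"   # server side sees dst port 21
S2C = "server->client"   # server side sees src port 21

# Client command announcing the client's listening socket (active mode, RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server reply announcing the server's listening socket (passive mode, RFC 959).
PASV_REPLY_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Server reply for extended passive mode (RFC 2428): only the port is carried,
# the address is the server's own control-connection address.
EPSV_REPLY_RE = re.compile(r"^229\s.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str        # "active" (client listens) or "passive" (server listens)
    ip: str
    port: int
    direction: str   # which direction of the control stream announced it


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form; return None if any field is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def extract_data_endpoints(control_lines, directions=(C2S, S2C), server_ip=None):
    """Walk a control session given as [(direction, line), ...] and return the
    data-channel endpoints it announces. `directions` restricts which side of
    the stream is parsed; `server_ip` is needed to resolve EPSV replies."""
    found = []
    for direction, raw in control_lines:
        if direction not in directions:
            continue
        line = raw.rstrip("\r\n")
        if direction == C2S:
            # Only the client ever sends PORT.
            m = PORT_RE.match(line)
            if m and (hp := _hostport(m.groups())):
                found.append(DataEndpoint("active", hp[0], hp[1], direction))
        else:
            # The server never sends commands; it announces passive endpoints in replies.
            m = PASV_REPLY_RE.match(line)
            if m and (hp := _hostport(m.groups())):
                found.append(DataEndpoint("passive", hp[0], hp[1], direction))
                continue
            m = EPSV_REPLY_RE.match(line)
            if m and server_ip is not None and int(m.group(1)) <= 65535:
                found.append(DataEndpoint("passive", server_ip, int(m.group(1)), direction))
    return found


# Constructed control session: one active transfer, one PASV transfer, one EPSV transfer.
SAMPLE_SESSION = [
    (S2C, "220 ftp service ready\r\n"),
    (C2S, "USER anonymous\r\n"),
    (S2C, "331 Password required\r\n"),
    (C2S, "PASS guest@example.invalid\r\n"),
    (S2C, "230 Logged in\r\n"),
    (C2S, "PORT 192,0,2,10,195,80\r\n"),                       # client listens on 192.0.2.10:50000
    (S2C, "200 PORT command successful\r\n"),
    (C2S, "RETR file1\r\n"),
    (S2C, "150 Opening data connection\r\n"),
    (S2C, "226 Transfer complete\r\n"),
    (C2S, "PASV\r\n"),
    (S2C, "227 Entering Passive Mode (198,51,100,7,234,96)\r\n"),  # server listens on 198.51.100.7:60000
    (C2S, "RETR file2\r\n"),
    (S2C, "150 Opening data connection\r\n"),
    (S2C, "226 Transfer complete\r\n"),
    (C2S, "EPSV\r\n"),
    (S2C, "229 Entering Extended Passive Mode (|||60001|)\r\n"),  # server listens on 198.51.100.7:60001
]

if __name__ == "__main__":
    for ep in extract_data_endpoints(SAMPLE_SESSION, server_ip="198.51.100.7"):
        print(f"{ep.mode:8s} {ep.ip}:{ep.port}  announced {ep.direction}")
    only_c2s = extract_data_endpoints(SAMPLE_SESSION, directions=(C2S,), server_ip="198.51.100.7")
    print("inspecting client->server only finds:", [ep.mode for ep in only_c2s])
```

Running it with both directions enabled yields the active endpoint from the PORT line and the two passive endpoints from the 227 and 229 replies; restricting the parser to the client-to-server direction (packets whose destination port is 21) finds only the active one, which is the symptom described in the quoted message.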