On Fri 23/05/2003 at 10:56, Eric Constantineau wrote:
> I want to be able to use passive ftp under my firewall...

Use Netfilter conntrack functionalities:

# modprobe ip_conntrack_ftp

[...]
> Is there a specific range of ports that all passive ftp use ?

Using FTP conntrack helper, you can spot data connections with RELATED
state. A setup could be:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
	-j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -s $LAN \
	--dport 21 -o $EXTIF -j ACCEPT

Once a FTP connection is up, further packets are handled by the ESTABLISHED
state rule, and data connection initiation is handled by the RELATED state.

If you're using NAT, then you will need to modprobe the ip_nat_ftp module.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
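
Added example, not part of the original message: a simplified Python model (not kernel code) of why the two rules above need no fixed passive port range. The helper reads the server's 227 reply on the control connection and registers a one-time expectation for the announced port. ToyFirewall and passive_session are hypothetical names, the addresses are constructed, and a default FORWARD policy of DROP is assumed.

```python
import re

# Server reply to PASV: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class ToyFirewall:
    """Simplified model of conntrack, the FTP helper and the two FORWARD rules."""

    def __init__(self, ftp_helper=True):
        self.ftp_helper = ftp_helper   # models whether ip_conntrack_ftp is loaded
        self.established = set()       # accepted (client, server, dport) flows
        self.expected = set()          # data flows announced on a control channel

    def forward(self, client, server, dport):
        """Classify a client->server packet and apply the rules (-s/-o matches omitted)."""
        flow = (client, server, dport)
        state = ("ESTABLISHED" if flow in self.established
                 else "RELATED" if flow in self.expected else "NEW")
        accept = state in ("ESTABLISHED", "RELATED") or (state == "NEW" and dport == 21)
        if accept:
            self.established.add(flow)     # only accepted flows become tracked
            self.expected.discard(flow)    # an expectation is consumed once
        return state, "ACCEPT" if accept else "DROP"

    def control_reply(self, client, server, line):
        """Helper hook: inspect a server reply seen on a tracked port 21 connection."""
        m = PASV_RE.match(line)
        if not (self.ftp_helper and m and (client, server, 21) in self.established):
            return None
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255 or ".".join(map(str, nums[:4])) != server:
            return None                    # malformed, or points at another host
        port = nums[4] * 256 + nums[5]
        self.expected.add((client, server, port))
        return port

def passive_session(ftp_helper):
    """Replay a constructed passive FTP session; return (state, verdict) per packet."""
    fw = ToyFirewall(ftp_helper)
    c, s = "192.168.1.10", "203.0.113.5"   # constructed LAN client and FTP server
    out = [fw.forward(c, s, 21)]           # control connection SYN
    fw.control_reply(c, s, "227 Entering Passive Mode (203,0,113,5,195,80)")
    data_port = 195 * 256 + 80             # 50000, chosen by the server per transfer
    out.append(fw.forward(c, s, data_port))    # data connection SYN
    out.append(fw.forward(c, s, data_port))    # a later packet on the data flow
    return out
```

In this model, passive_session(False) shows the data connection staying NEW and being dropped, which is the symptom seen when the helper module is not loaded.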