Re: passive mode ftp

On Fri 23/05/2003 at 10:56, Eric Constantineau wrote:
> I want to be able to use passive ftp under my firewall...

Use Netfilter conntrack functionalities:

# modprobe ip_conntrack_ftp

[...]
> Is there a specific range of ports that all passive ftp use ?

Using the FTP conntrack helper, you can spot data connections with the RELATED
state. A setup could be:

	iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
		-j ACCEPT
	iptables -A FORWARD -m state --state NEW -p tcp -s $LAN \
		--dport 21 -o $EXTIF -j ACCEPT

Once an FTP connection is up, further packets are handled by the ESTABLISHED
state rule, and data connection initiation is handled by the RELATED state.

If you're using NAT, then you will need to modprobe the ip_nat_ftp module.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
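The ruleset from the reply above, as an added example that is not part of the original post. It wraps the module loading and the two FORWARD rules in a dry-run script (the commands are printed rather than executed unless DRY_RUN is unset), adds the NAT case the reply mentions, and shows in shell arithmetic what the FTP conntrack helper derives from the server's PASV reply in order to mark the data connection as RELATED. The LAN network, the EXTIF interface name and the sample 227 reply are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the ruleset
# described above in a dry-run form (DRY_RUN=1 prints the commands instead of
# running them) and shows, in shell arithmetic, what the FTP conntrack helper
# computes from the server's PASV reply. LAN and EXTIF are assumed placeholders.
LAN="${LAN:-192.168.1.0/24}"
EXTIF="${EXTIF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The helper reads "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" on the
# control channel and derives the data port as p1*256 + p2; the client's
# later connection to that port is then matched with the RELATED state.
# Prints the port for a 227 reply; prints nothing and fails otherwise.
pasv_data_port() {
    ports=$(printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\5 \6/p')
    [ -n "$ports" ] || return 1
    set -- $ports
    echo $(($1 * 256 + $2))
}

# Load the helper and install the two FORWARD rules from the post; with
# USE_NAT=1 also load ip_nat_ftp and masquerade the LAN behind EXTIF.
ftp_firewall_rules() {
    run modprobe ip_conntrack_ftp
    if [ "${USE_NAT:-0}" = 1 ]; then
        run modprobe ip_nat_ftp
    fi
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state NEW -p tcp -s "$LAN" \
        --dport 21 -o "$EXTIF" -j ACCEPT
    if [ "${USE_NAT:-0}" = 1 ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
    fi
}

# Constructed sample reply, as a server would send it on the control channel.
SAMPLE_PASV='227 Entering Passive Mode (192,168,1,10,195,80)'
echo "data port from PASV reply: $(pasv_data_port "$SAMPLE_PASV")"
ftp_firewall_rules
```

Two caveats worth keeping in mind when applying this: the helper can only derive the data port because the control channel is clear text, so it cannot follow FTP sessions whose control channel is protected by TLS; and on current kernels the modules are named nf_conntrack_ftp and nf_nat_ftp and automatic helper assignment is disabled, so the helper has to be bound to port 21 traffic explicitly with a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` before the RELATED rule will match the data connection.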


