RE: Allow active and passive FTP connections

Is it necessary to build ip_conntrack_ftp as a module?
If you want to do ports other than 21: on 2.4, yes; on 2.6, no, you can
use the append="" option in LILO.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sagara
Wijetunga
Sent: Thursday, June 17, 2004 11:13 AM
To: netfilter
Subject: Re: Allow active and passive FTP connections

--- Antony Stone <Antony@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thursday 17 June 2004 1:13 pm, Piszcz, Justin Michael wrote:
> 
> > I think he meant, modprobe ip_conntrack_ftp and if you are behind nat
> > there is a module for that as well.
> 
> insmod should do the job perfectly well.
> 
> NAT is very unlikely when the rules are running on the FTP server itself
> (they're in the INPUT & OUTPUT chains).
> 
Thanks very much for everybody's comments on this. 

In my Linux kernel, the "FTP protocol support" under
"IP: Netfilter Configuration" is built into the
kernel. Therefore, there is no ip_conntrack_ftp module
to load.

I use Linux kernel 2.6.5, I don't use NAT and I use
iptables v1.2.10.

I noticed "IP: kernel level autoconfiguration" was not
set. I just built that into the kernel as well,
recompiled, reinstalled the Linux kernel, rebuilt all
modules, rebooted the server and retried the FTP
connection. But my problem is still the same.

For active FTP connections it drops the following
packet:
Jun 17 22:51:04 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=[server IP addr] DST=[client IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33736 DF PROTO=TCP SPT=20 DPT=32914 WINDOW=5840 RES=0x00 SYN URGP=0

For passive FTP connections it drops the following
packet:
Jun 17 22:54:12 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=[client IP addr] DST=[server IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40886 DF PROTO=TCP SPT=32916 DPT=32769 WINDOW=5840 RES=0x00 SYN URGP=0

Is it necessary to build ip_conntrack_ftp as a module?


Sagara
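
A triage script for LOG output like the two entries in the message above, added here as an example and not part of the thread: it flags dropped SYNs that look like FTP data connections, which a ruleset accepting RELATED traffic only lets through when the FTP conntrack helper is tracking the control channel. The IP addresses, the third log line, the function names and the port heuristics are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input modelled on the LOG entries in the message above.
# 192.0.2.10 (server) and 198.51.100.7 (client) are placeholder addresses;
# the third line (a SYN to port 23) is a constructed non-FTP control case.
SERVER_IP = "192.0.2.10"
SAMPLE_LOG = """\
Jun 17 22:51:04 svr1 kernel: OUTPUT PKT DROPPED: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33736 DF PROTO=TCP SPT=20 DPT=32914 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 22:54:12 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40886 DF PROTO=TCP SPT=32916 DPT=32769 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 22:55:40 svr1 kernel: INPUT PKT DROPPED: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40901 DF PROTO=TCP SPT=32920 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; value may be empty (IN=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Return (fields, flags) for one netfilter LOG line."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(line, server_ip=SERVER_IP):
    """Label a dropped packet as a likely FTP data-channel SYN, or 'other'."""
    fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP" or flags != {"SYN"}:
        return "other"                        # only bare SYNs open a data channel
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    outbound = fields.get("IN") == "" and fields.get("SRC") == server_ip
    inbound = fields.get("OUT") == "" and fields.get("DST") == server_ip
    if outbound and spt == 20 and dpt >= 1024:
        return "active-data"                  # server dials out from ftp-data (20)
    if inbound and spt >= 1024 and dpt >= 1024:
        return "passive-data"                 # heuristic: client dials a high server port
    return "other"

def summarize(log_text, server_ip=SERVER_IP):
    """Count classifications over a block of log text."""
    return Counter(classify(l, server_ip) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_LOG).items():
        print(f"{kind}: {count}")
```

Lines reported as `active-data` or `passive-data` are the ones to check against the ruleset's RELATED handling and the state of the FTP conntrack helper; the passive heuristic also matches any other dropped SYN between two high ports.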


	
		