On Thursday 17 June 2004 4:13 pm, Sagara Wijetunga wrote:
> Thanks very much for everybody's comments on this.
>
> In my Linux kernel, the "FTP protocol support" under
> "IP: Netfilter Configuration" is built into the
> kernel. Therefore, there is no ip_conntrack_ftp module
> to load.
>
> I use Linux kernel 2.6.5, I don't use NAT and I use
> iptables v1.2.10.
>
> Is it necessary to build ip_conntrack_ftp as a module?

Certainly not. I always build firewall kernels as monolithic (everything I need compiled in, no module support, so nothing can be loaded or unloaded afterwards).

There must be some reason why the conntrack table isn't recognising the reverse connection (I assume you *do* have connection tracking support compiled in as well? I can't recall if you have to have this before you even see the FTP question when building the kernel...)

What do you see in /proc/net/ip_conntrack when the connection is half-open (ie: about the same time as the log entry you posted appears)?

This seems strange.

Regards,

Antony.

-- 
There are only 10 types of people in the world: those who understand binary notation, and those who don't.

Please reply to the list; please don't CC me.
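As an added illustration (not part of the thread, and not the netfilter project's own tooling): a small POSIX sh helper that pulls the FTP control sessions and the half-open ([UNREPLIED]) TCP entries out of a /proc/net/ip_conntrack dump, which is what the reply above asks the poster to look at. The dump below is a constructed sample in the 2.6-era text layout (type, protocol number, timeout, state, then the original-direction tuple); the field positions it relies on are an assumption about that layout, and you would point the functions at the real /proc/net/ip_conntrack instead.

```sh
#!/bin/sh
# Constructed sample of a 2.6-era /proc/net/ip_conntrack dump (not real output):
# an established FTP control channel, a half-open high-port connection, and DNS.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40123 dport=21 src=203.0.113.5 dst=192.168.1.10 sport=21 dport=40123 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=203.0.113.5 sport=40130 dport=50213 [UNREPLIED] src=203.0.113.5 dst=192.168.1.10 sport=50213 dport=40130 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1
EOF

# Assumed layout of a tcp entry: $1=proto $2=proto-number $3=timeout $4=state,
# then the original-direction tuple $5=src $6=dst $7=sport $8=dport.

# Print state and original-direction src/dst/sport of every TCP entry whose
# original destination port is 21, i.e. the FTP control channels.
ftp_control_sessions() {
    awk '$1 == "tcp" && $8 == "dport=21" { print $4, $5, $6, $7 }' "$1"
}

# Print TCP entries still waiting for a reply packet: the half-open
# connections to compare against the timestamp of the dropped-packet log line.
unreplied_tcp() {
    awk '$1 == "tcp" && /\[UNREPLIED\]/ { print $4, $5, $6, $7, $8 }' "$1"
}

# Counts of the two categories above, for scripting and for the checks below.
count_ftp_control() {
    awk '$1 == "tcp" && $8 == "dport=21" { n++ } END { print n + 0 }' "$1"
}
count_unreplied_tcp() {
    awk '$1 == "tcp" && /\[UNREPLIED\]/ { n++ } END { print n + 0 }' "$1"
}

echo "FTP control sessions:"; ftp_control_sessions "$SAMPLE"
echo "Half-open TCP entries:"; unreplied_tcp "$SAMPLE"
```

If an FTP data connection is being dropped, you would expect the control channel to appear in the first list while the data connection either shows up as [UNREPLIED] or is missing entirely at the moment the log entry fires.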