On Mon, 2004-11-29 at 13:19, Ashutosh wrote:
> > no--but you need to write scripts like this:
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >   allows packets that match connections in the conntrack table
> > iptables -A FORWARD -p tcp --syn --dport 21 -j ACCEPT
> >   allows FTP connections outbound
>
> Well, I thought the Connection Tracking and NAT Modules *for* FTP did
> the same.. Correct me if I am wrong..

connection tracking does not write filter rules for you.

> After all, why are the ALGs necessary, if *user space* iptables rules
> are still required ?

i don't understand this question. what "ALGs" are you speaking of?

iptables rules are necessary to allow/deny traffic; as that's how you get firewalls to do what you want (ideally).

-j

--
"I'm better than dirt. Well, most kinds of dirt... not that fancy store-bought dirt... that stuff's loaded with nutrients, I... I can't compete with that stuff." --The Simpsons
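The division of labour the reply describes, as an added example that is not part of the original thread: the FTP conntrack helper only classifies the data connections as RELATED, and the filter rules quoted above are what actually lets them through. Interface names, the modern module name nf_conntrack_ftp and the CT target (available on kernels that no longer auto-assign helpers) are assumptions; IPT/MODPROBE can be overridden to preview the commands without applying them.

```shell
#!/bin/sh
# Minimal FORWARD-chain ruleset for a firewall passing FTP from a LAN to the
# Internet, with the conntrack FTP helper doing only the classification.
# Assumptions: $1/$2 are the inside/outside interfaces, the helper module is
# nf_conntrack_ftp, and iptables has the CT target.
IPT="${IPT:-iptables}"          # set IPT=echo to preview instead of apply
MODPROBE="${MODPROBE:-modprobe}"

ftp_forward_rules() {
    lan="$1"   # inside interface, e.g. eth1 (assumed)
    wan="$2"   # outside interface, e.g. eth0 (assumed)

    # 1. Load the helper. It parses the FTP control channel (PORT/PASV) and
    #    registers an expectation for the coming data connection, active or
    #    passive, so conntrack can later mark it RELATED. It writes no rules.
    "$MODPROBE" nf_conntrack_ftp

    # 2. Current kernels no longer attach helpers automatically (off by
    #    default since 4.7, removed in 6.0), so bind it to control traffic.
    "$IPT" -t raw -A PREROUTING -i "$lan" -p tcp --dport 21 -j CT --helper ftp

    # 3. Default-deny forwarding; every rule below is a hole in that policy.
    "$IPT" -P FORWARD DROP

    # 4. Accept packets of a known connection (ESTABLISHED) or of one the
    #    helper expected (RELATED). This is the rule the FTP data channel
    #    rides on, in either direction; without it the helper's expectation
    #    is created but the transfer still hangs after the control channel opens.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Allow new FTP control connections from the LAN outwards only.
    "$IPT" -A FORWARD -i "$lan" -o "$wan" -p tcp --syn --dport 21 \
        -m state --state NEW -j ACCEPT

    # Everything else, including new inbound connections, falls to DROP.
}

ftp_forward_rules "${1:-eth1}" "${2:-eth0}"
```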