>> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT
>> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If using passive ftp, the host you are connecting to does not
necessarily send from port 21.

> Hmm, many people, including myself, think that filtering in OUTPUT is
> pointless. More troublesome than useful. If you decide to set OUTPUT
> policy to ACCEPT, you don't need the first two rules. Up to you.

Not at all. Because certain things cannot happen in certain
environments, e.g. I read/write mail by logging into a mail server via
SSH / no sendmail running, I can exclude certain things. In netfilter
parlance:

-P OUTPUT ACCEPT (same for FORWARD, btw)
-A OUTPUT -j REJECT -p tcp --dport 25

This stops users that also have access to my machine from spamming SMTP
servers, should they find an open one.

Jan Engelhardt
--
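Added example, not part of the thread above and not Jan's or the netfilter project's own configuration: a complete iptables-restore ruleset for a workstation of the kind described in the message (default-deny INPUT, OUTPUT policy ACCEPT, and one explicit REJECT of outbound SMTP so local users cannot relay through an open mail server). It replaces the `--sport 21` match from the quoted rules with conntrack state, because a passive-mode FTP server sends its data connection from an arbitrary port, not from 21. Assumed, and not stated on the page: the host offers inbound SSH, the kernel has nf_conntrack with the ftp helper, and iptables supports the `conntrack` match and `CT` target.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints an iptables-restore
# ruleset; run "./egress.sh --apply" as root to load it. Assumptions:
# nf_conntrack + nf_conntrack_ftp available, inbound SSH is the only
# service this host offers (assumed, not from the page).

emit_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the ftp conntrack helper to control connections this host opens,
# so an active-mode server connecting back is classified RELATED.
# Kernels since 4.7 no longer auto-assign helpers, hence the CT target.
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to anything this host initiated, whatever the remote port
# (this is what covers passive FTP data channels), plus helper-tracked
# RELATED connections. No --sport 21 match, which passive mode would defeat.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumed: inbound SSH is the one service offered.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT policy is ACCEPT, so the FTP control and data channels need no
# rule at all; the only OUTPUT entry is the exception from the message:
# nothing on this host legitimately speaks SMTP to the outside.
-A OUTPUT -p tcp --dport 25 -j REJECT
COMMIT
EOF
}

apply_rules() {
    # iptables-restore parses and validates the whole ruleset before it
    # commits anything, so a typo does not leave the firewall half-loaded.
    emit_rules | iptables-restore
}

# Number of filter-table rules that REJECT outbound TCP to a given port;
# lets a caller (or a test) confirm the egress block is present.
reject_rules_for_dport() {
    emit_rules | grep -c -- "^-A OUTPUT -p tcp --dport $1 -j REJECT"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    emit_rules
fi
```

Loading with iptables-restore rather than a sequence of `iptables -A` calls is deliberate: the whole ruleset is validated before any of it takes effect, and a default-deny INPUT policy is never installed without the ESTABLISHED,RELATED rule that keeps the existing SSH session alive.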