Ernesto Silva wrote:
I wrote the "RELATED" specification because I thought port 20 and the
rest of the connections (in passive and active mode) may be handled by
ip_conntrack_ftp and ip_nat_ftp in an "automagically" way.
This is what happens, at least partly:
- ip_conntrack_ftp, by monitoring the FTP control connections,
identifies the first packet of an FTP data connection as RELATED;
- ip_nat_ftp, with the help of ip_conntrack_ftp, does the necessary NAT
on FTP data connections.
But you still have the job of writing rules to decide their fate,
whether they must be accepted or dropped.
Anyway, I used your suggestion (which I already knew).
Ok, sorry for doubting.
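For the rule-writing step the reply points at, here is an added example (not from this thread) of the FORWARD rules a NAT gateway needs so that the data connections the helpers flag as RELATED are actually accepted rather than dropped; it assumes the 2.4/2.6-era module names used above, a FORWARD policy of DROP, and an internal interface called eth1 (an assumed name). With IPT unset it only prints the commands; set IPT=iptables and MODPROBE=modprobe as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a NAT gateway whose
# LAN side is eth1 (assumed name) and whose FORWARD policy is DROP.
# By default the commands are only printed (dry run).
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN_IF="${LAN_IF:-eth1}"

load_ftp_helpers() {
    # ip_conntrack_ftp watches the control channel and flags the data
    # connection's first packet as RELATED; ip_nat_ftp rewrites the
    # address/port carried in PORT/PASV. Neither module accepts anything.
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

ftp_forward_rules() {
    # Anything not matched below is dropped by the chain policy.
    $IPT -P FORWARD DROP
    # Control connection from the LAN to any FTP server: NEW is allowed.
    $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Data connections, active (server -> client) or passive (client ->
    # server high port), arrive as RELATED because of the helper; replies
    # to already accepted connections are ESTABLISHED. Without this rule
    # the helper's RELATED mark changes nothing and the data channel dies.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Sanity check: how many generated rules accept RELATED traffic.
# Zero means the helpers are loaded for nothing.
related_accept_count() {
    ( IPT="echo iptables"; ftp_forward_rules ) | grep -c 'RELATED'
}
```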