Debian 2.6.8/bridge/iptables/passive ftp

Hi out there,

thanks for your replies.

@Ray
I already stumbled over http://slacksite.com/other/ftp.html and built my ruleset accordingly. As far as I understand, you should be able to cater just for passive ftp.

@Arnd-Hendrik
I am not opening the high ports on the ftp server box. The (passive) ftp client sends the first request from a high port to port 21 on the server box. Have a look at the diagrams at slacksite. Which helper module do you refer to?

@Martijn
Your hint pointing to ip_conntrack_ftp led to the solution. lsmod showed me that the module had not been loaded. After loading it, my ruleset worked and the clients could ftp properly.

Rebooting the bridge box left me again with an unloaded ip_conntrack_ftp. So I made an entry in /etc/modules which caters for the module to be loaded on (re)boot. Strange thing, that, because other modules related to iptables are being loaded automatically, although they are not compiled into the kernel either. Are there other "surprise" modules that have to be loaded via /etc/modules?

cu
Jo
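
The check described in the message above (is ip_conntrack_ftp loaded now, and is it listed in /etc/modules for the next boot), as an added example that is not part of the original post. The function names are hypothetical; the file paths are parameters so the functions can be run against copies of /proc/modules and /etc/modules.

```shell
#!/bin/sh
# Added example (not from the original message): report whether a conntrack
# helper module is loaded and whether it will be loaded again after a reboot.
# Usage on the bridge box: helper_status ip_conntrack_ftp

# module_loaded NAME [PROC_MODULES]
# True if NAME is the first field of a line in /proc/modules-format text,
# which is the same data lsmod prints.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# module_persisted NAME [MODULES_FILE]
# True if NAME is listed in /etc/modules; comments and blank lines are ignored,
# so a commented-out entry does not count.
module_persisted() {
    awk -v m="$1" '{ sub(/#.*/, "") } $1 == m { found = 1 } END { exit !found }' \
        "${2:-/etc/modules}"
}

# persist_module NAME [MODULES_FILE]
# Append NAME once; calling it again does not add a duplicate line.
persist_module() {
    module_persisted "$1" "${2:-/etc/modules}" ||
        printf '%s\n' "$1" >> "${2:-/etc/modules}"
}

# helper_status NAME [PROC_MODULES] [MODULES_FILE]
# Prints one of: ok, not-loaded, not-persisted, missing
helper_status() {
    l=1; p=1
    module_loaded "$1" "${2:-/proc/modules}" || l=0
    module_persisted "$1" "${3:-/etc/modules}" || p=0
    case "$l$p" in
        11) echo ok ;;             # loaded now and listed for boot
        01) echo not-loaded ;;     # listed for boot, but not loaded right now
        10) echo not-persisted ;;  # loaded by hand, gone after the next reboot
        *)  echo missing ;;        # neither loaded nor listed
    esac
}
```

The `not-persisted` result corresponds to the situation after the manual load and before the /etc/modules entry was made.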



