Re: h323 ALG

On Tue, 22 Jun 2010, ratheesh k wrote:

> On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik
> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> >> 1. ALG will allow WAN to LAN calls? No need for a specific iptables
> >> forwarding rule if the ALG is needed?
> >
> > Yes. That's the point for a helper.
> 
> I thought the ALG will install a related connection tuple if a
> connection is through.
> What I meant is: suppose an FTP connection (active) is tried to be
> made from the LAN to the WAN side (it will go through as per iptables).

No, active/passive FTP connections are not "tried". The corresponding FTP 
command is issued in the command channel and that is interpreted by the 
FTP helper, which then adds a connection expectation to conntrack - and 
which you allow through by the "-m state --state RELATED -j ACCEPT" rule. 
The same happens with H.323.

> Since here the packet is from WAN to LAN and is blocked by
> iptables, how does the ALG get triggered without any packet flow?

You allow clients on the LAN to connect outside and enable bidirectional 
connections. After that any side of the connection can issue correct H.323 
protocol commands and trigger expectations in any direction.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
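As an added illustration of the ruleset Jozsef describes (this is not code from the thread or from the netfilter project), the script below generates an iptables-restore file for a LAN/WAN router where the H.323 conntrack helper is allowed to open the call's other legs. The interface names, the 10.0.0.0/24 LAN, and the choice of `-m conntrack --ctstate` instead of the older `-m state --state` are assumptions of this example. The raw-table CT lines assign the helper explicitly, which kernels since 4.7 require because automatic helper assignment is off by default; the helper names are those registered by nf_conntrack_h323 (Q.931 for TCP 1720, RAS for UDP 1719), so verify them against your kernel with `cat /proc/net/nf_conntrack` or `nfct helper list` before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# for a LAN/WAN router that lets the H.323 conntrack helper open the return
# legs of a call. Interface names and the LAN prefix are placeholders.
# Usage: gen_rules <lan_if> <wan_if> <lan_net> | iptables-restore

gen_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Since Linux 4.7 helpers are not auto-attached (nf_conntrack_helper=0),
# so bind them explicitly. Names as registered by nf_conntrack_h323.
-A PREROUTING -p tcp --dport 1720 -j CT --helper Q.931
-A PREROUTING -p udp --dport 1719 -j CT --helper RAS
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The rule the reply refers to: flows the helper has created expectations
# for (H.245 channel, RTP/RTCP media, the Q.931 leg of an inbound call)
# arrive as RELATED in either direction and need no per-port forward rule.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated ruleset: the RELATED accept must precede the
# LAN-to-WAN NEW rule in FORWARD, otherwise a WAN-originated expected leg
# would fall through to the chain policy (DROP) instead of being accepted.
related_before_new() {
    gen_rules "$@" | awk '/^-A FORWARD/ { n++; if ($0 ~ /RELATED/) r = n; if ($0 ~ /NEW/) w = n }
                           END { exit !(r && w && r < w) }'
}

if [ "${1:-}" = "apply" ]; then
    gen_rules "${2:-eth0}" "${3:-eth1}" "${4:-10.0.0.0/24}" | iptables-restore
fi
```

Run `sh h323-fw.sh apply eth0 eth1 10.0.0.0/24` (as root, with `nf_conntrack_h323` loaded) to install the rules. Without the RELATED accept, the LAN to WAN Q.931 setup still passes, but the H.245 and media channels the helper expects from the WAN side are dropped by the FORWARD policy, which is exactly the "blocked by iptables" situation asked about in the thread.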