The helper doesn't have to look into the encrypted payload. It would be enough if the helper assumed that in the next ~3 seconds, netfilter can expect an incoming connection from the client on a high port, from a source port +1 higher than the original source port used when initiating the connection. Sorry, but opening a high port range just to handle FTP connections is weak advice... In iptables it could be done with the --recent extension.

2015-05-16 14:12 GMT+02:00 Bjørnar Ness <bjornar.ness@xxxxxxxxx>:
> It is not possible for the helper to look inside encrypted packets. The only option
> is to open a port range.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
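What the reply sketches with the recent match, written out as an added example (not code from the thread or from netfilter): the client address is stamped on every control-port packet, and a new connection into the passive range is admitted only while that stamp is fresh. Port 21, the range 1024:65535, the list name ftpctl and the INPUT chain are assumptions; the 3-second window is the one suggested above.

```shell
#!/bin/sh
# Added example, not from the thread: admit a passive FTPS data connection only when the
# client address was active on the control port a moment ago, using the iptables "recent"
# match instead of leaving the whole high port range open.
# Assumptions: explicit FTPS on port 21, passive range 1024:65535, IPv4 INPUT chain on the
# server itself, 3-second window as suggested in the reply.
CTRL_PORT=${CTRL_PORT:-21}
DATA_PORTS=${DATA_PORTS:-1024:65535}
WINDOW=${WINDOW:-3}
LIST=ftpctl   # name of the recent list; arbitrary

# Emit the rules in order, one command per line, so they can be reviewed before use.
ftps_rules() {
    ipt=${IPTABLES:-iptables}
    # 1. Any client packet on the control port (re)stamps the client address in the list.
    #    The PASV command travels on this connection, so the stamp is refreshed right before
    #    the data connection arrives even though the command is encrypted. No target, so
    #    evaluation simply continues to the next rule.
    printf '%s\n' "$ipt -A INPUT -p tcp --dport $CTRL_PORT -m recent --name $LIST --set"
    # 2. Usual stateful rules for the control connection (drop the generic one if your
    #    chain already has it; it must come after rule 1).
    printf '%s\n' "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$ipt -A INPUT -p tcp --dport $CTRL_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 3. A NEW connection into the passive range passes only if the source address was
    #    stamped within the window. --rcheck tests without refreshing the timer.
    printf '%s\n' "$ipt -A INPUT -p tcp --dport $DATA_PORTS -m conntrack --ctstate NEW -m recent --name $LIST --rcheck --seconds $WINDOW -j ACCEPT"
    # 4. Everything else aimed at the passive range is dropped.
    printf '%s\n' "$ipt -A INPUT -p tcp --dport $DATA_PORTS -m conntrack --ctstate NEW -j DROP"
}
# Caveat: "recent" is keyed by source address, so the "source port + 1" part of the idea
# cannot be expressed; any new connection from that address into the range is admitted
# during the window, and clients behind a shared NAT address share that window.

# Run the emitted commands; set IPTABLES to something like "echo iptables" to dry-run.
ftps_apply() {
    ftps_rules | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}
```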