Hello,

After client connection initiation, the helper should temporarily allow a new TCP connection from the client, with the source port set to the source port used for the first connection + 1, and the destination port >1024. Below is the snapshot from the log.

But this should be handled by the FTP helper no matter if it is a TLS or plain session. The start of the TLS negotiation is plaintext ("TLS AUTH....") - so I think it could be handled by the helper safely (so we are sure, before opening high ports, that we are really in an FTP session).

2015-05-17 07:40:36 Golem ulogd ACTION=Accept STATE=New RULE='FTP incoming' IN=eno1 OUT= MAC=00:1e:67:ab:1f:49:b0:c6:9a:e3:27:c2:08:00 SRC=x.x.x.215 DST=212.x.x.242 LEN=64 TOS=00 PREC=0x00 TTL=58 ID=64588 DF PROTO=TCP SPT=49458 DPT=21 SEQ=1085504279 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
2015-05-17 07:40:36 Golem ulogd ACTION=Drop RULE='Default drop' IN=eno1 OUT= MAC=00:1e:67:ab:1f:49:b0:c6:9a:e3:27:c2:08:00 SRC=x.x.x.215 DST=212.x.x.242 LEN=64 TOS=00 PREC=0x00 TTL=58 ID=50205 DF PROTO=TCP SPT=49459 DPT=47244 SEQ=3549983851 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0

2015-05-16 17:36 GMT+02:00 Bjørnar Ness <bjornar.ness@xxxxxxxxx>:
> What port should it open, then?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
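As an added example, not part of the mail above or of the netfilter project, the following Python script parses ulogd lines in the format shown in the mail and pairs each accepted control connection to port 21 with a later drop from the same client whose source port is the control source port + 1 and whose destination port is above 1024, which is the pattern the mail describes. Finding such pairs in the firewall log is how a defender can confirm that the FTP helper is not tracking the data connection for a session (for example a TLS session). The two sample lines are the ones from the mail; the third line is constructed and should not match. The 30-second pairing window and the "+1" rule are taken from the mail as assumptions, not as general FTP client behaviour.

```python
import re
from datetime import datetime, timedelta

# Sample input: the two ulogd lines from the mail plus one constructed,
# non-matching drop (same client, but source port is not control port + 1).
SAMPLE_LOG = """\
2015-05-17 07:40:36 Golem ulogd ACTION=Accept STATE=New RULE='FTP incoming' IN=eno1 OUT= MAC=00:1e:67:ab:1f:49:b0:c6:9a:e3:27:c2:08:00 SRC=x.x.x.215 DST=212.x.x.242 LEN=64 TOS=00 PREC=0x00 TTL=58 ID=64588 DF PROTO=TCP SPT=49458 DPT=21 SEQ=1085504279 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
2015-05-17 07:40:36 Golem ulogd ACTION=Drop RULE='Default drop' IN=eno1 OUT= MAC=00:1e:67:ab:1f:49:b0:c6:9a:e3:27:c2:08:00 SRC=x.x.x.215 DST=212.x.x.242 LEN=64 TOS=00 PREC=0x00 TTL=58 ID=50205 DF PROTO=TCP SPT=49459 DPT=47244 SEQ=3549983851 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
2015-05-17 07:40:40 Golem ulogd ACTION=Drop RULE='Default drop' IN=eno1 OUT= MAC=00:1e:67:ab:1f:49:b0:c6:9a:e3:27:c2:08:00 SRC=x.x.x.215 DST=212.x.x.242 LEN=64 TOS=00 PREC=0x00 TTL=58 ID=50300 DF PROTO=TCP SPT=49470 DPT=47300 SEQ=1 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
"""

# "<date> <time> <host> ulogd <key=value ...>" as in the mail's log snippet.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ulogd (?P<kv>.*)$"
)
# key=value pairs; values may be quoted (RULE='FTP incoming') or empty (OUT=).
# Bare flags such as DF and SYN carry no "=" and are skipped.
KV_RE = re.compile(r"(\w+)=('[^']*'|\S*)")


def parse_line(line):
    """Return a dict of fields for one ulogd line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "host": m.group("host"),
    }
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip("'")
    return rec


def find_orphaned_data_connections(lines, window=timedelta(seconds=30)):
    """Pair accepted control connections (TCP DPT=21) with a later drop from the
    same SRC to the same DST where SPT == control SPT + 1 and DPT > 1024.
    Such a pair is a data connection the FTP helper did not open."""
    recs = [r for r in map(parse_line, lines) if r and r.get("PROTO") == "TCP"]
    control = [r for r in recs if r.get("ACTION") == "Accept" and r.get("DPT") == "21"]
    findings = []
    for c in control:
        for d in recs:
            if d.get("ACTION") != "Drop":
                continue
            if d.get("SRC") != c.get("SRC") or d.get("DST") != c.get("DST"):
                continue
            if int(d["SPT"]) != int(c["SPT"]) + 1 or int(d["DPT"]) <= 1024:
                continue
            delay = d["ts"] - c["ts"]
            if timedelta(0) <= delay <= window:
                findings.append({
                    "src": c["SRC"],
                    "control_spt": int(c["SPT"]),
                    "data_spt": int(d["SPT"]),
                    "data_dpt": int(d["DPT"]),
                    "delay_s": delay.total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_orphaned_data_connections(SAMPLE_LOG.splitlines()):
        print("data connection dropped: %(src)s:%(data_spt)d -> port %(data_dpt)d "
              "(%(delay_s).0fs after control connection from port %(control_spt)d)" % f)
```

Run against a real ulogd file by passing its lines instead of SAMPLE_LOG; a non-empty result for a client means its data connection was dropped by the default rule even though its control connection was accepted, which is the situation the mail describes.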