Re: FTP connection tracking doesn't work with nftables

I would say it is better to have high ports open on demand (after AUTH
TLS) than to have them open all the time. NFTables are now useless to me,
as FTP/TLS passive mode is supported neither by the helper nor by the
"recent" extension.

2015-05-17 22:59 GMT+02:00 Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>:
> Tomek L a écrit :
>> I agree on source port issue, but I don't think that in case of TLS
>> there is nothing that can be done with FTP helper. Still we can assume
>> that just after TLS AUTH negotiation, client will connect on high port
>> with new connection to server. Now we are in situation, where if TLS
>> is used, high ports on server side must be open all the time.
>
> IMO, it is not much better to open all passive ports to any host which
> has established a connection to port 21 regardless of whether a
> PASV/EPSV command was acknowledged by the server.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
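The "on demand" approach discussed above can be approximated in nftables with a dynamic set instead of the iptables "recent" match: the control connection to port 21 records the client address, and only those addresses may open the passive data ports for a limited time. This is an added example, not a ruleset from the thread or from the netfilter project; the passive range 50000-50100, the 5-minute window and the set name are assumptions, and the range must match what the FTP daemon advertises in its PASV/EPSV replies. It does not solve the limitation Pascal points out: any host holding a control connection gets the whole range, because the firewall cannot see the PASV/EPSV exchange inside TLS.

```nft
table inet filter {
    # Constructed example: addresses that recently opened an FTP control connection.
    # Entries expire on their own, so the passive range is not open permanently.
    set ftp_clients {
        type ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept

        # New control connection: remember the client, then let it through.
        tcp dport 21 ct state new update @ftp_clients { ip saddr } accept

        # Passive data ports (assumed 50000-50100) only for clients seen on port 21
        # within the last 5 minutes; everything else hits the drop policy.
        tcp dport 50000-50100 ip saddr @ftp_clients ct state new accept
    }
}
```

Load it with `nft -f` and check `nft list set inet filter ftp_clients` to see which addresses currently hold the window open. For plaintext FTP the `ct helper "ftp"` mechanism is still preferable, since it opens only the single port the server actually announced; the set-based rule is the fallback for the TLS case where the helper cannot parse the commands.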



