Re: allowing passive FTP from the outside

From: Alexander Dalloz (ad+lists_at_uni-x.org)
Date: 04/03/05

    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Sun, 03 Apr 2005 17:07:56 +0200

    On Sun, 03.04.2005 at 6:42, Justin Zygmont wrote:

    > >> are you sure ftp_conntrack is even needed? I thought that's
    > >> usually used just for stateful routing through a server, and
    > >> not to connect to one from the outside.
    > >
    > > No, that's a different module: ip_nat_ftp. The ip_conntrack_ftp
    > > module is required for the ESTABLISHED,RELATED rule to work for
    > > incoming FTP connections.
    >
    > I don't see how that can be, because when I stop iptables it also unloads
    > ftp_conntrack, and even ip_conntrack. I can get an ftp listing when
    > iptables is off and those modules are unloaded. Here's what I have
    > loaded, and it works until I restart iptables.

    Please see http://slacksite.com/other/ftp.html to understand how it
    works.
    If you stop iptables then of course no packet filter interferes with
    traffic and the ports are all open. When iptables is active and only
    port 21 is explicitly opened for state NEW connections, netfilter
    needs a helper module to recognize that a connection to the passive high
    port is the result of an established,related FTP connection on port 21.

    Alexander

    -- 
    Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
    legal statement: http://www.uni-x.org/legal.html
    Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.771_FC2smp 
    Serendipity 17:04:49 up 4 days, 14:31, load average: 0.79, 0.66, 0.53 
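    The mechanism Alexander describes, modelled as an added example that is not part of the original thread: a toy state table in which a helper (standing in for ip_conntrack_ftp) reads the server's 227 reply on the port-21 control connection and registers the announced high port, so that the client's later SYN to that port is classified RELATED rather than NEW. The sample reply, the addresses and the class names are constructed for the example; the ruleset function encodes only the two rules the thread mentions (NEW to port 21, plus ESTABLISHED,RELATED).

```python
import re
from dataclasses import dataclass, field

# Constructed sample 227 reply on the control channel (server port 21);
# octets 195,80 encode data port 195*256 + 80 = 50000.
SAMPLE_PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: bytes):
    """Return (ip, port) announced by a 227 reply, or None if not a valid one."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass
class Conntrack:
    """Toy state table; helper_loaded models whether ip_conntrack_ftp is present."""
    helper_loaded: bool = True
    expectations: set = field(default_factory=set)

    def on_control_reply(self, client_ip: str, reply: bytes) -> bool:
        # The helper watches the ESTABLISHED port-21 flow and registers an
        # expectation for the announced data port; without it nothing does.
        if not self.helper_loaded:
            return False
        parsed = parse_pasv(reply)
        if parsed is None:
            return False
        self.expectations.add((client_ip, parsed[0], parsed[1]))
        return True

    def classify(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """Connection state a fresh SYN gets from the state match."""
        if (src_ip, dst_ip, dst_port) in self.expectations:
            return "RELATED"
        return "NEW"


def firewall_verdict(ct: Conntrack, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Ruleset from the thread: NEW only to port 21, plus ESTABLISHED,RELATED."""
    state = ct.classify(src_ip, dst_ip, dst_port)
    if state in ("ESTABLISHED", "RELATED") or (state == "NEW" and dst_port == 21):
        return "ACCEPT"
    return "DROP"
```

With the helper present the data SYN to port 50000 is accepted as RELATED; with it absent the same SYN is NEW on a port that is not 21 and is dropped, which is exactly the symptom of a listing that works only while iptables is stopped.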