vsftp and firewall
Christopher K. Johnson
ckjohnson at gwi.net
Wed Apr 7 20:23:20 UTC 2004
duncan brown wrote:
>send us the output of the following command (run as root)
>
>iptables -L -n
>
>also, remember that your ftp client is probably using PASSIVE transfers, which means you'll need a range of high-level ports to be open, not just 21. I bet if you use the text mode ftp program on windows your transfers will work like a champ. (start -> run -> ftp)
>
>
No, don't open up high ports. Just include a rule to accept not only
packets for established connections, but also related ones, like so:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The related entries get added to the connection table by the
ip_conntrack_ftp module based on what ports are referenced on an ftp
control connection to be used for a data connection.
And the best way to ensure the ip_conntrack_ftp module is loaded is by
editing the line in /etc/sysconfig/iptables-config like so:
IPTABLES_MODULES="ip_conntrack_ftp"
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
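As an added example (not part of Chris's message or of any distribution's stock configuration), here is the approach he describes written out as a shell script: a ruleset that opens only port 21 and relies on the ESTABLISHED,RELATED rule plus the FTP conntrack helper for the data connections, and a function that loads the helper module. The interface name eth0 and the port-21 listener are assumptions. The extra rule in the raw table is my addition for kernels from 4.7 on, where automatic helper assignment is disabled by default and the helper must be attached explicitly with the CT target; it is not needed on the 2.4/early 2.6 kernels the post is about.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an
# iptables-restore ruleset that admits FTP data connections through
# conntrack's RELATED state instead of opening a range of high ports.
# WAN_IF and FTP_PORT are assumptions; adjust for your host.
WAN_IF=eth0
FTP_PORT=21

# Print the ruleset in iptables-restore format. Only the control port is
# opened explicitly; active and passive data connections are accepted as
# RELATED once the FTP helper has parsed the PORT/PASV exchange.
ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Needed on kernels >= 4.7 (nf_conntrack_helper defaults to 0);
# harmless but unnecessary on older kernels that auto-assign helpers.
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport ${FTP_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the FTP connection-tracking helper. The module was named
# ip_conntrack_ftp on the kernels the post refers to; on current kernels
# it is nf_conntrack_ftp, so try the new name first and fall back.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Read a ruleset on stdin and succeed (exit 0) if any rule opens a port
# range, i.e. the "open the high ports" anti-pattern the post argues
# against. Useful as a quick audit of an existing /etc/sysconfig/iptables.
has_port_range_rule() {
    grep -q -E -- '--dport +[0-9]+:[0-9]+'
}

# Apply the ruleset for real (requires root); only runs when asked.
apply_ftp_ruleset() {
    load_ftp_helper
    ftp_ruleset | iptables-restore
}

# Usage: sh thisscript.sh apply    (to load the ruleset on a live box)
#        sh thisscript.sh          (to print the generated ruleset)
if [ "$1" = "apply" ]; then
    apply_ftp_ruleset
elif [ -z "$SOURCED_FOR_TEST" ]; then
    ftp_ruleset
fi
```

Run without arguments it only prints the ruleset so you can review it; `apply` loads the helper and feeds the rules to iptables-restore. Piping an existing ruleset into `has_port_range_rule` is a one-line check for whether someone has already taken the "open the high ports" shortcut.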