IPTables for FTP
Christopher K. Johnson
ckjohnson at gwi.net
Wed Nov 3 00:30:16 UTC 2004
Eucke Warren wrote:
>I noticed that no one suggested setting the pasv_min_port and pasv_max_port
>in the /etc/vsftpd/vsftpd.conf and then opening the corresponding ports in
>iptables. Any particular reason why? I am not what I would consider
>proficient enough with vsftp to know whether either of the previous two
>answers addressed the whole issue of PASV mode.
>
>-Eucke
The use of the iptables module for ftp connection tracking in
conjunction with iptables rules to allow packets of state
established, related and from anywhere to tcp port 21 dynamically enables
packets for a data connection that is specified between the server and
client by directives on the ftp control connection. In other words, it
will intelligently allow data connections that the control connection
specifies. This is better than blindly opening specific or a range of
ports that you constrain your ftp server to use, in that it only allows
the necessary client address to access its data connection, not other
clients attempting to do so.
Chris
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
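The two rule sets this thread contrasts, as an added shell example that is not from the original post: a dry-run script that emits the iptables rules for the ftp conntrack helper beside the blind port-range variant Eucke asked about. The interface name, the PASV range, and the `IPT`/`MODPROBE` dry-run defaults are assumptions, as is a default-deny INPUT policy on a Linux host with iptables and nf_conntrack_ftp available.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the two iptables rule
# sets discussed: helper-based (RELATED data connections) and port-range.
# Assumptions: default-deny INPUT chain, Linux iptables with the CT target,
# nf_conntrack_ftp loadable. Interface and PASV range are placeholders.
IPT="${IPT:-echo iptables}"          # dry run by default; set IPT=iptables to apply as root
MODPROBE="${MODPROBE:-echo modprobe}"
FTP_IF="${FTP_IF:-eth0}"             # placeholder interface facing the clients
PASV_MIN="${PASV_MIN:-50000}"        # constructed values matching pasv_min_port /
PASV_MAX="${PASV_MAX:-50100}"        # pasv_max_port in vsftpd.conf for the range variant

# Helper-based rule set: the ftp conntrack helper reads PORT/PASV on the
# control channel and marks the matching data connection RELATED, so only
# the client that negotiated it (and only that port) is admitted.
helper_rules() {
    $MODPROBE nf_conntrack_ftp
    # On current kernels nf_conntrack_helper defaults to 0, so the helper
    # must be assigned explicitly in the raw table; loading it is not enough.
    $IPT -t raw -A PREROUTING -i "$FTP_IF" -p tcp --dport 21 -j CT --helper ftp
    $IPT -A INPUT -i "$FTP_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$FTP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Port-range rule set: the approach from the question. Every client can reach
# every port in the range whether or not it negotiated a transfer. It remains
# the only option when the control channel is encrypted (FTPS), because the
# helper cannot parse a PASV reply it cannot read.
range_rules() {
    $IPT -A INPUT -i "$FTP_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$FTP_IF" -p tcp --dport "$PASV_MIN:$PASV_MAX" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$FTP_IF" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Print the selected variant (helper by default) for review before applying.
case "${1:-helper}" in
    helper) helper_rules ;;
    range)  range_rules ;;
esac
```

Run it as-is to review the generated commands, then re-run with `IPT=iptables MODPROBE=modprobe` as root to load them.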