allowing passive FTP from the outside

Alexander Dalloz ad+lists at uni-x.org
Sun Apr 3 15:07:56 UTC 2005


On Sun, 03.04.2005 at 6:42, Justin Zygmont wrote:

> >> are you sure ftp_conntrack is even needed?  I thought that's
> >> usually used just for stateful routing through a server, and
> >> not to connect to one from the outside.
> >
> > No, that's a different module: ip_nat_ftp. The ip_conntrack_ftp
> > module is required for the ESTABLISHED,RELATED rule to work for
> > incoming FTP connections.
> 
> I don't see how that can be, because when I stop iptables it also unloads 
> ftp_conntrack, and even ip_conntrack.  I can get an ftp listing with 
> iptables off and those modules unloaded.  Here's what I have 
> loaded, and it works until I restart iptables.

Please see http://slacksite.com/other/ftp.html to understand how it
works.
If you stop iptables then of course no packet filter interferes with
the traffic and all ports are open. When iptables is active and only
port 21 is explicitly opened for connections in state NEW, netfilter
needs a helper module to recognize a connection to the passive high port
as RELATED to the established FTP control connection on port 21.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.771_FC2smp 
Serendipity 17:04:49 up 4 days, 14:31, load average: 0.79, 0.66, 0.53 
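To make the explanation above concrete, here is an added example (not from Alexander's post or the Fedora list): a small POSIX shell script that shows the minimal server-side ruleset described in the message, where port 21 is the only port opened for NEW connections, and a function that does what the ip_conntrack_ftp helper does on the control channel, namely parse the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to learn which high port the client is about to connect to. The module name ip_conntrack_ftp matches the 2.6.10 kernel in the signature; on later kernels the helper is nf_conntrack_ftp (that is my assumption, not something the post states). The sample 227 reply is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes a 2.6-era netfilter where the FTP helper is ip_conntrack_ftp
# (on newer kernels the module is nf_conntrack_ftp; assumption).

# Run a command, or only print it when DRY_RUN=1 so the ruleset can be
# reviewed without root and without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Minimal INPUT chain for an FTP server behind iptables:
#  - the helper must be loaded first, otherwise the passive data
#    connection is seen as NEW and hits the final DROP;
#  - ESTABLISHED,RELATED accepts the data connection on the high port
#    only because the helper has marked it RELATED;
#  - port 21 is the only port explicitly opened for NEW connections.
ftp_server_rules() {
    run modprobe ip_conntrack_ftp
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    run iptables -A INPUT -j DROP
}

# What the helper extracts from the control channel: given a server
# reply line, print "host:port" of the passive data endpoint, or nothing
# if the line is not a 227 reply. Port is p1*256+p2 per the PASV format.
pasv_endpoint() {
    printf '%s\n' "$1" |
    sed -n 's/^227 .*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*$/\1.\2.\3.\4 \5 \6/p' |
    while read -r host p1 p2; do
        echo "$host:$((p1 * 256 + p2))"
    done
}

# Usage: "sh ftp-rules.sh show" prints the rules, "sh ftp-rules.sh apply"
# installs them (needs root). No argument does nothing, so the functions
# can be sourced and tested.
case "${1:-}" in
    show)  DRY_RUN=1; ftp_server_rules ;;
    apply) ftp_server_rules ;;
esac
```

The point of pasv_endpoint is the reason the helper exists at all: the firewall cannot know from the TCP headers alone that an incoming SYN to, say, port 50009 belongs to the FTP session on port 21. Only by reading the 227 reply on the control connection can netfilter set up an expectation for that host:port pair and classify the later connection as RELATED; with the module unloaded, that SYN is NEW, matches no ACCEPT rule, and the listing hangs exactly as described in the thread.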