--- Gerald Combs wrote:
Correct me if I'm wrong, but the simple firewall rules posted earlier would effectively break ftp. Wouldn't the unprivileged ports also be blocked? Wouldn't you need to specifically allow the unprivileged ports for either active or passive ftp? Wouldn't you need to allow outbound ports also? I don't remember all the rules posted, but I would think that the default rule would be to drop inbound and outbound unused ports.
Brian D.
Jack wrote:
AFAIK, the firewall rules that Chris posted permit all outbound traffic. Assuming that you're firewalling the client and not the server, this would allow passive FTP connections since they originate from the client. To allow active connections in from the server to the client you'd have to enable some sort of connection traffic.
The default policy for the Output chain is usually ACCEPT, so there is no need to open outbound ports specifically. The ACCEPT statement on the ESTABLISHED,RELATED line will allow connections to the unprivileged ports since they are related to the connection on port 21. I believe ip_conntrack_ftp helps with this.
Brad
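An added example, not from the thread or any of its posters, showing the rule shape Brad describes for a firewalled FTP client: OUTPUT defaults to ACCEPT, INPUT drops everything except loopback and ESTABLISHED,RELATED traffic, and the FTP conntrack helper marks the data connection as RELATED so no port range has to be opened. It assumes the modern helper module name nf_conntrack_ftp (ip_conntrack_ftp on older 2.4/2.6 kernels) and, as written, only prints the iptables commands; set IPTABLES=iptables as root to apply them.

```shell
# Assumption: IPTABLES defaults to "echo iptables" so the functions print the
# commands instead of changing the live firewall.
IPTABLES="${IPTABLES:-echo iptables}"

load_ftp_helper() {
    # The helper reads the PORT/PASV exchange on the port 21 control connection
    # and marks the resulting data connection RELATED. Without it an active-mode
    # data connection (server port 20 -> client high port) is a NEW inbound
    # connection and is dropped by the INPUT policy below.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || return 1
}

ftp_client_rules() {
    # Client may originate anything: the control connection to port 21 and,
    # in passive mode, the data connection to the server's high port.
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to our own connections plus helper-tracked data connections.
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Weaker fallback when the helper cannot be loaded: accept new inbound TCP to
# the whole unprivileged range as long as it comes from source port 20. This
# trusts the peer's choice of source port, which is not a security boundary,
# so prefer the helper-based rule set whenever the module is available.
ftp_client_rules_no_helper() {
    ftp_client_rules
    $IPTABLES -A INPUT -p tcp --syn --sport 20 --dport 1024:65535 -j ACCEPT
}
```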