
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 13/09/2004 Mike Mestnik wrote:
> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> --state NEW" should work fine.

Quoting you, this is what I need to do for every ftp source port for
active ftp.

> This will require you to accept any connection to the
> ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range, 32768 to 61000)
> with "INPUT -p tcp --dport 32768:61000 -m state --state NEW".  You can
> write to as well as read this file, if you only wish to open let's say
> 32768 32800.

Quoting you, this is what I need to do for passive ftp.

What I don't understand is, why do the ports for passive ftp only need
to be opened for input data, and the active ftp ports only for output
data? The source port is only for sending code, so this one can deny incoming
connections, but isn't that the same for passive ftp ports?

Also, aren't the ports for passive ftp different with different ftp
servers? Do I have to check proftpd for its individual passive ftp
ports, or are the ones in /proc/sys/net/ipv4/ip_local_port_range always
common?

bye
 jonas
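An added example, not from this thread: a POSIX shell script that turns the two quoted rules into a small generator which prints the iptables commands instead of applying them, so it runs unprivileged and can be reviewed first. It assumes the control port is 21, the active-mode data port is 20 (the "<L-1>" in the quote), and that the passive range is the kernel's ip_local_port_range, read here from a constructed stand-in file rather than /proc.

```shell
#!/bin/sh
# Added example (not from the thread). Emits, rather than applies, the
# iptables rules the quoted reply describes. Assumptions: control port 21,
# active-mode data port 20, passive range = ip_local_port_range (proftpd can
# instead pin its own range with its PassivePorts directive; open that one then).

# Constructed stand-in for /proc/sys/net/ipv4/ip_local_port_range.
RANGE_FILE=$(mktemp "${TMPDIR:-/tmp}/portrange.XXXXXX")
printf '32768\t61000\n' > "$RANGE_FILE"

# Print "LOW HIGH" from a range file; fail on anything malformed.
read_port_range() {
    read -r low high < "$1" || return 1
    case "$low-$high" in *[!0-9-]*|*-|-*) return 1 ;; esac
    [ "$low" -le "$high" ] || return 1
    echo "$low $high"
}

# Narrow the range, as the quoted reply suggests, after sanity checks:
# unprivileged, ordered, and within 16 bits.
narrow_port_range() {
    case "$1-$2" in *[!0-9-]*|*-|-*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ] || return 1
    printf '%s\t%s\n' "$1" "$2" > "$3"
}

# Stateful base: anything already tracked flows in both directions, so the
# NEW rules below are the only holes that have to be punched.
base_rules() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
}

# Active FTP: the server dials the client from port 20, so the only NEW
# connection to allow is outbound with that source port.
active_ftp_rules() {
    echo "iptables -A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT"
}

# Passive FTP: the client dials a server port inside the range, so NEW
# inbound connections to that range (and nothing wider) are accepted.
passive_ftp_rules() {
    range=$(read_port_range "$1") || return 1
    set -- $range
    echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}
base_rules; active_ftp_rules; passive_ftp_rules "$RANGE_FILE"
```

Narrowing the range with narrow_port_range before generating the passive rule shrinks the hole to exactly the ports the daemon will hand out.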


