On Sat, Nov 24, 2001 at 11:44:48AM +1100, Iain wrote:
> $IPCHAINS -A input -j ACCEPT -i $i -d $IPOFIF/32 -p tcp ! --syn
> Now this works fine for masquerading except for outgoing FTP. Passive FTP
> works fine but normal FTP doesn't.
> Now I thought that this is what the ip_masq_ftp module is for. And this
> module works if I'm not blocking all incoming SYN packets.
You need to allow the Masquerade Port Range to open incoming connections.
Actually you can specify a port range for it. This is because the Input
chain is consulted before the established check can apply. This is better
solved in ipchains.
Anyway, I do not recommend allowing active FTP inside anyway.
> So I guess my question is, does ip_masq_ftp use a discrete range of ports for
> FTP connections or does it use everything between 1024-65535?
I don't have the 2.2 code here, but in 2.4 it is 61000 - 65095 (hardwired in