
Re: ip_masq_ftp



On Sat, 24 Nov 2001 03:28, Bernd Eckenfels wrote:
> On Sat, Nov 24, 2001 at 11:44:48AM +1100, Iain wrote:
> > $IPCHAINS -A input -j ACCEPT -i $i -d $IPOFIF/32 -p tcp ! --syn
> >
> > Now this works fine for masquerading except for outgoing FTP. Passive FTP
> > works fine but normal FTP doesn't.
> >
> > Now I thought that this is what the ip_masq_ftp module is for. And this
> > module works if I'm not blocking all incoming SYN packets.
>
> You need to allow the Masquerade Port Range to open incoming connections.
> Actually you can specify a port range for it. This is because the Input
> chain is consulted before the established check can apply. This is better
> solved in ipchains.

How do you specify a port range for it?

>
> Anyway, I do not recommend to allow active FTP inside anyway.

Why not?

>
> > So I guess my question is, does ip_masq_ftp use a discrete range of ports
> > for FTP connections or does it use everything between 1024-65535?
>
> I don't have the 2.2 code here, but in 2.4 it is 61000 - 65095 (hardwired in
> the module).
>

Thanks.

> Greetings
> Bernd

-- 
public key available at http://www.minihub.org/~iain/iain.asc


