On Sun, 20 Oct 2002, Cesare Fontana wrote:

> At 18.39 20/10/2002 +0200, yoann wrote:
> >Hi all,
> >
> >I have a little problem with my proftpd server and my firewall.
> >I have a sarge, kernel 2.4.19 (custom).
> >I have opened the 2 ports 20 and 21, but when someone tries to connect to it he
> >can't get the file list.
> >
>
> If the client tries to use the passive FTP protocol you have to insert, for
> example, in your /etc/proftpd.conf
>
>     PassivePorts 60000 60500
>
> and accept incoming connections to the port range: 60000-60500

Another way to fix this is to use the ip_conntrack_ftp module. This will
make things easier for you.

    if [ -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then
        modprobe ip_conntrack_ftp
        iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    fi

(Sorry for long lines).

This will make netfilter keep track of connections that are related to the
initial FTP connection, and make sure they are let through. This one rule
will also make your other FTP rules unnecessary, I think.

Someone who understands this better than me can explain it better. It might
be that there are security implications I'm not aware of if you use this
method as well. I don't really know, so I leave it up to others to comment
on the security issues with this approach.

--
Greetings,
Alf B Lervåg
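As an added illustration (not part of the thread and not the kernel module's own code), here is a small Python model of what an FTP connection-tracking helper has to do before it can mark a data connection as RELATED: read the PASV reply or PORT command on the control channel, decode the announced endpoint, and only expect a data connection to that endpoint. The sample lines and addresses are constructed, the 60000-60500 range is the PassivePorts setting from Cesare's reply, and the refusal of an announced address that differs from the control connection's peer is a check this example adds as an assumption, not a statement about how ip_conntrack_ftp behaves.

```python
import re

# Constructed control-channel lines, as a helper would see them on port 21.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,234,96)\r\n"  # 234*256+96 = 60000
PORT_CMD = "PORT 198,51,100,7,195,80\r\n"                         # 195*256+80 = 50000

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) announced by a 227 PASV reply or a PORT command, else None."""
    if not (line.startswith("227") or line.upper().startswith("PORT ")):
        return None
    m = _SIX.search(line)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(x > 255 for x in h):
        return None  # malformed octet or port byte
    return ("%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5])


def expected_data_connection(line, server_ip, client_ip):
    """
    Compute the data connection a conntrack-style helper should treat as RELATED,
    as (src_ip, dst_ip, dst_port), given the control connection's endpoints.
    Passive mode: the client will connect to the server's announced port.
    Active mode: the server will connect to the client's announced port.
    Announced addresses that are not the control connection's peer are refused
    (an assumption of this example, chosen so a helper never opens a hole
    toward a third host).
    """
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    if line.startswith("227"):
        return (client_ip, ip, port) if ip == server_ip else None
    return (server_ip, ip, port) if ip == client_ip else None


def in_passive_range(port, low=60000, high=60500):
    """True when the announced port lies inside the PassivePorts range proftpd was told to use."""
    return low <= port <= high
```

With a static rule set instead of the helper, only ports passing in_passive_range() need an ACCEPT rule; with the helper, the RELATED match covers exactly the connection expected_data_connection() returns.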