
Re: iptables and proftpd



On Sun, 20 Oct 2002, Cesare Fontana wrote:
> At 18.39 20/10/2002 +0200, yoann wrote:
> >Hi all,
> >
> >I have a little problem with my proftpd server and my firewall
> >I have a sarge, kernel 2.4.19 (custom).
> >I have opened the two ports 20 and 21, but when someone tries to connect to it he
> >can't get the file list.
> 
> 
> if the client tries to use passive FTP you have to insert, for
> example, in your /etc/proftpd.conf
> 
> PassivePorts                    60000 60500
> 
> 
> and accept incoming connection to the port range: 60000,60500

Another way to fix this is to use the ip_conntrack_ftp module.  This
will make things easier for you.

# Load the FTP connection-tracking helper if it was built for this kernel.
if [ -e /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then
    modprobe ip_conntrack_ftp
    # The control connection on port 21.
    iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Data connections that the helper marks RELATED arrive on other ports, so they must be matched by state rather than by port.
    iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

(Sorry for long lines).

This will make netfilter keep track of connections that are related to
the initial ftp connection, and make sure they are let through.

This one rule will also make your other ftp rules unnecessary I think.

Someone who understands this better than me can explain it better.
It might be that there are security implications I'm not aware
of if you use this method as well.  I don't really know, so I leave it up
to others to comment on the security issues with this approach.

-- 
Greetings,
Alf B Lervåg
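Added example, not from anyone in this thread: it decodes the data port a server advertises in its PASV reply (the same "227 Entering Passive Mode" line the ip_conntrack_ftp helper parses) and checks it against the PassivePorts range from the proftpd.conf snippet above, so you can confirm the data connection would land inside the port range the firewall accepts. The replies and the range limits are constructed sample values.

```shell
# pasv_port "227 Entering Passive Mode (192,168,1,10,234,96)." -> prints 60000
# Returns 1 if the reply does not contain a well-formed (h1,h2,h3,h4,p1,p2) tuple.
pasv_port() {
    # Keep only the comma-separated tuple between the parentheses.
    tuple=${1#*\(}
    tuple=${tuple%%\)*}
    # Fields 5 and 6 are the high and low bytes of the data port.
    hi=$(printf '%s' "$tuple" | cut -s -d, -f5)
    lo=$(printf '%s' "$tuple" | cut -s -d, -f6)
    case "$hi$lo" in *[!0-9]*|"") return 1 ;; esac
    [ -n "$hi" ] && [ -n "$lo" ] || return 1
    echo $((hi * 256 + lo))
}

# in_passive_range PORT MIN MAX -> exit status 0 when MIN <= PORT <= MAX
in_passive_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample: the PassivePorts range from the snippet above and two
# server replies, one inside the range and one outside it.
PASV_MIN=60000
PASV_MAX=60500
for reply in "227 Entering Passive Mode (192,168,1,10,234,96)." \
             "227 Entering Passive Mode (192,168,1,10,4,1)."; do
    port=$(pasv_port "$reply") || { echo "unparsable reply: $reply"; continue; }
    if in_passive_range "$port" "$PASV_MIN" "$PASV_MAX"; then
        echo "port $port: inside PassivePorts $PASV_MIN-$PASV_MAX, the firewall rule covers it"
    else
        echo "port $port: outside PassivePorts $PASV_MIN-$PASV_MAX, the data connection would be dropped"
    fi
done
```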
