
Re: open ports with firehol



I thought CT was where Linux would see the ftp PORT cmd and expect the
responding incoming connection.  There is also a need to nat the PORT
command this should be provided by the ftp-nat mod.  With the PASV ftp cmd
there should also be an expected outgoing connection.

This may be a missing feature of the Linux kernel.  Thought it should be
fixed there and not in some firewall script or daemon.

--- Daniel Pittman <daniel@rimspace.net> wrote:
> On Wed, 28 Apr 2004, Mike Mestnik wrote:
> > --- Daniel Pittman <daniel@rimspace.net> wrote:
> >> On Wed, 28 Apr 2004, Mike Mestnik wrote:
> >> > Does not connection tracking take care of both active and passive
> >> > FTP?
> >> 
> >> > These both should fall under state RELATED not state NEW.
> >> 
> >> The firehol script treats it as a complex service, because there are
> >> connections going both ways. If you look at the relevant function in
> >> /lib/firehol/firehol (line 869) you will see what firehol does to set
> >> it up.
> >> 
> >> Regards,
> >>         Daniel
> > 
> > Is there any work underway to support netfilter's connection tracking
> > in firehol? This is something I could help out with, though I'm not
> > an expert on netfilter.
> 
> I am sorry if I was at all misleading - the firehol script *is* using
> the FTP connection tracking already.  The complexity comes from the need
> to set up several rules, allowing for the return connections as well as
> the established ones, as I understand it.
> 
>     Daniel
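As an added illustration (not part of the thread, and not firehol's or the kernel's code), the following is a simplified model of what the FTP connection-tracking and NAT helpers discussed above do with the control channel: a client PORT command makes conntrack expect an inbound data connection (active FTP), a server 227 reply makes it expect an outbound one (passive FTP), and the NAT helper rewrites the private address inside a PORT command. The sample control lines and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not taken from the thread).
CLIENT_PORT_CMD = "PORT 192,168,1,10,195,80"                         # active FTP
SERVER_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,39,16)"  # passive FTP

_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """The RELATED data connection the FTP helper tells conntrack to expect."""
    direction: str  # "inbound" (server -> client) or "outbound" (client -> server)
    dst_ip: str
    dst_port: int


def decode_host_port(text):
    """Decode the FTP h1,h2,h3,h4,p1,p2 tuple into (ip, port); port = p1*256 + p2."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def expect_from_control_line(line, from_client):
    """Mirror what the FTP conntrack helper derives from one control-channel line.

    A client PORT command announces where the *server* will connect to (active
    FTP, inbound to the client); a server 227 reply announces where the *client*
    will connect to (passive FTP, outbound). Other lines carry no data-channel
    information, so no expectation is created and the data SYN would be NEW.
    """
    if from_client and line.upper().startswith("PORT "):
        ip, port = decode_host_port(line)
        return Expectation("inbound", ip, port)
    if not from_client and line.startswith("227 "):
        ip, port = decode_host_port(line)
        return Expectation("outbound", ip, port)
    return None


def nat_port_command(line, public_ip):
    """What the FTP NAT helper must do for active FTP from behind NAT: replace the
    client's private address in the PORT payload with the firewall's public one,
    keeping the port so the server's data connection can be DNAT'ed back."""
    _ip, port = decode_host_port(line)
    return "PORT %s,%d,%d" % (",".join(public_ip.split(".")), port // 256, port % 256)
```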
