Re: FTP, iptables, and connection tracking

To: Debian Firewall - LIST <debian-firewall@lists.debian.org>
Subject: Re: FTP, iptables, and connection tracking
From: Jerome Walter <walter@nexantis.net>
Date: Wed, 09 Jun 2004 17:07:37 +0900
Message-id: <[🔎] 40C6C549.6010002@nexantis.net>
Reply-to: walter@nexantis.net
In-reply-to: <[🔎] 40C6C315.9090901@free.fr>
References: <[🔎] 40C6C315.9090901@free.fr>

hubix wrote:

The connection success, but for the LIST ftp command, my firewall blockpackets with source and destination ports above 1024...Does anyone know why ftp protocol don't use 20 an 21 ports for thiscommand, and how to configure my firewall to accept this packets withoutbreaking it ?

FTP protocol tries first to set up as passive, with both parts usingports >1024.iptables handles this well, by just setting up connection tracking thegood way. If you want ftp transfer in both directions, it seems you willhave to accept ESTABLISHED,RELATED on tcp for both 20,21 destinatedconnections and >1024.


It should be fairly secure if you restrict well combination of TCP flags
and connection initiating sequence.


Friendly,


Jerome

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: FTP, iptables, and connection tracking
  - From: Mike Mestnik <cheako911@yahoo.com>

References:
- FTP, iptables, and connection tracking
  - From: hubix <hubix@free.fr>

Prev by Date: FTP, iptables, and connection tracking
Next by Date: Re: dns firewalls and mx records for internally hosted domains
Previous by thread: FTP, iptables, and connection tracking
Next by thread: Re: FTP, iptables, and connection tracking
Index(es):
- Date
- Thread