Re: FTP, iptables, and connection tracking
I was under the impression that it was safe to always accept
ESTABLISHED,RELATED?
iptables -I FORWARD -i $IFACE+ -o $IFACE+ -j REJECT\
--reject-with icmp-net-unreachable
iptables -A INPUT -i $IFACE+ -m state --state\
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IFACE+ -m state --state\
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE+ -m state --state\
ESTABLISHED,RELATED -j ACCEPT
--- Jerome Walter <walter@nexantis.net> wrote:
> hubix wrote:
> > The connection succeeds, but for the LIST ftp command, my firewall
> > blocks packets with source and destination ports above 1024...
> > Does anyone know why the ftp protocol doesn't use ports 20 and 21 for
> > this command, and how to configure my firewall to accept these packets
> > without breaking it?
>
> The FTP protocol tries first to set up as passive, with both parties using
> ports >1024.
> iptables handles this well, by just setting up connection tracking the
> right way. If you want ftp transfer in both directions, it seems you will
> have to accept ESTABLISHED,RELATED on tcp for both 20,21-destined
> connections and >1024.
>
> It should be fairly secure if you restrict well the combination of TCP flags
> and the connection-initiating sequence.
>
>
> Friendly,
>
>
> Jerome
>
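Added example, not the poster's or Jerome's script: a minimal iptables ruleset in which the RELATED match actually catches FTP data connections, which only happens when the kernel's FTP conntrack helper has inspected the control channel. Assumptions: IFACE is the interface prefix used in the post, the FTP control port is tcp/21, and the helper module is nf_conntrack_ftp (the newer name of ip_conntrack_ftp); with APPLY unset the commands are printed for review instead of executed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes IFACE is the external interface
# prefix, FTP control on tcp/21, and the nf_conntrack_ftp helper module.
IFACE="${IFACE:-eth}"
APPLY="${APPLY:-0}"   # APPLY=1 runs the commands; otherwise they are printed

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

ftp_ruleset() {
    # RELATED only matches FTP data connections once the FTP helper has
    # parsed the PORT/PASV exchange on the control channel, so load it first.
    run modprobe nf_conntrack_ftp
    # Kernels since 3.5 do not attach helpers automatically; bind the helper
    # to the control port explicitly (the CT target lives in the raw table).
    run iptables -t raw -A PREROUTING -i "${IFACE}+" -p tcp --dport 21 \
        -j CT --helper ftp
    run iptables -t raw -A OUTPUT -o "${IFACE}+" -p tcp --dport 21 \
        -j CT --helper ftp
    # Control channel: accept only new SYN packets to port 21.
    run iptables -A INPUT -i "${IFACE}+" -p tcp --dport 21 --syn \
        -m conntrack --ctstate NEW -j ACCEPT
    # Data channel (active or passive, ports >1024): accept only packets the
    # helper has tied to an existing control connection, and only over TCP.
    run iptables -A INPUT -i "${IFACE}+" -p tcp \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -o "${IFACE}+" -p tcp \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that do not fit any tracked connection are dropped outright.
    run iptables -A INPUT -i "${IFACE}+" -m conntrack --ctstate INVALID -j DROP
}

ftp_ruleset
```

Without the helper loaded and bound, the ESTABLISHED,RELATED rules from the post match only the control connection, which is exactly the symptom hubix describes for LIST.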