
Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 16/09/2004 Daniel Pittman wrote:
> >> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> >> --state NEW" should work fine.
> >
> > does this show the port as open in port scans?
> 
> No, since it is an output rule.  Port scanning only concerns INPUT and
> FORWARD rules, since it requires a packet coming in.

Yeah, I got that. Thanks for the information.

> > so but if firehol takes care of the default ftp port, it should
> > consider this, and though already open these ports for passive ftp,
> > shouldn't it? Daniel, can you tell us?
> 
> Firehol does read the ip_local_port_range sysctl and use that for rules
> on the INPUT/OUTPUT chains.  It allows almost anything for rules on the
> FORWARD chain since it cannot assume anything about the machines it is
> acting as an IP forwarder for.
> 
> >>> what i'm wondering about: does firehol do this for port 20 with its
> >>> complex ftp service?
> 
> You can see what it sets up in the file /etc/firehol/firehol, line 878.
> 
> A quick check says that it does take into account both active and
> passive FTP, and does use the default local port range.

That's cool, so I only need to open the source ports for active FTP,
L-1, 209, 214, 219, 224, 229, in my case, not the ports for passive FTP.

bye
 jonas
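As an added illustration of the two points in the exchange above (the per-port "old way" rules for an FTP client, and reading ip_local_port_range the way Daniel says FireHOL does), here is a small script. It is not code from the thread or from FireHOL; the function names, the 32768-60999 fallback range and the rule layout are this example's own assumptions. It only prints rules, it does not apply them, so it can be inspected before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FireHOL.
# Prints (does not apply) iptables rules for an FTP *client* on this host,
# using the ip_local_port_range sysctl the way the thread says FireHOL does.
# Function names and the 32768-60999 fallback are this example's own choices.

# Print the kernel's ephemeral port range as "LOW HIGH".
# Falls back to the usual Linux default when the sysctl is not readable
# (assumed default, so the script also runs on non-Linux hosts).
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# ftp_client_rules LOW HIGH
# Per-port rules, the "old way" discussed in the thread:
#   control:  we open TCP/21 outbound (OUTPUT NEW); replies are ESTABLISHED
#   active:   the server connects back from source port 20 to one of our
#             ephemeral ports, so INPUT must accept NEW from sport 20
#   passive:  we connect out from an ephemeral port to the server's data port
ftp_client_rules() {
    range="$1:$2"
    cat <<EOF
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 --dport ${range} -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 --sport ${range} -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport ${range} --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport ${range} --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# ftp_client_rules_helper
# Same client, but with the kernel FTP connection-tracking helper loaded:
# the helper watches the PORT/PASV exchange on the control channel and marks
# the data connection RELATED, so no NEW rule keyed on source port 20 is
# needed. The INPUT rule above that accepts NEW from sport 20 is exactly what
# a scanner sending from source port 20 can use to see the ephemeral range
# as open; this form has no such rule. (nf_conntrack_ftp is the current
# module name; on the 2.4/2.6 kernels of the thread's era it was
# ip_conntrack_ftp.)
ftp_client_rules_helper() {
    cat <<'EOF'
modprobe nf_conntrack_ftp
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: print both rule sets for the live range; review, then pipe to sh as root.
set -- $(local_port_range)
ftp_client_rules "$1" "$2"
echo
ftp_client_rules_helper
```

The first rule set is the one that matches the reasoning in the thread: the OUTPUT rules never show up in a port scan, but the INPUT rule for active FTP does accept NEW connections into the whole ephemeral range as long as they come from source port 20. The helper-based set avoids that by letting conntrack open only the one data connection the control channel negotiated.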


