Re: ftp table

To: sathyainkara.balendra@yahoo.co.uk
Cc: debian firewall <debian-firewall@lists.debian.org>
Subject: Re: ftp table
From: Mark Chong <mark@stabat.com>
Date: Wed, 02 Jul 2008 18:02:05 +1000
Message-id: <[🔎] 486B35FD.9030704@stabat.com>
In-reply-to: <[🔎] 551671.50520.qm@web28211.mail.ukl.yahoo.com>
References: <[🔎] 551671.50520.qm@web28211.mail.ukl.yahoo.com>

-A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW -jACCEPT


this rule allows for that machine to make ANY connections to your machine

if you only want to make it so you can connect to it and on ftp, thenyou only need the output rule

also just FYI, just because your connecting to a machine on port 20 or21 does not mean you HAVE to talk ftp to that machine, same goes for anyportsfor example if you had a rule blocking all outgoing traffic except forport 80 would mean a user could connect to a remote machine over ssh ifthe remote machine had a ssh server listening on that port.



Sathyainkara Balendra wrote:

Thanks for ur helpful answers.
I am using following settings now and it works:
#FTP-TABLE
*filter

: INPUT DROP [0:0]
: FORWARD DROP [0:0]
: OUTPUT DROP [0:0]


-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW -jACCEPT-A OUTPUT -p tcp -d 212.74.114.60 --dport 20:21 -m state --state NEW-j ACCEPT
###################################################################

COMMIT


------------------------------------------------------------------------
Not happy with your email address?
Get the one you really want <http://uk.docs.yahoo.com/ymail/new.html>- millions of new email addresses available now at Yahoo!<http://uk.docs.yahoo.com/ymail/new.html>

Reply to:

References:
- ftp table
  - From: Sathyainkara Balendra <sathyainkara.balendra@yahoo.co.uk>

Prev by Date: ftp table
Next by Date: Re: ftp table
Previous by thread: ftp table
Next by thread: Re: ftp table
Index(es):
- Date
- Thread