But if I disable this line, it gives me the following:
ftp> ls
200 PORT command successful.
425 Can't build data connection: Operation timed out
ftp>
--- On Wed, 2/7/08, Mark Chong <mark@stabat.com> wrote:
From: Mark Chong <mark@stabat.com>
Subject: Re: ftp table
To: sathyainkara.balendra@yahoo.co.uk
Cc: "debian firewall" <debian-firewall@lists.debian.org>
Date: Wednesday, 2 July, 2008, 8:02 AM
-A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW -j ACCEPT
This rule allows that machine to make ANY connections to your machine. If you only want to be able to connect to it on ftp, then you only need the OUTPUT rule.

Also, just FYI: just because you're connecting to a machine on port 20 or 21 does not mean you HAVE to talk ftp to that machine; the same goes for any port. For example, a rule blocking all outgoing traffic except port 80 would still let a user connect to a remote machine over ssh if the remote machine had an ssh server listening on that port.
Sathyainkara Balendra wrote:
> Thanks for your helpful answers.
> I am using following settings now and it works:
> #FTP-TABLE
> *filter
>
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW -j ACCEPT
> -A OUTPUT -p tcp -d 212.74.114.60 --dport 20:21 -m state --state NEW -j ACCEPT
>
> ###################################################################
>
> COMMIT
>
>
> ------------------------------------------------------------------------
> Not happy with your email address?
> Get the one you really want <http://uk.docs.yahoo.com/ymail/new.html>
> - millions of new email addresses available now at Yahoo!
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
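A quick way to catch the pattern discussed in this thread (accepting NEW inbound connections because of the remote end's source port) is to lint the iptables-restore file before loading it. The Python script below is an added example written for this page, not code from the thread, from Debian or from the iptables project. Both rulesets inside it are constructed: the first is the posted table reflowed to one rule per line; the second is a hypothetical variant that drops the source-port rule and instead relies on the kernel's FTP connection-tracking helper (nf_conntrack_ftp, called ip_conntrack_ftp on the 2.6 kernels of that era, assumed here to be loaded separately with modprobe) so that the server's active-mode connect-back from port 20 is classified RELATED to the control connection and admitted by the existing INPUT ESTABLISHED,RELATED rule.

```python
"""Lint an iptables-restore ruleset for INPUT rules that accept NEW connections
on the strength of the peer's source port alone (added example, not from the thread)."""
import shlex

# Constructed sample 1: the ruleset posted in the thread, one rule per line.
POSTED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -d 212.74.114.60 --dport 20:21 -m state --state NEW -j ACCEPT
COMMIT
"""

# Constructed sample 2 (hypothetical variant): no NEW rule on INPUT at all. It
# assumes the FTP conntrack helper is loaded (modprobe nf_conntrack_ftp, or
# ip_conntrack_ftp on 2.6 kernels) so the server's active-mode connect-back
# from port 20 is tracked as RELATED to the control connection on port 21.
HELPER_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d 212.74.114.60 --dport 21 -m state --state NEW -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into (chain, options).

    Options map each '-x'/'--xxx' token to the value that follows it, or to
    True for a bare flag. Lines that are not append rules return None.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1          # stray token such as a '!' negation; skip it
            continue
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return chain, opts


def weak_port_trust_rules(ruleset):
    """Return INPUT rules that ACCEPT state NEW while matching the remote
    source port (--sport) and no local destination port (--dport).

    Such a rule trusts whatever the peer host chooses to send from those
    ports, to any local port, whatever protocol it speaks.
    """
    findings = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, opts = parsed
        states = str(opts.get("--state", "")).upper().split(",")
        if (chain == "INPUT" and opts.get("-j") == "ACCEPT" and "NEW" in states
                and "--sport" in opts and "--dport" not in opts):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULESET), ("helper", HELPER_RULESET)):
        hits = weak_port_trust_rules(rules)
        print(f"{name}: {len(hits)} weak rule(s)")
        for hit in hits:
            print("  ", hit)
```

The lint only reads the file: with the helper-based variant, whether the data connection actually arrives as RELATED depends on the conntrack helper module being loaded on the firewall host, which no ruleset check can confirm. Note also that the variant permits only the control connection to port 21 from the OUTPUT side, so a passive-mode transfer (client connecting out to a high server port) is likewise admitted only if the helper tracks it as RELATED.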