Re: ProFTPd behind firewall
On Thu, Aug 21, 2003 at 08:39:05PM +0200, Ahton?n Kar?sek wrote:
> PassivePorts 2000 2200
>
> But ProFTP seem not to read this :) It's not possible to build firewall without this feature :(
> Is there anybody knows, where the problem can be?
Is the firewall in question a Linux iptables one, or something
proprietary?
If it's iptables, then you shouldn't need to do any of this, since
you can make use of statefulness in netfilter..
Load the ip_conntrack_ftp module if needed, and allow allowing port 21
TCP to that machine, and ensure that packets in the FORWARD chain
(assumes the firewall is a seperate machine, as it should be) are
accepting ESTABLISHED and RELATED connections :)
Something like
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
(the syntax might be a little different, I can't check docs/google from
here..)
Then you won't need to open any ranges at all, and can live safe in the
knowledge iptables is keeping you secure :)
Cheers,
Gavin.
Reply to: