
Re: ProFTPd behind firewall



On Thu, Aug 21, 2003 at 08:39:05PM +0200, Ahton?n Kar?sek wrote:
> PassivePorts                    2000 2200
> 
> But ProFTPD seems not to read this :) It's not possible to build a firewall without this feature :(
> Does anybody know where the problem can be?

Is the firewall in question a Linux iptables one, or something 
proprietary? 

If it's iptables, then you shouldn't need to do any of this, since 
you can make use of statefulness in netfilter..

Load the ip_conntrack_ftp module if needed, allow port 21
TCP to that machine, and ensure that packets in the FORWARD chain
(assumes the firewall is a separate machine, as it should be) are
accepting ESTABLISHED and RELATED connections :) 

Something like

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(the syntax might be a little different, I can't check docs/google from
here..)

Then you won't need to open any ranges at all, and can live safe in the 
knowledge iptables is keeping you secure :)

Cheers,
Gavin.
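The ruleset Gavin sketches, written out as an added example (this is not code from the thread or from ProFTPD): a Linux firewall routes traffic to an internal ProFTPD host, loads the FTP conntrack helper, accepts only NEW connections to port 21, and lets the helper-tracked data channels through as RELATED, so no passive port range is opened. Interface names, the server address and the DRY_RUN switch are assumptions; the modern `-m conntrack --ctstate` match replaces the `-m state --state` syntax of 2003, and `ip_conntrack_ftp` has since been renamed `nf_conntrack_ftp`.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout: the firewall is
# a separate box that routes (no NAT) between WAN_IF and LAN_IF, and ProFTPD
# runs on FTP_SERVER behind LAN_IF.
set -e

WAN_IF="${WAN_IF:-eth0}"                   # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                   # assumed: interface toward the FTP host
FTP_SERVER="${FTP_SERVER:-192.168.1.10}"   # assumed: internal ProFTPD address
IPTABLES="${IPTABLES:-iptables}"

# With DRY_RUN=1 the commands are printed instead of executed, so the rules
# can be reviewed on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_firewall_rules() {
    # The helper watches the PORT/PASV exchange on the control channel and
    # marks the resulting data connection RELATED. On 2.4/2.6 kernels the
    # module is ip_conntrack_ftp; on current kernels it is nf_conntrack_ftp.
    run modprobe nf_conntrack_ftp

    # Kernels 4.7 and later no longer attach helpers automatically, so the
    # control channel has to be handed to the ftp helper explicitly.
    run "$IPTABLES" -t raw -A PREROUTING -i "$WAN_IF" -p tcp \
        -d "$FTP_SERVER" --dport 21 -j CT --helper ftp

    # Anything that belongs to a tracked connection, including data channels
    # the helper has marked RELATED (active or passive), passes both ways.
    run "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the control channel needs a NEW rule; no passive range is opened.
    run "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp \
        -d "$FTP_SERVER" --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else that would be forwarded is dropped.
    run "$IPTABLES" -P FORWARD DROP
}

# Number of explicit FORWARD rules the script installs (used as a self-check).
forward_rule_count() {
    ( DRY_RUN=1; ftp_firewall_rules ) | grep -c -- '-A FORWARD'
}

case "${1:-}" in
    --apply)   ftp_firewall_rules ;;
    --dry-run) ( DRY_RUN=1; ftp_firewall_rules ) ;;
esac
```

Run with `--dry-run` to see the rules, `--apply` as root to install them. One caveat worth knowing before relying on this: the helper has to read the PASV/PORT replies in cleartext, so if the server is later switched to FTP over TLS the data channels are no longer recognised as RELATED, and a fixed PassivePorts range plus an explicit rule for it becomes necessary after all.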


