On Thu, Feb 20, 2003 at 04:49:22AM +1300, Richard Hector wrote:
> On Wed, Feb 19, 2003 at 04:39:57AM -0800, Paul Johnson wrote:
> > On Wed, Feb 19, 2003 at 03:02:33PM +1300, Richard Hector wrote:
> > > Should that (ip_conntrack_ftp) work for a non-NAT filter as well?
> > >
> > > Or is there some other trick for that?
> >
> > I don't imagine it would, but then again, I've never tried it so I
> > don't know firsthand. Care to try it and post the results?
>
> I tried it briefly - that is, I used modconf to install ip_conntrack_ftp.
> It didn't work (still logged dropped packets when I tried to ls).
>
> Then I read something that suggested to me that maybe this module just
> updates a table, and I need extra iptables rules to allow related
> traffic.
>
> The combination of the hassle of reading about and doing this, and the
> other article I read on 2.4/ftp vulnerabilities, and the fact that I
> actually don't use ftp very much, made me decide it wasn't worthwhile
> going further (at the moment, anyway).

I'm fairly sure that ipt_conntrack_ftp can be used to let FTP through a
non-MASQ'ing firewall, too, with judicious use of RELATED rules. No doubt
iptables.org knows more than I do, though. Also try the archives of the
debian-firewall list, it's a goldmine for information like this.

-- 
Rob Weir <rweir@ertius.org> http://ertius.org/
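As an added example (not from anyone in this thread), here is the rule fragment the reply is describing: ip_conntrack_ftp only tracks the FTP data connection and marks it RELATED, so a plain, non-NAT filter still needs explicit ESTABLISHED,RELATED accept rules or the directory listing is dropped exactly as Richard saw. The outside interface name and the DROP policies are assumptions, and the fragment is meant to be merged into an existing ruleset rather than replace one.

```shell
#!/bin/sh
# Added example: 2.4-era iptables rules that let active and passive FTP
# through a filtering (non-masquerading) firewall via ip_conntrack_ftp.

WAN_IF="${WAN_IF:-eth0}"   # assumed outside interface

# Emit the rules in iptables-restore format so they can be reviewed
# before loading (iptables-restore < file).
ftp_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The helper only records the expected data connection in the conntrack
# table; these two rules are what actually let that RELATED flow through.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New control-channel connections from the inside out to FTP servers.
-A FORWARD -o ${WAN_IF} -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Anything else forwarded is logged, then hits the DROP policy.
-A FORWARD -j LOG --log-prefix "FORWARD drop: "
COMMIT
EOF
}

# Load the helper and then the rules. Needs root; not run at load time.
load_ftp_rules() {
    modprobe ip_conntrack_ftp || return 1
    ftp_ruleset | iptables-restore
}

# Check that the ruleset accepts RELATED traffic in a given chain.
has_related_accept() {
    chain="$1"
    ftp_ruleset | grep -q -- "-A ${chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
```

For the firewall host's own FTP client the INPUT rule does the work; for clients behind it the FORWARD rule does, in both active and passive mode.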