
Re: iptables + ftp



Tom Allison wrote:

> FTP seems to be one of those evils...
> 
> I'm getting stuck on this passive FTP firewalling, where you accept
> hi-port (>1023) to hi-port connections for FTP.

Stateful packet matching makes this easy:

iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Connection tracking support, state matching support, and FTP tracking
support must be enabled (either compiled in or as modules).

Adam
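
Added example, not part of the original message: the same stateful approach written out for an FTP client host whose INPUT and OUTPUT policies are both DROP. It assumes a current kernel (module nf_conntrack_ftp, helper bound explicitly in the raw table, -m conntrack in place of -m state); the function name ftp_client_rules is made up for this example.

```shell
#!/bin/sh
# Dry run: prints the commands. Pipe the output to "sh" as root to apply them.

ftp_client_rules() {
    ipt=${1:-iptables}   # assumption: name of the iptables binary to emit

    # FTP connection-tracking helper. On 2.4-era kernels the module was
    # called ip_conntrack_ftp; current kernels ship nf_conntrack_ftp.
    echo "modprobe nf_conntrack_ftp"

    # Kernels since 4.7 do not attach helpers automatically by default,
    # so bind the ftp helper to outgoing control connections explicitly.
    echo "$ipt -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp"

    # Control channel to the server (first rule from the message).
    echo "$ipt -A OUTPUT -p tcp --dport 21 -j ACCEPT"

    # Packets of connections that are already tracked, both directions.
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"

    # Data channel: accept RELATED only when the ftp helper created the
    # expectation, instead of trusting every RELATED packet.
    # Passive mode: the client opens the hi-port to hi-port connection.
    echo "$ipt -A OUTPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
    # Active mode: the server connects back to the client.
    echo "$ipt -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"

    # Note: ICMP errors are also RELATED and are not covered by the two
    # helper-restricted rules above; add a separate rule if they are needed.
}

ftp_client_rules "$@"
```

With an OUTPUT policy of ACCEPT, the two OUTPUT accept rules are redundant, but the raw-table helper binding is still required for the data connection to be classified as RELATED.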


