
Re: iptables not so stateful



On Sat, 2004-08-14 at 01:19, John Summerfield wrote:
> > You have to use passive FTP for connection tracking to work. If you use
> > active then the connection tracking module won't be able to follow the
> > connection.
> 
> My firewall is a Powermac running Woody plus shorewall.
> 
> As you can see, I do not need to use passive ftp. I've always thought
> that's what connection tracking's for.
> 
> Here are my shorewall rules:
> fw:/etc/shorewall# grep -v ^# rules

Then you have a bunch of high-end ports open. Connection tracking
doesn't work with active FTP because it is a server-initiated
connection. That's one of the main reasons passive exists. If the server
picks a port at random, then there is no way the client can anticipate
what port to open. On the other hand, if the client is allowed to
negotiate the port, then it can open up the port it wants to use and
accurately track the connection.

http://slacksite.com/other/ftp.html

Run tcpdump or snort and you'll find you have some open ports you
weren't aware of (lots actually). At any rate, run some type of port
scan because I suspect you have some gaping holes in your firewall.

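Added example, not part of this thread: a small Python parser for the two ways an FTP data connection is announced on the control channel (the client's PORT command in active mode, the server's 227 reply in passive mode), which is what a connection-tracking FTP helper such as Netfilter's ip_conntrack_ftp reads in order to know which single port to expect instead of a range of high ports. The control-channel transcript, hostnames and addresses below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel transcript (both sides interleaved).
# Not captured from the poster's firewall.
SAMPLE_CONTROL_CHANNEL = """\
220 fw FTP server ready
USER anonymous
331 Please specify the password.
PASS guest@example.com
230 Login successful.
PORT 192,168,1,10,4,1
200 PORT command successful.
LIST
226 Directory send OK.
PASV
227 Entering Passive Mode (203,0,113,5,195,80).
RETR file.txt
"""

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959).
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?" + _HP)


@dataclass(frozen=True)
class ExpectedDataConn:
    mode: str       # "active" or "passive"
    host: str       # address the data connection will go to
    port: int       # TCP port the data connection will go to
    initiator: str  # who opens it: "server" (active) or "client" (passive)


def _decode(groups):
    """Turn the six comma-separated numbers into (dotted IP, port)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_control_line(line):
    """Return the data connection a conntrack helper would expect, or None."""
    m = PORT_RE.match(line.strip())
    if m:  # active: server will connect from port 20 to this client port
        host, port = _decode(m.groups())
        return ExpectedDataConn("active", host, port, "server")
    m = PASV_RE.match(line.strip())
    if m:  # passive: client will connect to this server port
        host, port = _decode(m.groups())
        return ExpectedDataConn("passive", host, port, "client")
    return None


def expected_data_connections(transcript):
    """All data connections announced in a control-channel transcript."""
    return [c for c in map(parse_control_line, transcript.splitlines()) if c]
```

Running it over the sample yields one active expectation (server -> 192.168.1.10:1025) and one passive expectation (client -> 203.0.113.5:50000); a firewall that only accepts RELATED/ESTABLISHED traffic needs exactly these, not a range of high ports.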