Re: iptables not so stateful
Eric Gaumer <gaumerel@titan.ecs.fullerton.edu> writes:
> Then you have a bunch of high end ports open. Connection tracking
> doesn't work with active FTP because it is a server initiated
> connection.
Check out the iptables documentation page.
"RELATED
A packet which is related to, but not part of, an existing
connection, such as an ICMP error, or (with the FTP module
inserted), a packet establishing an ftp data connection."
This is in connection with the state option for iptables. Active ftp
works with connection tracking, and I've tried it.
> That's one of the main reasons passive exists. If the server
> picks a port at random, then there is no way the client can anticipate
> what port to open.
Passive exists because some firewalls (like the older ipchains) didn't
have connection tracking.
Check out this website too:
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
--
John L. Fjellstad
web: http://www.fjellstad.org/ Quis custodiet ipsos custodes
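To make the point about RELATED concrete, here is an added example of the two client-side rulesets the thread contrasts (this is not code from the original post or its authors). It assumes a Linux host running an FTP client behind a default-deny INPUT chain, an OUTPUT policy of ACCEPT, and an FTP conntrack helper module named nf_conntrack_ftp (2.6+ kernels) or ip_conntrack_ftp (2.4 kernels); the IPT and MODPROBE variables are a hypothetical dry-run switch, not iptables options.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPT=echo MODPROBE=echo to
# print the rules instead of applying them (applying them needs root).
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}

# Weak variant: no FTP helper loaded. In active mode the server opens the
# data connection from its port 20 to a random unprivileged port that the
# client announced with PORT. Without the helper that SYN is a NEW
# connection, so the only way to let it in is to open the whole range,
# which is the "bunch of high end ports open" complained about above.
ftp_client_rules_without_helper() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
}

# Conntrack variant: the helper watches the PORT command on the tracked
# control connection (port 21) and registers the expected data connection,
# so when the server's SYN arrives it matches state RELATED. One rule covers
# it and no high ports are left open for anything else.
ftp_client_rules_with_helper() {
    # Module name differs between kernel generations (assumed names).
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Every other inbound connection attempt, including a SYN to a high port
    # that conntrack was not told to expect, falls through to the DROP policy;
    # this rule just makes that explicit.
    $IPT -A INPUT -p tcp --syn -j DROP
}
```

One caveat a practitioner will hit: the helper works by reading the PORT command in clear text on the control channel, so it cannot do this for FTP over TLS, and it only inspects port 21 unless told otherwise. The RELATED match also requires the control connection itself to be tracked, which is why the ESTABLISHED rule and the helper go together.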