On Thursday 22 January 2009 17:28, Agile Aspect wrote:
> Regarding item (2), I would guess I would have to add the following entries:
> Active:
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
All FTP connections begin with port 21. Port 20 is the DATA connection. ip_conntrack_ftp will track connections needing the data port open.
> Passive:
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40000:60000 --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
Do you have a rule like this:
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
If not, you should place this in your rules. This rule eliminates the need to continuously add rules to allow outgoing connections for allowed incoming connections.
If you do then you should not need the OUTPUT rules you listed above.
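As an added example (not rules posted by either participant in this thread), the script below emits a minimal iptables-restore ruleset for an FTP server that follows the advice above: only port 21 is opened for NEW connections, and the data connections (port 20 in active mode, the 40000:60000 passive range in passive mode) are accepted by the RELATED,ESTABLISHED rule once the conntrack FTP helper is loaded. It also includes a small check that counts the wide port-range rules proposed earlier in the thread, so you can see which rules the helper makes redundant. The chain name RH-Firewall-1-INPUT and the passive range come from the thread; the module names and the /etc/sysconfig/iptables-config location are the usual ones on RHEL/Fedora and are assumptions here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a RHEL/Fedora-style firewall with the
# RH-Firewall-1-INPUT chain. The FTP helper must be loaded for RELATED matching to
# work: "modprobe nf_conntrack_ftp" (ip_conntrack_ftp on 2.6.18-era kernels), or
# IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables-config (assumption).

# Emit the ruleset in iptables-save format. Order matters: RELATED,ESTABLISHED
# must precede the final REJECT, and it is what admits FTP data connections.
ftp_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# The data-port rules proposed earlier in the thread, kept here as constructed
# input for the redundancy check below (they are not part of ftp_ruleset).
proposed_rules() {
cat <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40000:60000 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
EOF
}

# Count rules on stdin that open a TCP port range (--sport/--dport low:high).
# With the helper loaded and a RELATED,ESTABLISHED rule in place, every such
# FTP data-port rule is redundant and only widens the attack surface.
count_range_rules() {
    awk '/--[sd]port [0-9]+:[0-9]+/ { n++ } END { print n + 0 }'
}

# Exit 0 if the ruleset on stdin accepts RELATED,ESTABLISHED on the given chain.
has_related_rule() {
    grep -q -- "^-A $1 .*--state RELATED,ESTABLISHED -j ACCEPT"
}

# Usage: ./ftp-rules.sh --print   (show the ruleset)
#        ./ftp-rules.sh --apply   (load it with iptables-restore, as root)
case "${1:-}" in
    --print) ftp_ruleset ;;
    --apply) ftp_ruleset | iptables-restore ;;
esac
```

Run `./ftp-rules.sh --print | count_range_rules` to confirm the helper-based ruleset opens no port ranges; piping the old rules through the same function shows the four range rules that become unnecessary. Verify the helper is active after loading with `lsmod | grep conntrack_ftp`; without it, passive transfers will hang on the data connection even though port 21 is open.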