30 Nov
2005
30 Nov
'05
5:31 p.m.
Aleksandar Milivojevic wrote on Wed, 30 Nov 2005 09:16:34 -0600:
For example, the correct way to allow active FTP data connection, you would allow packet in only if it is sent from port 20 (-p tcp --sport 20), *and* it is connection to high port (preferrably in 49152-65534 range, although some broken FTP servers use entire 1024-65534 range, but definettely high port) (--dport 49152:65534) *and* related to existing FTP control channel (-m state --state RELATED) *and* it was marked as related by ftp helper module (-m helper --helper ftp).
Is that "helper" identical with the ip_conntrack_ftp module or is this something different?
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org