Hi list,
I'm having a problem with proftpd access when my firewall is running. I'm using CentOS 4.3 with proftpd-1.2.10-10.2.el4.rf
I haven't done any modification to my proftpd; I just run the server. My iptables ruleset is very simple; I use stateful routing.
iptables -A INPUT -i ! $WAN -j ACCEPT
iptables -A INPUT -i $WAN -m state --state NEW -p tcp --dport 21 -j ACCEPT
> I'm having a problem with proftpd access when my firewall is running. I'm using CentOS 4.3 with proftpd-1.2.10-10.2.el4.rf
> I haven't done any modification to my proftpd; I just run the server. My iptables ruleset is very simple; I use stateful routing.
> iptables -A INPUT -i ! $WAN -j ACCEPT
> iptables -A INPUT -i $WAN -m state --state NEW -p tcp --dport 21 -j ACCEPT
I suspect your problem might be related to PASV ftp jumping up to a higher power. You need to set an upper and lower port bound for PASV ftp, or enable ftp connection tracking by loading the appropriate iptables module.
Oh yeah. What's the right module for the iptables?
On 8/31/06, Jim Perrin jperrin@gmail.com wrote:
> > I'm having a problem with proftpd access when my firewall is running. I'm using CentOS 4.3 with proftpd-1.2.10-10.2.el4.rf
> > I haven't done any modification to my proftpd; I just run the server. My iptables ruleset is very simple; I use stateful routing.
> > iptables -A INPUT -i ! $WAN -j ACCEPT
> > iptables -A INPUT -i $WAN -m state --state NEW -p tcp --dport 21 -j ACCEPT
> I suspect your problem might be related to PASV ftp jumping up to a higher power. You need to set an upper and lower port bound for PASV ftp, or enable ftp connection tracking by loading the appropriate iptables module.
Mark Quitoriano wrote:
> Oh yeah. What's the right module for the iptables?
ip_conntrack_ftp comes to mind.
And please don't toppost. Thanks.
Regards,
Ralph
On 8/31/06, Ralph Angenendt ra+centos@br-online.de wrote:
> Mark Quitoriano wrote:
> > Oh yeah. What's the right module for the iptables?
> ip_conntrack_ftp comes to mind.
Yup, I got it. Just modprobe ip_conntrack_ftp and everything works perfectly.
> And please don't toppost. Thanks.
Sorry about that.
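
Added example, not part of the thread: a shell sketch of why a ruleset that accepts NEW connections only on port 21 breaks passive FTP. The 227 reply, the addresses and the 49152-65534 range are constructed sample values, and the DROP verdict assumes the INPUT chain drops whatever no rule accepts. The ip_conntrack_ftp helper reads this same reply on the control connection so the data connection can be matched as RELATED.

```shell
#!/bin/sh
# Added illustration (not from the thread). Function names are hypothetical.

# Extract the data port from a PASV reply:
#   227 ... (h1,h2,h3,h4,p1,p2)  ->  port = p1*256 + p2
pasv_port() {
    reply=$1
    case $reply in 227*\(*\)*) ;; *) return 1 ;; esac
    tuple=${reply#*\(}          # drop everything up to "("
    tuple=${tuple%%\)*}         # drop ")" and what follows
    case $tuple in *[!0-9,]*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    set -- $tuple               # split the six numbers on commas
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case $n in '') return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    echo $(( $5 * 256 + $6 ))
}

# Verdict for a NEW inbound TCP connection on the WAN interface.
#   $1 = destination port
#   $2/$3 = lowest/highest passive port opened in the firewall (empty = none),
#           matching a bound set on the server (ProFTPD: PassivePorts)
# Assumption: anything not accepted here is dropped by the chain policy.
new_conn_verdict() {
    dport=$1 lo=$2 hi=$3
    if [ "$dport" -eq 21 ]; then echo ACCEPT; return; fi
    if [ -n "$lo" ] && [ "$dport" -ge "$lo" ] && [ "$dport" -le "$hi" ]; then
        echo ACCEPT; return
    fi
    echo DROP
}

# Constructed sample reply as a server would send it on the control channel.
reply='227 Entering Passive Mode (192,0,2,10,195,80)'
port=$(pasv_port "$reply")
echo "server asks client to connect to data port: $port"
echo "only --dport 21 accepted as NEW: $(new_conn_verdict "$port" '' '')"
echo "passive range 49152-65534 open:  $(new_conn_verdict "$port" 49152 65534)"
```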