[luau] Iptables firewall question

MonMotha monmotha at indy.rr.com
Fri Jan 10 12:26:00 PST 2003


Vince Hoang wrote:
...
> To run an FTP server that supports both PASV and PORT mode, you
> will have to also allow incoming connections to your ephemeral
> port range.

Bad way to do it, just use the conntrack helper (and nat module if you're 
forwarding the port too, I guess if you're not forwarding it you don't need the 
nat module, but it doesn't hurt).

...
> It is probably because your client defaulted to passive mode.
> Active mode should work with the current setup.
> 

Correct.  In "active" (PORT) mode, the server connects to the client for the 
data connection.  My script allows all outbound activity, so this doesn't cause 
any problems.  In "passive" (PASV) mode, the client connects to the server for 
the data connection.  This is more friendly to client side firewalls and is what 
one would expect (client connect to server is normal way to retrieve requested 
data after all).  However, it breaks server side firewalls.  Basically, if the 
client is firewalled, passive needs to be used, and if the server is firewalled, 
active needs to be used.  If both are firewalled, FTP will not work (data 
connection will be blocked) unless the firewall can make accommodations. 
IPTables can do this statefully, only allowing connects to the FTP port range 
that are actually the result of a PASV command issued on the control connection.

> HTH,
> -Vince

--MonMotha

--
Optimist: The glass is half full.                      | PGP Key: 0x1B0390E0
Pessimist: The glass is half empty.                    | Outgoing mail signed
Engineer: The glass is twice as big as it needs to be. | monmotha at indy.rr.com
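The stateful handling MonMotha describes, written out as an iptables rule set; this is an added example, not a script from the thread. The external interface name is an assumption, and `IPT=echo MODPROBE=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Stateful firewall for a locally running FTP server (constructed example).
# Only the control port is opened; PASV data connections are let in because
# the ftp conntrack helper marks them RELATED to the control connection.
# Set IPT=echo MODPROBE=echo for a dry run that only prints the commands.

IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
FTP_PORT="${FTP_PORT:-21}"
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface; adjust for your host

# Load the helper that parses PORT/PASV on the control connection and
# registers the expected data connection. If the server sits behind this
# box and you DNAT the control port to it, also load nf_nat_ftp so the
# addresses inside PASV replies get rewritten. The helper reads the
# commands in clear text, so it cannot follow FTP over TLS.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
}

# Emit (or apply, when IPT=iptables) the rules for the FTP server.
ftp_server_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Newer kernels no longer attach helpers automatically; bind it explicitly.
    $IPT -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    # Data connections the helper expects match RELATED; replies to our own
    # traffic match ESTABLISHED. Nothing opens the ephemeral range itself, so
    # a connect to a high port never announced in a PASV reply hits the
    # INPUT policy and is dropped.
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$FTP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # All outbound traffic allowed, so active (PORT) mode needs no extra rule.
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
}

# Apply only when explicitly asked: sh ftp-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    ftp_server_rules
fi
```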