On Jan 4 at 20:15, MaD dUCK (or reasonable facsimile) said:
//snip
> in a NAT'd LAN, how can one enable the use of genuine ftp clients (ncftp,
> wsftp) as well as netscape/ie that pretend to speak ftp, without allowing
> all connections to ports 1024+ on the firewall/masquerading host?
//snip
One possible way to resolve the 1024+ problem is this (the idea comes from the SuSEfirewall script, but I forget how they did it... I think it is not carried through):

    # Which ports do programs use for unbound (locally originated) traffic:
    LOWPORT=10001
    HIGHPORT=20000

    # Make the kernel pick source ports for outgoing connections only from
    # this range, so the replies come back to a known range of ports.
    echo "$LOWPORT $HIGHPORT" > /proc/sys/net/ipv4/ip_local_port_range

    # For the input chain (I jumped to server_i): let replies to our own
    # connections in, TCP and UDP.
    ipchains --append server_i -p TCP --dport $LOWPORT:$HIGHPORT -j ACCEPT
    ipchains --append server_i -p UDP --dport $LOWPORT:$HIGHPORT -j ACCEPT

    # Other rules for services we expose go here (including ICMP, not shown)
    ipchains --append server_i -p TCP --dport 22 -j ACCEPT

    # Everything else is dropped
    ipchains --append server_i -j DENY

So, the server is allowed to make ANY outgoing connections it pleases, but there is no requirement to expose common services in the >1024 port range (e.g. mysql at 3306). It is a good idea to do this BEFORE starting services that make connections, since they will have their data denied if they use ports in the range 1024-4096, as is the default. (I can't figure out if someone said this already among all the helpful ideas posted.) &:-)

-- 
This is joke number 92
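As an added example (not code from the post above, nor from SuSEfirewall): a dry-run builder for the rules in that post plus a small checker that walks the chain the way ipchains would, so you can see which inbound ports the ruleset lets through before touching a live firewall. The chain name server_i and the LOWPORT/HIGHPORT values come from the post; the function names (build_rules, verdict, range_covered) are hypothetical, verdict() models only the four rules shown (no addresses, no SYN handling, first match wins, as ipchains does), and the sample packets are constructed.

```shell
#!/bin/bash
# Added example, not code from the post above.  Assumptions: chain server_i
# and the 10001..20000 range are from the post; function names are
# hypothetical; verdict() models only the post's rules, first match wins.

LOWPORT=10001
HIGHPORT=20000

# Print the commands the post installs, without executing them.  Refuse a
# range that reaches into the privileged ports or is not ascending: an
# ACCEPT for 10001:20000 is harmless, an ACCEPT for 1:20000 would re-expose
# most of what the DENY at the end is supposed to cover.
build_rules() {
    local low=$1 high=$2
    if [ "$low" -lt 1024 ] || [ "$high" -gt 65535 ] || [ "$low" -ge "$high" ]; then
        echo "build_rules: refusing range $low:$high" >&2
        return 1
    fi
    cat <<EOF
echo "$low $high" > /proc/sys/net/ipv4/ip_local_port_range
ipchains --append server_i -p TCP --dport $low:$high -j ACCEPT
ipchains --append server_i -p UDP --dport $low:$high -j ACCEPT
ipchains --append server_i -p TCP --dport 22 -j ACCEPT
ipchains --append server_i -j DENY
EOF
}

# Walk the chain for one inbound packet (proto, dport) and print the verdict.
# Usage: verdict TCP 15000 "$LOWPORT" "$HIGHPORT"
verdict() {
    local proto=$1 port=$2 low=$3 high=$4
    # rules 1-2: replies to connections we opened ourselves
    if [ "$proto" = TCP ] || [ "$proto" = UDP ]; then
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            echo ACCEPT; return 0
        fi
    fi
    # rule 3: the one service deliberately exposed
    if [ "$proto" = TCP ] && [ "$port" -eq 22 ]; then
        echo ACCEPT; return 0
    fi
    # rule 4: everything else, including mysql on 3306 and any socket a
    # daemon bound from the old default range before the sysctl was changed
    echo DENY; return 0
}

# The ordering caveat from the post as a check: every port the kernel may
# pick must fall inside the accepted range.  First argument is the contents
# of /proc/sys/net/ipv4/ip_local_port_range ("low high"); returns 0 if covered.
#   range_covered "$(cat /proc/sys/net/ipv4/ip_local_port_range)" "$LOWPORT" "$HIGHPORT"
range_covered() {
    set -- $1 "$2" "$3"   # split "low high" into $1 $2; wanted range is $3 $4
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# Stand-alone run: show the rules, then a few constructed packets.
build_rules "$LOWPORT" "$HIGHPORT"
for pkt in "TCP 15000" "TCP 3306" "TCP 22" "UDP 22" "TCP 2000"; do
    set -- $pkt
    echo "$1/$2 -> $(verdict "$1" "$2" "$LOWPORT" "$HIGHPORT")"
done
```

The TCP/2000 case is the one the post warns about: a daemon that opened a long-lived connection from the old 1024-4096 range before the sysctl was written keeps that source port, and its replies now land on the final DENY. Running range_covered against the live /proc value after boot is a cheap way to confirm the sysctl actually took effect before the ACCEPT rules were loaded.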