15 Aug 2003, 10:14
On Thu, Aug 14, 2003 at 03:56:07PM +0200, André Sänger wrote:
> Rule created by SuSEfirewall2 which does _not_ work with unmasqued active ftp-connections:
>
> 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02
>
> A rule without the "flags:!0x16/0x02" part does the job. Maybe you can point me to some howto what these flags things are and why they are used by SuSEfirewall2 by default?

You get these flags if there is a rule specification "! --syn" (or the
equivalent --tcp-flags as described in iptables(8)). It looks
strange to me, because the SYN packet is what has to be treated
specially if active ftp should work. Maybe someone mixed it up and
inverted the test?
--
Stefan Tichy
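
The flags test discussed in this thread, decoded as an added example (not part of the original posts and not SuSEfirewall2 code): it parses the "flags:[!]0xMASK/0xCOMP" field of an iptables listing and checks which TCP packets pass it. The function names and the sample packets are constructed for illustration; the rule text is the one quoted above.

```python
import re

# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

FLAGS_RE = re.compile(r"flags:(!?)0x([0-9A-Fa-f]{1,2})/0x([0-9A-Fa-f]{1,2})")


def names(bits):
    """Return the flag names set in bits, in header bit order."""
    return [n for n, b in TCP_FLAGS.items() if bits & b]


def parse_flags(listing):
    """Parse 'flags:[!]0xMASK/0xCOMP' from an iptables listing line.

    Returns (inverted, mask, comp), or None if the line has no flags match.
    """
    m = FLAGS_RE.search(listing)
    if m is None:
        return None
    return (m.group(1) == "!", int(m.group(2), 16), int(m.group(3), 16))


def flags_match(listing, packet_flags):
    """True if a packet with these TCP flags passes the rule's flags test."""
    parsed = parse_flags(listing)
    if parsed is None:
        return True  # the rule has no flags condition
    inverted, mask, comp = parsed
    hit = (packet_flags & mask) == comp  # examine only masked bits
    return hit != inverted               # '!' inverts the result


# Rule text quoted in the thread above.
RULE = ("0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 "
        "state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02")

if __name__ == "__main__":
    inverted, mask, comp = parse_flags(RULE)
    print("inverted:", inverted, "mask:", names(mask), "comp:", names(comp))
    # Constructed sample packets: flag combinations seen on a TCP connection.
    for label, f in [("SYN", 0x02), ("SYN,ACK", 0x12), ("ACK", 0x10),
                     ("PSH,ACK", 0x18), ("FIN,ACK", 0x11)]:
        print(f"{label:8} passes flags test: {flags_match(RULE, f)}")
```

The mask 0x16 is SYN,RST,ACK and the compare value 0x02 is SYN, so the inverted test passes every packet except a bare SYN, which is the packet that opens the active FTP data connection from port 20.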