Hello Ian, Friday, July 18, 2003, 3:47:30 PM, you wrote:
I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick.
It does ( if ip_conntrack_ftp is loaded )
It is.
Active FTP may go beyond the scope of the SuSEfirewall2 tool. It's just an assumption; I never used SuSEfirewall2. Is it an option for you to use iptables without that SuSE tool? Why don't you take a look at Shorewall? You can mix iptables commands with simple, easy-to-type rules. You can find it at http://www.shorewall.net/
I wanted to keep it simple and so use the SuSE-supplied script, which is already working on two other setups (which are not as complex as this one). Shorewall may be an option, but I'm still curious what this flags thing is for. Rule created by SuSEfirewall2 which does _not_ work with unmasqueraded active FTP connections:

    0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02

A rule without the "flags:!0x16/0x02" part does the job. Maybe you can point me to some howto on what these flags things are and why they are used by SuSEfirewall2 by default?

-- 
Best regards,
André mailto:Andre.Saenger@gmx.de
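Editor's note, added to the archived thread (this is not code from either poster or from SuSEfirewall2): the "flags:!0x16/0x02" that iptables -L prints is its mask/compare notation for --tcp-flags. The mask 0x16 is SYN|RST|ACK and the compare value 0x02 is SYN, so "0x16/0x02" is "--tcp-flags SYN,RST,ACK SYN", which is exactly what the --syn shorthand expands to, and the leading "!" negates it. The rule therefore accepts RELATED/ESTABLISHED packets from source port 20 only when they are not a connection-opening SYN. The script below decodes that notation and runs the packets a server sends from port 20 when it opens an active-mode data connection through the match; the flag bit values are the standard TCP header bits, and the packet list is constructed for the example.

```python
# TCP header flag bits (RFC 793 / netfilter's tcp_flag values) as used by
# iptables' --tcp-flags mask/comp match.
TCP_FLAGS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}


def parse_flags_match(spec):
    """Parse an 'iptables -L' flags field such as 'flags:!0x16/0x02'.

    Returns (negate, mask, comp): negate is True when the match is inverted,
    mask is the set of bits examined, comp the value those bits must equal.
    """
    body = spec[len("flags:"):] if spec.startswith("flags:") else spec
    negate = body.startswith("!")
    if negate:
        body = body[1:]
    mask_s, comp_s = body.split("/")
    return negate, int(mask_s, 16), int(comp_s, 16)


def flag_names(bits):
    """Bitmask -> list of flag names, in header-bit order."""
    return [name for name, value in TCP_FLAGS.items() if bits & value]


def to_iptables_syntax(spec):
    """Render the -L notation back into the --tcp-flags form used on the command line."""
    negate, mask, comp = parse_flags_match(spec)
    comp_names = ",".join(flag_names(comp)) or "NONE"
    prefix = "! " if negate else ""
    return f"{prefix}--tcp-flags {','.join(flag_names(mask))} {comp_names}"


def flags_match(spec, packet_flags):
    """Apply netfilter's semantics: only the bits in mask are looked at,
    the match succeeds when they equal comp, and '!' inverts the result."""
    negate, mask, comp = parse_flags_match(spec)
    hit = (packet_flags & mask) == comp
    return not hit if negate else hit


# Constructed sample: the packets an FTP server emits from port 20 when it
# opens an active-mode data connection towards the client, in order.
# (The client's SYN/ACK travels the other way and is not subject to this rule.)
ACTIVE_FTP_DATA_FROM_PORT_20 = [
    ("opening SYN", TCP_FLAGS["SYN"]),
    ("handshake ACK", TCP_FLAGS["ACK"]),
    ("data PSH/ACK", TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    ("closing FIN/ACK", TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
]


def accepted_packets(spec, packets=ACTIVE_FTP_DATA_FROM_PORT_20):
    """Return {description: matched} for each packet against the flags match.
    A packet that fails the flags match is not accepted by the rule, whatever
    conntrack says about its state."""
    return {desc: flags_match(spec, flags) for desc, flags in packets}


if __name__ == "__main__":
    rule = "flags:!0x16/0x02"
    print(rule, "=>", to_iptables_syntax(rule))
    for desc, ok in accepted_packets(rule).items():
        print(f"  {desc:16s} {'accepted' if ok else 'NOT accepted'}")
```

Running it shows that "flags:!0x16/0x02" reads as "! --tcp-flags SYN,RST,ACK SYN" and that the opening SYN from port 20 is the one packet the match rejects. That is consistent with what André observed: ip_conntrack_ftp marks the server's data connection RELATED, but the negated --syn test keeps the rule from ever accepting the packet that opens it, while the ACK and data packets that follow would have been accepted. SuSEfirewall2 almost certainly emits the "! --syn" form to keep a RELATED/ESTABLISHED rule from accepting new connections; the same test is what breaks active FTP here, since in active mode the server, not the client, opens the data connection.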