On Wed, 2006-11-01 at 23:14 +0100, Leen de Braal wrote:
Hello All!
I have a box that is acting as a masquerading firewall between a lan and the great WWW. I used to have a rule for a subnet of machines that were only allowed to FTP due to web abuse issues. This was in SuSEfirewall2 in 9.1. I have just upgraded to 10.0 and now Active FTP is broken. The relative lines were:
192.168.20.224/28,0/0,tcp,20
192.168.20.224/28,0/0,udp,20
192.168.20.224/28,0/0,tcp,21
192.168.20.224/28,0/0,udp,21
in FW_MASQ_NETS. It worked great. Now my FTP clients stop dead in their tracks at the PORT command.
Try the last block (nr 32.) in SFW:
FW_LOAD_MODULES="ip_nat_ftp"
That fixed it. After a little research, I see these kernel modules are directly applicable to netfilter / iptables. Is there somewhere that they are well documented? I searched http://www.netfilter.org/ for a while and couldn't find any clear detail on ip_nat_ftp and ip_conntrack_ftp or if there's even any other modules that might be useful. Thanks! Mike
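An added example, not code from the thread or from SuSEfirewall2 itself: a small script that turns FW_MASQ_NETS entries like the ones above into the iptables rules they amount to, and adds what the FTP helper needs. The entries are taken from the thread; the module name nf_nat_ftp (the successor of ip_nat_ftp) and the `CT --helper` rule, which current kernels need because they no longer attach helpers automatically, are assumptions about kernels newer than the one discussed.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: expand "src,dst,proto,port"
# entries (FW_MASQ_NETS syntax) into iptables rules and add FTP helper setup.

# Constructed sample: the tcp entries from the thread above.
MASQ_NETS="192.168.20.224/28,0/0,tcp,20 192.168.20.224/28,0/0,tcp,21"

# Static rules for one entry. They match only the destination port, so an
# active-mode data connection (server port 20 -> client's ephemeral port)
# is never covered here; it is only let through when the FTP helper has
# read the PORT command and marks that connection RELATED.
masq_rules() {
  IFS=, read -r src dst proto port <<EOF
$1
EOF
  echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -s $src -d $dst -p $proto --dport $port -j MASQUERADE"
}

# Helper setup: load the NAT helper (ip_nat_ftp in the thread, nf_nat_ftp on
# current kernels; assumption), bind it to port 21 (needed since kernel 4.7,
# where automatic helper assignment is off) and accept RELATED traffic.
ftp_helper_rules() {
  echo "modprobe ${1:-nf_nat_ftp}"
  echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
  echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Print the full rule set; argument is the helper module name.
generate() {
  ftp_helper_rules "$1"
  for entry in $MASQ_NETS; do masq_rules "$entry"; done
}

# Check on the firewall box itself: is either helper module loaded?
helper_loaded() { grep -q -e '^nf_nat_ftp ' -e '^ip_nat_ftp ' /proc/modules; }

generate "${FTP_HELPER_MODULE:-nf_nat_ftp}"
```

Run it on the firewall with `FTP_HELPER_MODULE=ip_nat_ftp` on a kernel of the thread's vintage; `helper_loaded && echo ok` confirms the module is present after `modprobe`.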