Hi Vadim!
I need active FTP from the firewall host, and I have to set FW_ALLOW_INCOMING_HIGHPORTS="ftp-data". In this case active FTP works, but SuSEfirewall2 allows incoming connections from port 20 to any high TCP port.
There is a known bug in v2.1 of SuSEfirewall2 as shipped with SuSE 8.0 which prevents active FTP from working correctly. If you need active FTP from the firewall, you can try to apply the following patch and tell me if it worked. AFAIK, this bug is fixed in v3.1 (SuSE 8.1).

Regards, Andy

--- SuSEfirewall2.orig Sat Mar 23 20:24:47 2002 +++ SuSEfirewall2 Tue Nov 5 00:18:48 2002 @@ -931,9 +931,11 @@ DONE_ALL=no test "$FW_ALLOW_INCOMING_HIGHPORTS_TCP" = yes || { + for CHAIN in input_int input_dmz input_ext; do $LAC $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p tcp --dport 1024:65535 --syn $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p tcp --dport 1024:65535 $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p tcp --dport 1024:65535 + done } for j in $FW_ALLOW_INCOMING_HIGHPORTS_TCP; do case "$j" in @@ -1089,8 +1091,10 @@ DONE_ALL=no test "$FW_ALLOW_INCOMING_HIGHPORTS_UDP" = yes || { + for CHAIN in input_int input_dmz input_ext; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp --dport 1024:65535 $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state ESTABLISHED,RELATED -p udp --dport 1024:65535 + done } for j in $FW_ALLOW_INCOMING_HIGHPORTS_UDP; do case "$j" in
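Review bot: In the TCP hunk (@@ -931,9 +931,11 @@) the two LOG rules inside the new loop still lack the `-m state --state ESTABLISHED,RELATED` match that the ACCEPT rule after them carries, so the `$LAC` rule with `--syn` logs every new SYN to ports 1024:65535 as "-ACCEPT" even when conntrack does not know the packet as RELATED and the ACCEPT rule therefore never fires; the log then claims an accept the chain does not perform. Carry the same state match onto both LOG lines, e.g. `$LAC $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -m state --state ESTABLISHED,RELATED -p tcp --dport 1024:65535 --syn`. The added `for CHAIN in input_int input_dmz input_ext; do` / `done` pair itself looks right: before the patch the three rules referenced `$CHAIN` without this block setting it, which is consistent with the breakage being fixed.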
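Review bot: The chain list `input_int input_dmz input_ext` is spelled out literally in this UDP hunk (@@ -1089,8 +1091,10 @@) and again in the TCP hunk above; put it in one variable (say `INPUT_CHAINS="input_int input_dmz input_ext"`, a name suggested here, not one from the script) defined once and loop over that in both places, so a chain added later is not handled for one protocol and forgotten for the other. The `$LAA` LOG rule here has the same gap as in the TCP hunk: it logs "-ACCEPT" for any UDP packet to 1024:65535 while the ACCEPT rule below it only matches ESTABLISHED,RELATED; add `-m state --state ESTABLISHED,RELATED` to the LOG line as well.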
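As an added example, not part of this thread and not code from SuSEfirewall2, the following script puts the two approaches side by side: the blanket "anything from TCP/20 may reach any high port" rule that the question describes (its exact rule text is an assumption of what the "ftp-data" setting expands to, not copied from the script), and the conntrack-based rule in the shape of the patched block, plus a small audit that flags the permissive form in a rule dump. The chain names are the three from the patch; `INPUT_CHAINS`, the function names and the `IPTABLES` variable are mine. Rules are only emitted as text, so it runs without root and without iptables installed. One caveat a practitioner should keep in mind: the ESTABLISHED,RELATED match only sees the active-FTP data SYN as RELATED while the kernel's FTP connection-tracking helper is loaded.

```shell
#!/bin/sh
# Added example, not part of SuSEfirewall2 or of the thread: the permissive
# active-FTP rule the question describes, the conntrack-based rule the patch
# installs, and a small audit that tells them apart. Rules are only printed
# as text here so the script runs without root and without iptables.

IPTABLES=iptables                                # assumed binary name; never executed here
INPUT_CHAINS="input_int input_dmz input_ext"     # the three chains the patch loops over

# Permissive variant: the effect the question attributes to
# FW_ALLOW_INCOMING_HIGHPORTS="ftp-data" (rule text is an assumption, not
# copied from the script). Anyone sourcing from TCP/20 reaches every high port.
weak_rules() {
    for CHAIN in $INPUT_CHAINS; do
        echo "$IPTABLES -A $CHAIN -p tcp --sport 20 --dport 1024:65535 -j ACCEPT"
    done
}

# Tighter variant, the shape of the patched block: only packets that
# connection tracking already knows about are let in. The active-FTP data
# SYN is RELATED to the tracked control connection only while the FTP
# conntrack helper (ip_conntrack_ftp on 2.4 kernels) is loaded.
strict_rules() {
    for CHAIN in $INPUT_CHAINS; do
        echo "$IPTABLES -A $CHAIN -m state --state ESTABLISHED,RELATED -p tcp --dport 1024:65535 -j ACCEPT"
    done
}

# Audit: read rule lines on stdin and print every ACCEPT into the high-port
# range that carries no conntrack state match. Exit status 1 if any was found,
# so it can gate a deployment:  some_rule_dump | audit_rules || echo "fix me"
audit_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-j ACCEPT"*) ;;           # only ACCEPT rules matter
            *) continue ;;
        esac
        case "$rule" in
            *"--dport 1024:65535"*) ;;  # only the high-port range
            *) continue ;;
        esac
        case "$rule" in
            *"--state "*) continue ;;   # state-matched: fine
        esac
        echo "permissive high-port accept: $rule"
        found=1
    done
    return $found
}

# Stand-alone run: show both rule sets and audit each.
echo "## weak";   weak_rules;   weak_rules   | audit_rules || echo "-> flagged"
echo "## strict"; strict_rules; strict_rules | audit_rules && echo "-> clean"
```

The audit is deliberately string-based so it can be pointed at a saved `iptables-save`-style dump or at the script's own generated rules before anything is loaded; the distinguishing feature it keys on is exactly the one the patch relies on, the presence of a `--state` match on the high-port ACCEPT.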