* Knut Erik Hauslo wrote on Thu, Jul 17, 2003 at 10:48 +0200:
Without masquerading, and allowed FTP, I only got this working by additionally opening ports 1024-65535.
Which of course opens all high ports for any attacker. Using port 20 (or 53) as source in attacks is quite common.
Now, suppose you allow outgoing 20,21 for FTP, you'd also need to open incoming high ports. Unfortunately, this parameter does not seem to work if you do not masquerade, so you need to add a forwarding rule which permits high ports from the outside world. This again leaves those ports always open, not only when FTP sessions need them.
With masquerading, this worked fine:

FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
I do not understand why this allows masqueraded clients to access active FTP resources. Well, without masq I think the "RELATED" option of iptables does the trick. Active FTP through masq requires something like ip_masq_ftp or however it is called these days (ip_conntrack?), doesn't it?

oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
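As an added illustration of the point made in this thread (this is example code, not part of either poster's message or of SuSEfirewall2), the following script prints a plain iptables FORWARD ruleset for a non-masquerading router that lets LAN clients use active FTP without opening ports 1024-65535 inbound. It relies on the FTP connection-tracking helper (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on 2.4/2.6 era kernels) to parse the client's PORT command and classify the server's data connection from port 20 as RELATED to the control session. The network 172.19.0.0/16 is taken from the thread; the interface names eth0/eth1 are assumptions. The rules are printed rather than executed so they can be reviewed first; pipe the output to sh to apply them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Generates a FORWARD ruleset that uses connection tracking instead of a
# blanket high-port hole to support active FTP from an internal network.

LAN_NET="${LAN_NET:-172.19.0.0/16}"   # internal network, as used in the thread
LAN_IF="${LAN_IF:-eth1}"              # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"              # assumed outside interface

# Print the rules (review with: ftp_forward_rules ; apply with: ftp_forward_rules | sh)
ftp_forward_rules() {
    cat <<EOF
# load the FTP helper so PORT/PASV data connections become RELATED
modprobe nf_conntrack_ftp
iptables -P FORWARD DROP
iptables -F FORWARD
# replies to existing sessions plus helper-recognised data connections
# (the server's connection from port 20 back to the client's high port)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new FTP control sessions, only from the LAN towards the outside
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# anything else, including unsolicited SYNs with source port 20 or 53,
# is not RELATED to any session and falls through to the DROP policy
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Check that the generated set contains no always-open high-port range,
# which is the weakness described in the thread. Returns 0 when clean.
no_highport_hole() {
    if ftp_forward_rules | grep -q -- '--dport 1024:65535'; then
        return 1
    fi
    return 0
}

# When run directly, just show the ruleset.
ftp_forward_rules
```

Older kernels accept the same logic with `-m state --state` instead of `-m conntrack --ctstate`; the helper name differs per kernel generation as noted in the lead-in. The important property is that the data connection is accepted only while the helper has seen a matching control session, so the high ports are closed the rest of the time.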