* Jörg Schütter <joerg.schuetter@gmx.de> [010524 13:52]:
Also no tcp needed. You should make sure that all packets have no syn-bit set. ipchains -A input -p udp -s $REMOTENET -d $OUTERNET 1024:5000 ! -y -j ACCEPT
One question here: what will be the effect of this 1024:5000 on: 1) RealAudio, as it is using 7070? AFAIU I have to open 7070:7071 for RealAudio then.
Yes, of course. Open what you need.
2) When I do ftp, let's say to suse.com, do I have to specify a port again?
We have to differentiate between two types of ftp: passive and active ftp. If you use active ftp, the requested ftp server will decide what ftp data port to use. Then you must allow tcp-syn packets to you. If you decide to use passive ftp (most of the ftp servers support that), then the requested ftp server leaves it up to your nat device or ftp proxy how to communicate with the ftp server. No tcp-syn to your box is needed then. In your case (you don't run any servers, do you?) tcp-syn goes only in one direction: from you to the internet, never from the inet to you. Best would be to use tcpdump or iptraf to analyze the traffic of passive and active ftp to see the difference.
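The difference described above, worked through as a small simulation (added example, not code from the mailing-list thread): a stateless "accept inbound TCP only if it is not a SYN" rule of the kind ipchains expresses with `! -y`, applied to the packets of a passive and an active FTP data-channel setup. The client address 192.168.1.10, the server address 203.0.113.5 and all port numbers are assumptions chosen for the example; nothing here runs real ipchains.

```python
"""Stateless SYN filtering vs. passive/active FTP (constructed simulation).

Models an ipchains-style rule such as
    ipchains -A input -p tcp -s 0/0 -d $INNER 1024:65535 ! -y -j ACCEPT
which accepts inbound TCP to unprivileged ports unless the packet is a
connection-opening SYN. Addresses and ports below are invented for the demo.
"""
from dataclasses import dataclass

INNER = "192.168.1.10"       # assumed address of "your box" (the FTP client)
FTP_SERVER = "203.0.113.5"   # assumed remote FTP server (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True when SYN is set and ACK is clear, i.e. what ipchains -y matches


def inbound_allowed(pkt: Packet) -> bool:
    """The '! -y' rule: accept inbound TCP to 1024:65535 only if it is not a new-connection SYN."""
    return pkt.dst == INNER and 1024 <= pkt.dport <= 65535 and not pkt.syn


def inbound_allowed_with_active_ftp(pkt: Packet) -> bool:
    """Same rule plus the hole active FTP needs: SYNs from source port 20 to unprivileged ports.
    Caveat: any remote host can set its source port to 20, so this lets strangers open
    connections to every unprivileged port on the box, not only FTP data channels."""
    if inbound_allowed(pkt):
        return True
    return pkt.dst == INNER and pkt.sport == 20 and 1024 <= pkt.dport <= 65535


def passive_ftp_session(client_port: int = 1034, server_data_port: int = 40000) -> list:
    """Data-channel setup after the client sent PASV: the client opens the data connection."""
    return [
        Packet(INNER, client_port, FTP_SERVER, 21, syn=True),                    # control connection, outbound
        Packet(FTP_SERVER, 21, INNER, client_port, syn=False),                   # SYN/ACK back (not a bare SYN)
        Packet(INNER, client_port + 1, FTP_SERVER, server_data_port, syn=True),  # data connection, client-initiated
        Packet(FTP_SERVER, server_data_port, INNER, client_port + 1, syn=False), # SYN/ACK back
    ]


def active_ftp_session(client_port: int = 1034, client_data_port: int = 1035) -> list:
    """Data-channel setup after the client sent PORT: the server connects back from port 20."""
    return [
        Packet(INNER, client_port, FTP_SERVER, 21, syn=True),                    # control connection, outbound
        Packet(FTP_SERVER, 21, INNER, client_port, syn=False),                   # SYN/ACK back
        Packet(FTP_SERVER, 20, INNER, client_data_port, syn=True),               # server-initiated SYN: inbound!
        Packet(INNER, client_data_port, FTP_SERVER, 20, syn=False),              # client's SYN/ACK, outbound
    ]


def evaluate(packets: list, rule=inbound_allowed) -> tuple:
    """Apply `rule` to the inbound packets only (this model does not filter outbound traffic).
    Returns (accepted, dropped)."""
    inbound = [p for p in packets if p.dst == INNER]
    accepted = [p for p in inbound if rule(p)]
    dropped = [p for p in inbound if not rule(p)]
    return accepted, dropped


def data_channel_works(packets: list, rule=inbound_allowed) -> bool:
    """True if nothing the session needs was dropped by the rule."""
    return not evaluate(packets, rule)[1]


if __name__ == "__main__":
    for name, session in (("passive", passive_ftp_session()), ("active", active_ftp_session())):
        accepted, dropped = evaluate(session)
        print(f"{name} ftp with '! -y' rule: {len(accepted)} accepted, {len(dropped)} dropped")
        for p in dropped:
            print(f"  dropped SYN {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        print(f"{name} ftp with port-20 SYN hole: works={data_channel_works(session, inbound_allowed_with_active_ftp)}")
```

Run it and the passive session passes the `! -y` rule untouched, while the active session loses exactly the SYN from the server's port 20, which is the packet the post says you "must allow" for active FTP. The second predicate shows what that allowance costs on a stateless filter; this is the kind of difference tcpdump or iptraf would show you on the wire.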