also sprach Tom Stepleton (on Thu, 04 Jan 2001 03:12:06PM -0500):
don't quite get your question, but isn't the problem you're talking about what modules like ip_masq-ftp are for? I'm not sure this helps since these modules are for the masquerading aspect of firewalling and not the blocking aspect, but AFAIK these do pay attention to what's going on on the protocol level and open ports accordingly. I know I had to load ip_masq_ftp to get FTP working through my firewall, but I don't know exactly what you're doing with NAT or much about NAT to begin with.
mh. these modules... now i remember. i read about them at one point in time, all excited about ip_masq_icq.o just so that i can let LAN users use ICQ on the MASQ'd net, but as it turns out, on my 2.2.17 kernel, these modules aren't even necessary:

root@albatross ~> lsmod
Module          Size   Used by
b1pci           3992   1 (autoclean)
b1              16320  0 (autoclean) [b1pci]
capidrv         24840  3 (autoclean)
kernelcapi      18516  2 (autoclean) [b1pci capidrv]
capiutil        22400  0 (autoclean) [capidrv kernelcapi]
slip            7856   2 (autoclean)
autofs          9120   1 (autoclean)
isdnloop        12628  6 (autoclean)
isdn            112288 6 (autoclean) [capidrv isdnloop]

yet, icq, ftp, irc and others work perfectly fine... i am not sure i know exactly what the purpose of these modules is. sure, ip_masq_quake is needed because quakeworld servers don't work with ports 6xxxx or whatever, and ip_masq_irc simply enables DCC transfers, but just take ip_masq_ftp and i am clueless. look at the following tcpdump output which is everything merlin ever has to say to my computer during an ftp session (until the password prompt), without ip_masq_ftp loaded:

root@albatross ~> tcpdump -qi ippp0 src host 130.58.218.7 | grep -v auth
21:39:22.669348 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 0 (DF)
21:39:25.709893 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 69 (DF)
21:39:26.580174 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 0 (DF)
21:39:26.585833 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 36 (DF)

sure, no data is transferred, but the point is - these are packets coming into interface ippp0, destined to be demasqueraded, on ports above 60000. if i had blocked 1024 and up, they would have never arrived, and the ftp session would have never been established.

now, the same output with ip_masq_ftp loaded:

21:39:53.570288 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61832: tcp 0 (DF)
21:39:56.399793 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61832: tcp 69 (DF)
21:39:57.163834 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61832: tcp 0 (DF)
21:39:57.170270 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61832: tcp 36 (DF)

unless i am totally not getting this, the output has two messages: (1) ip_masq_ftp doesn't do anything to facilitate firewalling on the gateway machine, and (2), in only 31 seconds, my LAN made 10 connections to the outside world. no way i can just leave "some" ports open... anyway, i just checked and ip_masq_ftp is to enable active ftp transfers, nothing to do with passive... i don't think there's any way around a stateful firewall... and it's not just ftp:

22:08:25.052026 < merlin.sccs.swarthmore.edu.ssh > pD4B8911C.dip.t-dialin.net.61893: tcp 36 (DF)

with an external interface ippp0, ipchains just needs a rule like

ipchains -A input -p tcp -d 0/0 1024:65536 -j ACCEPT

to work... thanks for your time anyway!

martin

[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
--
an avocado-tone refrigerator would look good on your resume.
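The audit a defender would want before deciding how wide that ACCEPT rule has to be, as an added example that is not part of the thread: a small parser for the "tcpdump -q" lines quoted above that buckets inbound packets on the external interface by destination port and reports which ports a narrower ACCEPT scope would stop covering. The sample lines are constructed in the same format (the 23/tcp line is made up to show a packet the rule should not cover), and the 61000-65095 range is assumed to be the 2.2 kernel's default masquerade port range.

```python
import re
from collections import Counter

# Constructed sample in the "tcpdump -q" format quoted in the message.
# The last line is made up: an inbound connection to telnet on the gateway.
SAMPLE = """\
21:39:22.669348 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 0 (DF)
21:39:25.709893 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61822: tcp 69 (DF)
21:39:53.570288 < merlin.sccs.swarthmore.edu.ftp > pD4B8911C.dip.t-dialin.net.61832: tcp 0 (DF)
22:08:25.052026 < merlin.sccs.swarthmore.edu.ssh > pD4B8911C.dip.t-dialin.net.61893: tcp 36 (DF)
22:08:30.117700 < merlin.sccs.swarthmore.edu.1025 > pD4B8911C.dip.t-dialin.net.23: tcp 0 (DF)
"""

# Assumed: default masquerade port range of a 2.2 kernel (61000 .. 65095).
MASQ_LO, MASQ_HI = 61000, 65095

# time, src host, src port/service, dst host, dst port (numeric), length
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) < (\S+)\.(\S+) > (\S+)\.(\d+): tcp (\d+)")

def parse_line(line):
    """Return (time, src, sport, dst, dport, length) or None if not a tcp line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, src, sport, dst, dport, length = m.groups()
    return t, src, sport, dst, int(dport), int(length)

def classify(dport):
    """Firewall bucket for an inbound packet arriving on the external interface."""
    if MASQ_LO <= dport <= MASQ_HI:
        return "masq-reply"      # reply to a masqueraded LAN connection
    if dport < 1024:
        return "privileged"      # a service on the gateway itself
    return "high-other"          # unprivileged port, not masquerade-related

def summarize(text):
    """Count packets per bucket and distinct (src, sport, dst, dport) flows."""
    counts, flows = Counter(), set()
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        _, src, sport, dst, dport, _ = p
        counts[classify(dport)] += 1
        flows.add((src, sport, dst, dport))
    return {"counts": dict(counts), "flows": len(flows)}

def dropped_by_scope(text, lo, hi):
    """Destination ports in text that an ACCEPT rule limited to lo:hi would not cover."""
    return sorted({p[4] for p in map(parse_line, text.splitlines())
                   if p and not lo <= p[4] <= hi})
```

Running summarize(SAMPLE) shows every masqueraded reply landing in the 61000-65095 bucket, and dropped_by_scope(SAMPLE, MASQ_LO, MASQ_HI) drops nothing that the wider 1024:65536 scope would have kept, apart from the inbound telnet packet both should refuse.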
participants (1): MaD dUCK