LLLActive@GMX.Net wrote:
Rui, But what Rui mentions about ip_conntrack_ftp is something I read elsewhere as well. What does it do, and what does 'ip_nat_ftp' do?
Well, ip_conntrack_ftp "knows" that a certain IP is connected to the ftp port. When your ftp client asks for data, the ftp server informs the client that the LISTEN port is xxx but, that xxx port is usually closed by all firewalls, so when the client tries to connect to that xxx port, it gets rejected. This is where ip_conntrack_ftp comes in. It "automatically" allows that IP ( client ) to connect to the xxx port.

Of course, the previous will only work if your ftp server is on the firewall machine. If it is not, you will need the ip_nat_ftp module to allow that kind of behavior for a private internal IP address ( ftp server ).

By all means I am not an iptables GURU. Probably a few other participants will enlighten us all about this subject.

PS: ip_conntrack_ftp and ip_nat_ftp are considered an extra security risk. Many ftp servers allow you to use EPSV ( Extended PaSsiVe mode ). In this mode the server will inform the client that it should connect to a xxx port, which will be in a port range that you provide. This way you can reserve x number of ports just, and only, for FTP passive connections.

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
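The following is an added example, not code from the list thread or from the netfilter project, showing the core of what an FTP connection-tracking helper has to do: read the server's passive-mode reply on the control channel, work out which data connection the client is about to open, and decide whether to expect (allow) it. The decision applies two checks a defender wants: the advertised address must be the same host the control channel is already talking to, and the advertised port must fall inside the passive range reserved for FTP (the 50000-50100 range and the two sample replies are constructed for this example).

```python
import re

# Constructed sample control-channel replies; not captured from a real server.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50042|)"

# Assumed passive port range reserved on the ftp server (constructed value).
PASSIVE_RANGE = (50000, 50100)

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|); the address is always the control peer.
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_peer_ip):
    """Return the (ip, port) the client will dial for the data channel.

    Raises ValueError for anything that is not a well-formed PASV/EPSV reply,
    so a malformed line never produces an expectation.
    """
    m = PASV_RE.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            raise ValueError("PASV field out of range")
        ip = ".".join(str(o) for o in fields[:4])
        return ip, fields[4] * 256 + fields[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return control_peer_ip, port
    raise ValueError("not a passive-mode reply")


def data_connection_expectation(reply, control_peer_ip, passive_range=PASSIVE_RANGE):
    """Decide whether to open a one-shot expectation for the data connection.

    Mirrors the helper's job: only a data connection to the same server the
    control channel is talking to, on a port inside the reserved passive
    range, is allowed through; everything else stays blocked.
    """
    ip, port = parse_passive_reply(reply, control_peer_ip)
    lo, hi = passive_range
    return {
        "ip": ip,
        "port": port,
        "allow": ip == control_peer_ip and lo <= port <= hi,
    }


if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        print(reply, "->", data_connection_expectation(reply, "192.168.1.10"))
```

Run as a script it prints the expectation derived from each sample reply. The address check is what keeps the helper from being talked into opening a hole toward some third host, and the range check is the firewall-side counterpart of the passive port range Rui describes: the server only ever advertises ports inside it, so anything outside is never expected.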