On Sun, 2011-05-01 at 03:32 +0200, Carlos E. R. wrote:
Perhaps the syntax is wrong. The comment says:
## Type:        string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
#   Allow samba broadcast replies marked as related by
#   nf_conntrack_netbios_ns from a certain network:
#   "192.168.1.0/24,udp,137"
#
What is sport,dport? There is no example there for ftp :-(
sport = Source Port, dport = Destination Port.

For an FTP connection that's the bad part. The control port (21) is rather
simple: on the server, the source port typically is between 1024 and 65k and
dport is 21. The data port is much worse, and it all depends on whether the
session is active or passive.

Are you using TLS over FTP? Then the entire conntracking does not work (the
PORT command is transmitted encrypted, the kernel doesn't see it and can't
open the respective ports).

What I have in my FW config (sorry, iptables.. but you can translate this to
your setup):

chain INPUT:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:61052:61057

chain OUTPUT:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:20:21 state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:61052:61057 state RELATED,ESTABLISHED

My vsftp.conf contains, to make this work in passive mode:

pasv_min_port=61052
pasv_max_port=61057

Hope this helps you out a bit.

Dominique
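The point of Dominique's reply is that a fixed passive port range in vsftpd only works if the firewall's INPUT chain actually accepts that same range; if the two drift apart, passive transfers fail (and if conntrack cannot read the PORT/PASV exchange, as with TLS, a static range is the only thing that works). The following script is an added example, not code from the thread or from vsftpd or SuSEfirewall2. It reads a constructed vsftpd.conf fragment and a constructed `iptables -L INPUT -n` listing in the layout pasted above, and reports any passive port that no ACCEPT rule admits. The sample values are taken from the thread; the function names are my own.

```python
"""Check that a vsftpd passive-port range is reachable through an iptables
INPUT chain (added example; not part of the original thread).

Inputs are constructed: a vsftpd.conf fragment and an `iptables -L INPUT -n`
listing in the same layout Dominique pasted.
"""
import re

# Constructed sample vsftpd.conf using the values quoted in the thread.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
# passive data connections are confined to this range
pasv_min_port=61052
pasv_max_port=61057
"""

# Constructed `iptables -L INPUT -n` output in the layout from the thread.
IPTABLES_INPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:61052:61057
"""

# Matches both the single-port form "dpt:21" and the range form "dpts:20:21".
_DPT = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")


def passive_range(conf_text):
    """Return (min, max) from pasv_min_port/pasv_max_port, or None if either is unset."""
    values = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip()
        if key in ("pasv_min_port", "pasv_max_port"):
            values[key] = int(val.strip())
    if "pasv_min_port" not in values or "pasv_max_port" not in values:
        return None
    return values["pasv_min_port"], values["pasv_max_port"]


def accepted_tcp_dport_ranges(listing):
    """Collect (lo, hi) destination-port ranges from ACCEPT tcp rules."""
    ranges = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "ACCEPT" or fields[1] != "tcp":
            continue
        m = _DPT.search(line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            ranges.append((lo, hi))
    return ranges


def uncovered_ports(pasv, ranges):
    """Ports in the passive range that no ACCEPT rule admits."""
    lo, hi = pasv
    return [p for p in range(lo, hi + 1)
            if not any(a <= p <= b for a, b in ranges)]


def check(conf_text, listing):
    """Human-readable verdict for the config/firewall pair."""
    pasv = passive_range(conf_text)
    if pasv is None:
        return "no pasv_min_port/pasv_max_port set: vsftpd may use any high port"
    missing = uncovered_ports(pasv, accepted_tcp_dport_ranges(listing))
    if missing:
        return "passive ports not accepted by INPUT: %s" % missing
    return "ok: passive range %d-%d is accepted" % pasv


if __name__ == "__main__":
    print(check(VSFTPD_CONF, IPTABLES_INPUT))
```

On a real host you would feed `check()` the contents of /etc/vsftpd.conf and the output of `iptables -L INPUT -n`; the same range comparison applies to a SuSEfirewall2 FW_SERVICES_EXT_TCP entry such as "61052:61057", since that is what ends up as the dpts rule.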