Hello,

On Wednesday, 5 November 2008, Ludwig Nussel wrote:
Christian Boltz wrote:
However, I wonder about two things:
- shouldn't the nf_conntrack_ftp module handle this and open the needed highport automatically?
- why does FTP work on a 10.2 server without opening a port range? (I use ip_conntrack_ftp there)
Didn't you read the release notes? :-)
Usually I do, but I must have missed this part. Or I forgot about it in the meantime - 11.0 is quite old, at least for people who do their daily work on an 11.1 beta4 ;-)
See FW_SERVICES_ACCEPT_RELATED_EXT. In previous releases RELATED packets were accepted unconditionally.
Ah, that's it. Thanks for the pointer!

I think I have found a working configuration now, at least it worked on a first test:

/etc/vsftpd.conf:
pasv_min_port=20000
pasv_max_port=21000

/etc/sysconfig/SuSEfirewall2:
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"

Regards,

Christian Boltz
--
dd couldn't care less what FS is on the disk, it copies the disk lock, stock and barrel. [Ruediger Meier in suse-linux]
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
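As an added example (not part of the thread or of SuSEfirewall2 itself), a small POSIX shell check that the vsftpd passive range is actually enclosed by a tcp entry in FW_SERVICES_ACCEPT_RELATED_EXT, so the two settings above cannot drift apart silently. It assumes the entry format net,proto[,dport][,sport] with whitespace-separated entries, and treats a port range in either port field as covering; the sample inputs are constructed to mirror the values from the thread.

```shell
#!/bin/sh
# Constructed sample inputs (not copied from a real host).
VSFTPD_SAMPLE='listen=YES
pasv_min_port=20000
pasv_max_port=21000'
FW_SAMPLE='0/0,tcp,,20000:21000'

# conf_value CONTENT KEY: value of the last "KEY=value" line in CONTENT.
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# pasv_covered VSFTPD_CONTENT FW_RELATED_EXT
# 0: some tcp entry carries a port or lo:hi range enclosing the passive range
# 1: no entry covers it    2: passive range not configured in vsftpd.conf
pasv_covered() {
  pv_lo=$(conf_value "$1" pasv_min_port)
  pv_hi=$(conf_value "$1" pasv_max_port)
  [ -n "$pv_lo" ] && [ -n "$pv_hi" ] || return 2
  for entry in $2; do
    [ "$(printf '%s' "$entry" | cut -d, -f2)" = tcp ] || continue
    # fields 3 and 4 are dport and sport; empty fields drop out of the split
    for field in $(printf '%s' "$entry" | cut -d, -f3,4 | tr , ' '); do
      case $field in
        *:*) f_lo=${field%%:*}; f_hi=${field##*:} ;;
        *)   f_lo=$field; f_hi=$field ;;
      esac
      case "$f_lo$f_hi" in *[!0-9]*) continue ;; esac   # skip service names
      [ "$f_lo" -le "$pv_lo" ] && [ "$f_hi" -ge "$pv_hi" ] && return 0
    done
  done
  return 1
}

if pasv_covered "$VSFTPD_SAMPLE" "$FW_SAMPLE"; then
  echo "vsftpd passive range is covered by FW_SERVICES_ACCEPT_RELATED_EXT"
else
  echo "vsftpd passive range is NOT covered (rc=$?)"
fi
```

Run it against the real files with `pasv_covered "$(cat /etc/vsftpd.conf)" "$(. /etc/sysconfig/SuSEfirewall2; echo "$FW_SERVICES_ACCEPT_RELATED_EXT")"` to check a live host.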