Jacco wrote:
On Fri, 13 May 2005 15:45:11 +1200, Llanzlan Klazmon wrote:
It provides for connection tracking to monitor an ftp control port to
pick up any ftp commands that will cause an associated data port to be
opened. The SYN packet for the ftp data will then be matched by the
"RELATED" test. Note that ip_conntrack_ftp understands both passive and
active ftp data transfers. It's not specifically to do with a browser, it
is just the bizarro way the ftp protocol works. Any ftp client would
encounter the same issue and all firewalls have to be able to cope with
this nuisance.
Is conntrack_ftp and nat_ftp port specific or protocol specific? I tried
to contact an ftp server running on a non-standard port from one Linux
box through a NATed Linux box to the internet. It failed to do the
transfers. It works when I do ftp transfers on the normal port.
For this you need to load ip_conntrack_ftp or ip_nat_ftp module
(only works if ip_conntrack_ftp is compiled as a module) with:
ip_conntrack_ftp ports=21,xxx,yyy,....
or
ip_nat_ftp ports=21,xxx,yyy,....
Klazmon
--
Weill Philippe - Administrateur Systeme et Reseaux
CNRS Service Aeronomie - Universite Pierre et Marie Curie -
Tour 45/46 3e Etage B302 - 4 Place Jussieu - 75252 Paris Cedex 05 - FRANCE
Email:philippe.weill@xxxxxxxxxxxxxxx | tel:+33 0144274759 Fax:+33 0144273776
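The reply above gives the module parameter syntax but not how an administrator would check a port list before handing it to the kernel, or how to see which ports a loaded helper is actually watching. The following is an added example (not code from the thread or from the netfilter project). It assumes the helper accepts at most 8 entries in `ports=` (my reading of the kernel's MAX_PORTS; treat it as an assumption), and that a loaded module exposes its parameters under /sys/module/<name>/parameters/ on kernels that support that. Every extra port you list is another TCP stream the helper will parse for PORT/PASV commands, so the list should contain only ports where an FTP server really runs.

```shell
#!/bin/sh
# Added example: validate the "ports=" argument for the FTP conntrack/NAT
# helper, print the commands that would load it, and report the ports a
# loaded helper is tracking. Nothing here touches the kernel unless you
# run the printed modprobe command yourself.

MAX_HELPER_PORTS=8   # assumption: MAX_PORTS in the helper source

# ftp_ports_arg LIST  -> prints "ports=LIST" if every entry is a valid
# TCP port (1-65535), the list is non-empty and has at most 8 entries.
# Returns 1 otherwise, so a typo never reaches modprobe.
ftp_ports_arg() {
    list=$1
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $list          # split on commas only
    IFS=$old_ifs
    [ "$#" -le "$MAX_HELPER_PORTS" ] || return 1
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty field or non-numeric entry
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf 'ports=%s\n' "$list"
}

# ftp_helper_commands LIST -> prints the modprobe line and the matching
# modprobe.conf "options" line for both helpers named in the thread.
ftp_helper_commands() {
    arg=$(ftp_ports_arg "$1") || { echo "invalid port list: $1" >&2; return 1; }
    printf 'modprobe ip_conntrack_ftp %s\n' "$arg"
    printf 'modprobe ip_nat_ftp %s\n' "$arg"
    printf '# persistent form for /etc/modprobe.conf:\n'
    printf 'options ip_conntrack_ftp %s\n' "$arg"
}

# ftp_helper_loaded_ports MODULE -> prints the ports a loaded helper is
# watching (from sysfs), or says it is not loaded. Returns 1 when absent.
ftp_helper_loaded_ports() {
    f=/sys/module/$1/parameters/ports
    if [ -r "$f" ]; then
        printf '%s tracks ports: %s\n' "$1" "$(cat "$f")"
    else
        printf '%s: not loaded or parameters not exported\n' "$1"
        return 1
    fi
}

# Demo with a constructed list: port 21 plus a non-standard server port.
ftp_helper_commands 21,2121
ftp_helper_loaded_ports ip_conntrack_ftp || true
ftp_helper_loaded_ports nf_conntrack_ftp || true   # name used by newer kernels
```

On a 2.6-era box the sysfs check is the quickest way to confirm that the helper really was loaded with the non-standard port; if it reports only 21, the transfer through the NAT box will fail exactly as described in the question.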