In the ipchains howto I read: Passive FTP handled by masq. module.
with the following rules:

    ipchains -A good-bad -p tcp --dport www -j MASQ
    ipchains -A good-bad -p tcp --dport ssh -j MASQ
    ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
    ipchains -A good-bad -p tcp --dport ftp -j MASQ
    ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
    ipchains -A good-bad -j REJECT -l

Frankly I cannot see how passive FTP is supposed to work. Yes, the masq. module does take care of the masquerading stuff, but does it also create a rule for the port? Well, that would be new to me. The way I interpret these rules, I can connect to ports 80, 22, 21 and these traceroute ports. And that's it. With passive FTP I also have to connect to a port above 1024. But these rules won't forward that port, do they?

I would love to see a way to block all user ports except selected ones.

Michael
--
Michael Meskes                      | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651              | Use Debian GNU/Linux!
Email: [email protected]            | Use PostgreSQL!
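An added illustration, not part of Michael's post, of why the static rule set above cannot cover passive FTP on its own: the client's data connection goes to whatever port the server announces in its 227 reply, so a helper has to read that reply on the control channel and track the port dynamically. The rule table and the 227 line are constructed from the post and RFC 959; the modelling of the helper as "one dynamic entry per parsed 227 reply" is an assumption, not the module's actual code.

```python
import re

# Static MASQ rules from the post as (protocol, low_port, high_port);
# anything else on the good-bad chain falls through to the final REJECT.
STATIC_MASQ_RULES = [
    ("tcp", 80, 80),        # www
    ("tcp", 22, 22),        # ssh
    ("udp", 33434, 33500),  # traceroute probes
    ("tcp", 21, 21),        # ftp control channel
]

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def static_rules_allow(proto, dport):
    """True if a new outbound connection to proto/dport matches a MASQ rule."""
    return any(p == proto and lo <= dport <= hi
               for p, lo, hi in STATIC_MASQ_RULES)


def parse_pasv_reply(line):
    """Return (host, port) announced in a 227 reply, or None if it is not one.

    The data port is p1*256 + p2; this is the value a masquerading FTP
    helper has to learn from the control channel.
    """
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection_verdict(pasv_line):
    """Decide whether the passive data connection needs a dynamic entry.

    Returns None for a non-227 line. Otherwise reports the data port, whether
    the static rules alone would masquerade it, and whether a helper-created
    entry (assumed model of the masq FTP module) is required to let it pass.
    """
    parsed = parse_pasv_reply(pasv_line)
    if parsed is None:
        return None
    _, port = parsed
    allowed = static_rules_allow("tcp", port)
    return {"data_port": port, "static_masq": allowed,
            "helper_entry_required": not allowed}
```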

