On Sunday 01 April 2001 16:42, Sven Burgener wrote:
> Hello all
>
> Are there any example ipchains commands for both active and passive FTP
> on a server and on a client?
>
> If not, where is an authoritative document that'd give me enough
> information to figure out exactly which ports are needed for both
> the client and the server for both active and passive FTP ... ?
In my experience, you'll have to stick with passive, even though this is a
pain sometimes.

The reason for this is that (IIRC) active FTP supports multiple data
channels, and the way it does this is that the /client/ tells the server
to open a /new/ connection on a port specified by the client. This poses a
serious problem in most firewall setups, especially those using NAT, since
the connection-tracking code can't cope with dynamically opening ports (and
shouldn't, either!)

Just as a side note, the /only/ reason there is IMHO to use active FTP is
because the client can't be configured otherwise. It either blows major
holes in your firewall, or opens another can of worms if you try to insert
the kernel module supporting active FTP, since it assumes that as soon as
it sees a packet matching the one that will tell the server where to
connect, the next connection should go to the client. Not pretty if 2
machines (not even talking about 10!) try to ftp to the same site!!

I hope this info helps :)

Rgds
Kenneth Schmidt
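The mechanism Kenneth describes (the client advertising a port in PORT, the server then opening a new connection to it; versus the server advertising a port in a 227 reply for passive mode) is what any firewall helper has to parse from the control channel. The following is an added worked example, not code from either post: it parses both messages, works out which side has to accept the data connection, and renders the ipchains rule that side would need. The IP addresses and the two control-channel lines are constructed, and the ipchains argument order (port after the address in -s/-d, default chain names) is written from memory and is an assumption; check it against ipchains(8) before using the output.

```python
import re

# Constructed sample control-channel lines (not a real capture); addresses are made up.
CLIENT_IP = "192.168.1.5"
SERVER_IP = "10.0.0.7"
PORT_CMD = "PORT 192,168,1,5,4,1\r\n"                           # client -> server, active mode
PASV_REPLY = "227 Entering Passive Mode (10,0,0,7,195,88)\r\n"  # server -> client, passive mode

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract the h1,h2,h3,h4,p1,p2 tuple used by PORT and 227; the port is p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line.

    Active mode (PORT): the server opens a *new* connection, from its port 20,
    to the host:port the client just advertised, so the client side must accept
    an inbound SYN on a port that is only known once the PORT line is seen.
    Passive mode (227): the client connects out to the port the server advertised.
    """
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line)
        if host != client_ip:
            # A PORT naming some third host would have the server connect there
            # instead; refuse it rather than open a hole for somebody else's address.
            raise ValueError("PORT host %s is not the control peer %s" % (host, client_ip))
        return {"mode": "active", "src": server_ip, "sport": 20,
                "dst": host, "dport": port, "inbound_to_client": True}
    if line.startswith("227 "):
        host, port = parse_hostport(line)
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": host, "dport": port, "inbound_to_client": False}
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def ipchains_rule(conn):
    """Render the one rule this data connection needs on the client's firewall.

    Assumption: ipchains takes the port after the address in -s/-d (e.g. '-s 10.0.0.7 20')
    and uses the built-in chains 'input' and 'output'; verify against ipchains(8).
    """
    if conn["inbound_to_client"]:
        # Active: the client's firewall must accept the server's SYN to the advertised port,
        # which is exactly the dynamically opened port the post warns about.
        return "ipchains -A input -p tcp -s %s %d -d %s %d -j ACCEPT" % (
            conn["src"], conn["sport"], conn["dst"], conn["dport"])
    # Passive: the client only needs to be allowed out to the server's advertised port.
    return "ipchains -A output -p tcp -s %s -d %s %d -j ACCEPT" % (
        conn["src"], conn["dst"], conn["dport"])


if __name__ == "__main__":
    for line in (PORT_CMD, PASV_REPLY):
        conn = data_connection(line, CLIENT_IP, SERVER_IP)
        print(conn["mode"], "->", ipchains_rule(conn))
```

Running it prints one rule per mode: the active-mode rule has to admit an inbound connection to a client port (1025 here) that was not known until the PORT line went by, whereas the passive-mode rule is an ordinary outbound allow. That difference is the whole reason a NAT box needs a protocol helper for active FTP and none for passive.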

