Vince Hoang wrote:
...
To run an FTP server that supports both PASV and PORT mode, you
will have to also allow incoming connections to your ephemeral
port range.

Bad way to do it; just use the conntrack helper (and the nat module if you're forwarding the port too. I guess if you're not forwarding it you don't need the nat module, but it doesn't hurt).

...
It is probably because your client defaulted to passive mode.
Active mode should work with the current setup.


Correct. In "active" (PORT) mode, the server connects to the client for the data connection. My script allows all outbound activity, so this doesn't cause any problems. In "passive" (PASV) mode, the client connects to the server for the data connection. This is more friendly to client-side firewalls and is what one would expect (a client connecting to the server is the normal way to retrieve requested data, after all). However, it breaks server-side firewalls. Basically, if the client is firewalled, passive needs to be used, and if the server is firewalled, active needs to be used. If both are firewalled, FTP will not work (the data connection will be blocked) unless the firewall can make accommodations. IPTables can do this statefully, only allowing connects to the FTP port range that are actually the result of a PASV command issued on the control connection.

HTH,
-Vince

--MonMotha

--
Optimist: The glass is half full.                      | PGP Key: 0x1B0390E0
Pessimist: The glass is half empty.                    | Outgoing mail signed
Engineer: The glass is twice as big as it needs to be. | [EMAIL PROTECTED]


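The stateful approach discussed in the thread, as an added example (not MonMotha's script or anything posted above): the FTP conntrack helper lets PASV data connections in as RELATED traffic, so the ephemeral port range never has to be opened. It assumes the FTP server runs on the firewall host on port 21, a kernel with nf_conntrack_ftp, and a modern iptables where the helper must be assigned explicitly with the CT target; RUN defaults to echo so it only prints the commands until you set RUN= and run it as root.

```shell
#!/bin/sh
# Added example: stateful FTP firewalling with the conntrack helper.
# RUN="" applies the rules (needs root); the default just prints them.
RUN="${RUN-echo}"

# Good way: track the control connection with the ftp helper so the
# data connection negotiated by PASV shows up as RELATED.
helper_rules() {
    $RUN modprobe nf_conntrack_ftp
    # If the FTP port is being DNAT-forwarded, the nat helper is needed
    # too so the address in the PASV reply gets rewritten as well.
    $RUN modprobe nf_nat_ftp
    # Kernels since 4.7 no longer auto-attach helpers; request it explicitly.
    $RUN iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Control connection: new inbound sessions to port 21.
    $RUN iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Data connections: PASV (client->server) arrives as RELATED thanks to the
    # helper; PORT (server->client) replies come back as ESTABLISHED.
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else that is NEW, including blind hits on high ports, is dropped.
    $RUN iptables -A INPUT -m conntrack --ctstate NEW -j DROP
}

# Bad way (what the thread warns against): open the whole ephemeral range
# so PASV works, leaving every high port reachable from anywhere.
ephemeral_rules() {
    $RUN iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    $RUN iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
}

helper_rules
```

Run with `RUN= ./ftp-rules.sh` as root to apply the helper-based rules; `ephemeral_rules` is only there for comparison and is never called.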