Vince Hoang wrote:

My memory must be failing. Looking back at my homebrew iptables
script, it _does_ use ip_conntrack_ftp and RELATED flags for ftp.
(I also use ip_local_port_range to reduce the ephemeral port
range and accept ftp only from a small range of addresses.)

I do feel more comfortable about a firewall if it did not have to
protect an ftp server. A less schizophrenic protocol such as http
requires a single pair of src/dst ip/port. I can trust the state
established by that protocol more than that of ftp by several
orders of magnitude.

-Vince
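As an added example (not Vince's script), here is a dry-runnable sketch of the setup the message describes: the FTP conntrack helper marks data connections RELATED, the control port is accepted only from a placeholder trusted range (192.0.2.0/28, an assumption), and the ephemeral range is narrowed via ip_local_port_range. It assumes the modern module name nf_conntrack_ftp and the explicit `CT --helper` assignment that current kernels require instead of automatic helper attachment.

```shell
#!/bin/sh
# Constructed example: iptables rules for an FTP server relying on the kernel
# FTP conntrack helper (ip_conntrack_ftp on old kernels, nf_conntrack_ftp now).
# IPT/SYSCTL default to the real tools; set them to "echo" for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
ALLOWED_SRC="${ALLOWED_SRC:-192.0.2.0/28}"   # placeholder "small range of addresses"

ftp_rules() {
    # Modern kernels do not attach helpers automatically: hand the control
    # channel to the ftp helper in the raw table so PORT/PASV data connections
    # get a conntrack expectation and show up as RELATED.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Default-deny inbound.
    $IPT -P INPUT DROP
    # Constrain RELATED data connections to the trusted range as well, rather
    # than relying solely on what the helper parsed out of the control stream.
    $IPT -A INPUT -p tcp -m conntrack --ctstate RELATED ! -s "$ALLOWED_SRC" -j DROP
    # Replies and helper-derived data connections.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New control connections only from the trusted range; anything else on
    # port 21 falls through to the DROP policy.
    $IPT -A INPUT -p tcp --dport 21 -s "$ALLOWED_SRC" -m conntrack --ctstate NEW -j ACCEPT
}

ephemeral_range() {
    # Narrow the ephemeral (source) port range used by outgoing connections,
    # the ip_local_port_range tweak mentioned in the message.
    $SYSCTL -w net.ipv4.ip_local_port_range="49152 65535"
}
```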

Perhaps things would be better if everyone used stateless and lower overhead file transfer protocols like rsync. It doesn't have ugly port usage like FTP protocol and it saves bandwidth too.

Warren
