On Sat, Apr 13, 2002 at 11:01:19PM +0200, Tony Earnshaw wrote:

> > Is it possible with netfilter (iptables) to deny forwarding ftp/www
> > connections which have a different dport than 21?
>
> Yes. You can deny any access to any port you wish. Almost any protocol
> you wish, any source or any destination.
>
> > Or can I only deny ports?
>
> No.
>
> > I wonder about what conntrack can do?
>
> Conntrack keeps a status of 'state'. I.e., which machines/IP numbers are
> doing what at any given time. Protocols, states of connection, IP packet
> sequence numbers etc. It has limitations with regard to specific
> protocols and data exchange mechanisms, for which specific conntrack
> modules are necessary.
>
> > If it is possible, where can I get further info/examples?
>
> Read the docs and man pages for iptables; read all relevant RFCs; read
> the netfilter and NAT HOWTOs at Linuxdoc.org.
>
> Buy a couple of machines and experiment with them etc. etc. Couple them
> to the Internet and experiment with that.
>
> Read each and every posting to [EMAIL PROTECTED], whether you
> think at first sight it concerns your interests or not.
>
> Confine yourself solely to the group with questions and answers, unless
> you have special friends or relations.
>
> Seek to improve your English until you're better at it than your own
> mother tongue, Hungarian :-)

You must be right about my poor English :) Sorry. I think I did not
explain my problem clearly (or I am unable to find the solution in those
HOWTOs/man pages).

I wish to deny connections to any www/ftp server in my subnet (because
it is not allowed to serve files from our subnet). But the users there
put the ftp or www server on other ports, such as telnet or ssh. Since I
don't want to deny ssh to the subnet, I can't deny port 22. And I don't
want to deny every port.

Is there any solution to analyze the content of the packet and decide to
deny it if it seems to be an ftp/www session? Now we are using Network
Flight Recorder; it analyses every connection.

So, in short, the question is whether netfilter can act as a proxy
firewall?

Really sorry for my poor English and the misunderstanding/my lack of
knowledge.

Regards,
Banai
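What Banai is asking for is application-layer classification: deciding what a connection is from the first bytes of its payload rather than from the destination port. The Python below is an added example, not code from this thread, from netfilter or from Network Flight Recorder. It applies a few payload signatures to constructed sample sessions and maps the result to the policy stated in the message (no www/ftp servers reachable in the subnet on any port, ssh still allowed). The ports, hostnames and payloads are all made up for illustration; the signatures follow the public protocol specs (HTTP/1.x request and status lines, the FTP "220" greeting and command words, the SSH version banner).

```python
"""Port-independent classification of the first bytes of a TCP session,
deciding whether a forwarded connection looks like a www or ftp server.

Added example, not code from the thread, from netfilter or from NFR: this
is the kind of content check a proxy firewall or an IDS performs. Every
sample session below is constructed for illustration.
"""
import re

# Each signature is applied to the first payload bytes sent by one side.
HTTP_REQUEST_RE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n")
HTTP_RESPONSE_RE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# RFC 959 greeting: "220 <text>" (or "220-" for a multi-line banner).
FTP_BANNER_RE = re.compile(rb"^220[ -]")
FTP_COMMAND_RE = re.compile(
    rb"^(USER|PASS|SYST|FEAT|TYPE|PASV|PORT|LIST|RETR|STOR|QUIT)( |\r\n)", re.I)
SSH_BANNER_RE = re.compile(rb"^SSH-[12]\.\d+-")

# The policy from the thread: no www/ftp servers may be reachable in the
# subnet, on any port; everything else (ssh included) stays allowed.
FORBIDDEN_SERVICES = {"http", "ftp"}


def classify(client_first: bytes, server_first: bytes) -> str:
    """Return 'http', 'ftp', 'ssh' or 'unknown' for one TCP session.

    client_first/server_first are the first payload bytes each side sent;
    either may be empty if that direction was not seen.
    """
    if HTTP_REQUEST_RE.match(client_first) or HTTP_RESPONSE_RE.match(server_first):
        return "http"
    if SSH_BANNER_RE.match(server_first) or SSH_BANNER_RE.match(client_first):
        return "ssh"
    # A bare "220 " greeting is not enough: SMTP servers greet the same way
    # (RFC 5321), so an FTP command from the client is required as well.
    if FTP_BANNER_RE.match(server_first) and FTP_COMMAND_RE.match(client_first):
        return "ftp"
    return "unknown"


def verdict(client_first: bytes, server_first: bytes) -> tuple[str, str]:
    """Classify the session and map it to a DROP/ACCEPT decision."""
    proto = classify(client_first, server_first)
    return proto, ("DROP" if proto in FORBIDDEN_SERVICES else "ACCEPT")


# Constructed sessions: (destination port, first client bytes, first server bytes).
SAMPLE_SESSIONS = {
    "www on the ssh port": (
        22,
        b"GET /index.html HTTP/1.0\r\nHost: 192.168.1.10\r\n\r\n",
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    ),
    "ftp on the telnet port": (
        23,
        b"USER anonymous\r\n",
        b"220 ProFTPD Server ready.\r\n",
    ),
    "real ssh": (
        22,
        b"SSH-2.0-OpenSSH_3.1p1\r\n",
        b"SSH-2.0-OpenSSH_3.1p1\r\n",
    ),
    "smtp, greets with 220 like ftp": (
        25,
        b"EHLO client.example.net\r\n",
        b"220 mail.example.net ESMTP\r\n",
    ),
    "www, only the server direction was seen": (
        8080,
        b"",
        b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    ),
}


def evaluate_samples() -> dict[str, tuple[int, str, str]]:
    """Run every sample through verdict(); returns name -> (port, proto, action)."""
    results = {}
    for name, (dport, client_first, server_first) in SAMPLE_SESSIONS.items():
        proto, action = verdict(client_first, server_first)
        results[name] = (dport, proto, action)
    return results


if __name__ == "__main__":
    for name, (dport, proto, action) in evaluate_samples().items():
        print(f"{name:40s} dport={dport:<5d} looks like {proto:8s} -> {action}")
```

Stock iptables of that period could not make this decision in the FORWARD chain: conntrack tracks connections, not payloads, and the standard matches see only headers. A string match on the first payload bytes (available then only as a patch-o-matic extension, later mainlined as the `string` match) approximates classify() crudely; a proxy firewall or an IDS like the NFR already in use does the full job. Whatever the enforcement point, the check is easy to evade: the payload can be encrypted (https on any port) or padded, and only the first segment of each direction is inspected, so it belongs beside a port policy rather than instead of one.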
