Hello all! This is my first posting to the list, so please tell me if I did anything wrong. ;-)

A while ago a friend of mine put up an FTP server behind a non-Linux firewall under W2K. Not that I appreciate that, but he is not into Linux and does what he likes anyway. The problem was (and he always used to tease me with it) that none of his Linux friends sitting behind a Linux router (using NAT) could reach his FTP box further than logging in, while anyone else could use it completely. After installing kernel 2.4.18 and iptables 1.2.7-20020503 I was the only Linux guy known to him who could reach his FTP box. Then he put the FTP service on a different port and I couldn't FTP to his box anymore, but non-Linux guys still could.

The solution I now found here:

    modprobe ip_conntrack_ftp ports=21,xxxx
    modprobe ip_nat_ftp ports=21,xxxx

is good for a start, but not really satisfying, because you explicitly have to enter all ports that any user behind the firewall (in my case only my wife and me, but we're not the only Linux users on this planet ;-) ) may FTP to. This is in contrast to my wish to create a flexible, powerful router/firewall with the least possible administration effort.

To me it seems that the simplest and most brutal way to do it would be as follows:

    #define MAX_PORTS 0xffff
    ...
    for (int i=0; i<0xffff; i++) ports[i]=i;

(Alternatively I could find the place where ports[0..x] is being checked against a port and kick that out...) But somehow I have the feeling that this would make my box *really* slow, and that this is not what the creators of netfilter thought of...

Have you got any suggestions?

Thanks in advance,
Philipp Klostermann
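As an added illustration of what the `ip_conntrack_ftp` / `ip_nat_ftp` helpers actually do on the control channel (example code written for this page, not the poster's code and not netfilter source): FTP carries the data-connection endpoint in-band, in the `PORT` command (active mode) and the `227` reply (passive mode), encoded as `h1,h2,h3,h4,p1,p2` with port `p1*256 + p2`. The conntrack helper only parses that payload on control connections whose server port is in its `ports=` list, which is why a server moved to an unlisted port logs in fine but every data transfer fails; the NAT helper must additionally rewrite the private address a client behind NAT puts into `PORT`. The sample control-channel lines, the public address `203.0.113.7` and the mapped port are constructed for the example.

```python
"""FTP control-channel endpoint parsing, modelling the job of the netfilter FTP
helpers (added example; not the poster's code and not kernel source)."""
import re

# FTP encodes an IPv4 endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample control-channel lines (not captured from the poster's setup).
CLIENT_PORT = "PORT 192,168,1,10,4,1\r\n"                         # 192.168.1.10:1025
SERVER_PASV = "227 Entering Passive Mode (10,0,0,5,195,80)\r\n"  # 10.0.0.5:50000


def decode_endpoint(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 string, or None if malformed."""
    m = _ENDPOINT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def encode_endpoint(ip, port):
    """Inverse of decode_endpoint: '192.168.1.10', 1025 -> '192,168,1,10,4,1'."""
    return "{},{},{}".format(ip.replace(".", ","), port // 256, port % 256)


def parse_port_command(line):
    """Active mode: the client announces where the server must connect for data."""
    if not line.upper().startswith("PORT "):
        return None
    return decode_endpoint(line[5:])


def parse_pasv_reply(line):
    """Passive mode: the server announces where the client must connect for data."""
    if not line.startswith("227"):
        return None
    return decode_endpoint(line)


def nat_rewrite_port(line, public_ip, mapped_port):
    """What the NAT helper must do to a PORT command sent from behind NAT:
    replace the client's private endpoint with the router's public address and
    the port the router will map back to the client, otherwise the server
    would try to connect to an unroutable RFC 1918 address."""
    if parse_port_command(line) is None:
        return None
    return "PORT " + encode_endpoint(public_ip, mapped_port) + "\r\n"


def expected_data_connection(control_dst_port, helper_ports, server_line):
    """Return the (ip, port) the conntrack helper would register as an expected
    (RELATED) passive-mode data connection, or None when the control connection
    is on a server port the helper was not told to watch via ports=.  The
    latter is the poster's situation once the server moved off port 21."""
    if control_dst_port not in helper_ports:
        return None
    return parse_pasv_reply(server_line)


if __name__ == "__main__":
    print("active-mode client endpoint:", parse_port_command(CLIENT_PORT))
    print("rewritten by NAT helper:    ", nat_rewrite_port(CLIENT_PORT, "203.0.113.7", 40000).strip())
    print("helper on 21, server on 21: ", expected_data_connection(21, {21}, SERVER_PASV))
    print("helper on 21, server on 2121:", expected_data_connection(2121, {21}, SERVER_PASV))
```

Running it shows the asymmetry the post describes: login works on any port because the control connection is ordinary TCP, but the data connection is only expected (and, behind NAT, only rewritten) when the control port is one the helper was loaded with.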
