Hi Filip! Thank you for the quick answer!

> My guess is that there is something happening with active/passive
> ftp. I guess your Linux friends' ftp clients are trying active/normal
> ftp, and the Windows friends are using passive ftp.

We (and he with his other friends) had already tried active/passive FTP before I upgraded to a later kernel/iptables version in May, which actually solved the problem for port 21. I thought I wouldn't have to mention that, because trying both active and passive is as basic as checking the power when the computer doesn't switch on....

I had no problems with other FTP servers, only that w2k-box behind the internet in combination with a linux/iptables-router and any windows/linux based FTP client on my side of the internet. I'd almost thought that maybe Mr. Gates had built some special 'features' into his FTP-stuff to make it a bit harder for linux.... ;-)

> A network strace should reveal more. Oh, and make sure those Linux
> guys have both ip_conntrack_ftp and ip_nat_ftp loaded/compiled in !

I will post the strace results the next time I have a chance to produce them. (My friend is seldom at home and I will have to ask him to start his FTP server, which is currently not running.) I'll pass the tip to load the required modules to the other 'linux-firewallers', though I think they had done this, anyway.

In my opinion the most important thing to do is to replace the original SuSE kernel with 2.4.18 and to install iptables >= 1.2.7-20020503 to make FTP clients able to access this w2k FTP server at all, even through port 21.

Maybe it would be of use for some admins/users if the ports on which to check for FTP connection tracking could be configured dynamically (for example via iptables) instead of passing this as parameters to the module? What happens to existing connections if I reload the module with different parameters?

(I just had this idea to maintain a list of ports collected from something like /home/user/.remote-ftp-ports, and to reload the module with corresponding parameters every time this list changes...)

Regards,
Philipp
