On 2017-12-05 14:38, Paolo wrote:
> 
> FTP is always "special"  ... :-)
> 
> [...]
> 
> What am I missing?
> 
> I don't think it matters, but the natted FTP server is a CentOS 7.x
> with ProFTPd.

http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.

It is enough to open only port 21 + ( 2 additional passive ports) *
parallel connections. I.e. if you only need to support 5 concurrent
FTP connections, set "PassivePorts 60000 60010" and open/forward port
21 and 60000-60010. But keep in mind: If you get 6 or more concurrent
connections, these connections will fail without a user-friendly error
message. So either allow more connections to be sure and/or enforce
user limits in addition.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
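
A consistency check for the setup described in the reply above, added here as an example and not part of the original message or of Shorewall/ProFTPD: it compares the `PassivePorts` range with the TCP ports forwarded by Shorewall `DNAT` rules and applies the reply's rule of thumb of two passive ports per concurrent connection. The sample configs, the address, the `net`/`loc` zone names and the use of `MaxClients` as the connection limit are assumptions.

```python
import re

# Constructed sample inputs (not from the thread); the address, zone names
# and the MaxClients limit are assumptions made for this example.
PROFTPD_CONF = """\
PassivePorts 60000 60010
MaxClients 5
"""
SHOREWALL_RULES = """\
#ACTION  SOURCE  DEST             PROTO  DPORT
DNAT     net     loc:192.168.1.5  tcp    21
DNAT     net     loc:192.168.1.5  tcp    60000:60005
"""

def passive_range(conf):
    """Return the set of ports named by the PassivePorts directive."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M | re.I)
    if not m:
        raise ValueError("no PassivePorts directive found")
    return set(range(int(m.group(1)), int(m.group(2)) + 1))

def forwarded_tcp_ports(rules):
    """Collect numeric TCP destination ports from DNAT lines in a rules file."""
    ports = set()
    for line in rules.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("DNAT") or f[3].lower() != "tcp":
            continue
        for item in f[4].split(","):          # port lists: 21,990
            lo, _, hi = item.partition(":")   # port ranges: 60000:60010
            hi = hi or lo
            if lo.isdigit() and hi.isdigit():  # service names are skipped
                ports.update(range(int(lo), int(hi) + 1))
    return ports

def audit(conf, rules):
    passive, fwd = passive_range(conf), forwarded_tcp_ports(rules)
    missing = sorted(passive - fwd)
    if 21 not in fwd:
        missing.insert(0, 21)
    # Rule of thumb from the reply: two passive ports per concurrent connection.
    capacity = len(passive & fwd) // 2
    m = re.search(r"^\s*MaxClients\s+(\d+)", conf, re.M | re.I)
    limit = int(m.group(1)) if m else None
    ok = not missing and limit is not None and limit <= capacity
    return {"missing": missing, "capacity": capacity, "max_clients": limit, "ok": ok}

if __name__ == "__main__":
    print(audit(PROFTPD_CONF, SHOREWALL_RULES))
```

With the sample rules only half of the passive range is forwarded, so the audit reports the unforwarded ports and a capacity below the configured client limit.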

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users