On 12/09/2004 Mike Mestnik wrote:
> > i still didn't get the point. you claim that the module doesn't
> > understand the -ports option?
> > or do you mean that ip_conntrack_ftp has problems with handling more
> > than one IP address, as i have 2?
>
> Ohh wait, I could be wrong here. I guess it's only for NATing that you
> need to care about direction??? The problem as I see it is that the PORT
> cmd is only expected to come from the client end. It ONLY does. However
> when you're mangling you care whether it's inbound (DNAT) or outbound (SNAT).
> Would for an open port you care for the same reasons?

i don't use NAT in any way, as far as i know. so the only goal i want to achieve is to open the ports for my ftp servers on ports 210, 215, 220, ... for _all_ traffic that could be produced by valid connections.

> Yes, I think you need to have code for each case. You need to have code
> for firewalling a client and then some other code for the server. AFAICT
> only clients are handled in the current code, not servers.

sorry, but why do i need to firewall a client? i'm talking about my ftp server, and this one has a firewall installed. i don't get the point.

> > sorry for confusion, in firehol services have some configuration, and
> > thus you can only open/close configured services. simply using
> > portranges doesn't work.
>
> Looks like a wishlist bug to me. I'd "dpkg --purge" it if I wasn't
> able to open ports with it.

as firehol is very smart and the non-common ftp ports are the only exception, i'm quite happy with it.

bye
jonas
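What the thread is circling around is that the conntrack FTP helper only watches control connections on the ports it was told about when the module was loaded, so a server on 210, 215 and 220 needs the helper loaded with those ports and a RELATED rule to admit the data connections. The following script is an added illustration, not code from the thread, firehol or the netfilter project. It assumes the 2.4/2.6-era module name `ip_conntrack_ftp` with its `ports=` parameter as mentioned in the discussion, plain filtering with no NAT, and the `-m state` match; the function and variable names are the example's own. It prints the commands instead of running them unless `RUN` is set to an empty string.

```shell
#!/bin/sh
# Added example (not from the thread): load ip_conntrack_ftp for the
# non-standard FTP ports and emit the matching server-side filter rules.
# Dry run by default: RUN=echo prints commands; RUN= executes them.
RUN=${RUN:-echo}

# Join the requested ports into the comma list the module parameter
# expects. Port 21 is always included so standard FTP keeps working.
ftp_ports_param() {
    list=21
    for p in "$@"; do
        list="$list,$p"
    done
    printf '%s' "$list"
}

# Module load command; the helper only tracks control channels on these
# ports, and "ports=" is read once at load time (assumption: 2.4/2.6 name).
ftp_conntrack_modprobe_cmd() {
    printf 'modprobe ip_conntrack_ftp ports=%s' "$(ftp_ports_param "$@")"
}

# Server-side rules: accept new control connections on each listed port,
# then let conntrack admit the data connections it marked RELATED
# (covers both active and passive mode). No NAT rules are needed.
ftp_server_rules() {
    for p in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
}

# Sanity check: given the port list the module was actually loaded with
# (e.g. the contents of /sys/module/ip_conntrack_ftp/parameters/ports on
# kernels that expose it), return the requested ports that are missing.
# A non-empty result means the helper must be reloaded with the new list.
ftp_ports_missing_from_loaded() {
    loaded=$1
    shift
    missing=""
    for p in "$@"; do
        case ",$loaded," in
            *",$p,"*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Apply everything for the given ports (printed or executed per $RUN).
apply_ftp_firewall() {
    $RUN $(ftp_conntrack_modprobe_cmd "$@")
    ftp_server_rules "$@" | while IFS= read -r rule; do
        $RUN $rule
    done
}

# Ports from the thread; constructed usage for the dry run.
apply_ftp_firewall 210 215 220
```

With `RUN=echo` the output is the modprobe line followed by five iptables rules, which is what a firehol-style custom section for these servers needs to end up doing; `ftp_ports_missing_from_loaded` catches the common mistake of adding a port to the rules while the helper is still loaded with the old list.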

