On 13/09/2004 Mike Mestnik wrote:
> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
> --state NEW" should work fine.

Quoting you, this is what I need to do for every FTP source port for active FTP.

> This will require you to accept any connection to the
> ip_local_port_range (/proc/sys/net/ipv4/ip_local_port_range 32768 to 61000)
> with "INPUT -p tcp --dport 32768:61000 -m state --state NEW". You can
> write to as well as read this file, if you only wish to open, let's say,
> 32768 32800.

Quoting you, this is what I need to do for passive FTP.

What I don't understand is: why do the ports for passive FTP only need to be opened for input data, and the active FTP ports only for output data? The source port is only for sending code, so this one can deny incoming connections, but isn't that the same for passive FTP ports?

Also, aren't the ports for passive FTP different with different FTP servers? Do I have to check proftpd for its individual passive FTP ports, or are the ones in /proc/sys/net/ipv4/ip_local_port_range always common?

bye
jonas
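The following is an added example, not code from either poster or from the netfilter project. It walks a constructed FTP control-channel exchange (one PORT command, one PASV reply) and, for each data connection, works out which side sends the SYN as seen from the server's firewall and which of the two rules quoted above admits it: in active mode the server itself opens the data connection from its data port, so only an OUTPUT rule for that source port is needed; in passive mode the client opens the connection to a port the server chose from its local port range, so an INPUT rule for that range is needed. Assumptions: the control port is 21 and therefore the active-mode data source port is 20 (RFC 959, the "L-1" in the quote), the passive port comes from the kernel's ip_local_port_range, and both the /proc contents and the control-channel lines are constructed inline. The range check on the 227 reply is where a daemon that pins its own passive range (proftpd's PassivePorts directive) would show up as a port outside the kernel range.

```python
"""Direction of FTP data connections, derived from the control channel.

Added example, not part of the original thread. Assumptions: control port
21, so the server's active-mode data source port is 20 (RFC 959); passive
ports are drawn from /proc/sys/net/ipv4/ip_local_port_range. The /proc
contents and the control-channel lines below are constructed for the demo.
"""
import re

FTP_DATA_PORT = 20  # assumption: control port 21, data port 21-1 (RFC 959)

# Constructed stand-in for the contents of /proc/sys/net/ipv4/ip_local_port_range
PROC_PORT_RANGE = "32768\t61000\n"

# Constructed control-channel exchange: "C" lines are the client, "S" the server.
CONTROL_LOG = [
    ("C", "PORT 192,0,2,10,195,80"),            # active: client listens on 50000
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,156,140)"),  # server listens on 40076
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_range(text):
    """Parse the two-number ip_local_port_range format into (low, high)."""
    lo, hi = (int(x) for x in text.split())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad ip_local_port_range: %r" % text)
    return lo, hi


def parse_hostport(spec):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    m = HOSTPORT.search(spec)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 in %r" % spec)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % spec)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connections(control_log, passive_range):
    """For every data connection the exchange sets up, report who sends the
    SYN (from the server's point of view) and the netfilter rule that admits
    that NEW connection. Replies in the other direction ride on the usual
    ESTABLISHED,RELATED rule and need nothing extra."""
    lo, hi = passive_range
    found = []
    for who, line in control_log:
        if who == "C" and line.upper().startswith("PORT "):
            ip, port = parse_hostport(line)
            # Active mode: the server connects out, from its data port, to the
            # address the client announced. The firewall sees an outgoing SYN.
            found.append({
                "mode": "active", "new_syn_from": "server", "peer": (ip, port),
                "rule": "iptables -A OUTPUT -p tcp --sport %d -m state --state NEW -j ACCEPT"
                        % FTP_DATA_PORT,
            })
        elif who == "S" and line.startswith("227 "):
            ip, port = parse_hostport(line)
            # Passive mode: the server listens on a port from its local range
            # and the client connects in. The firewall sees an incoming SYN.
            if not lo <= port <= hi:
                raise ValueError("passive port %d outside %d:%d; the daemon must be "
                                 "choosing its own range" % (port, lo, hi))
            found.append({
                "mode": "passive", "new_syn_from": "client", "peer": (ip, port),
                "rule": "iptables -A INPUT -p tcp --dport %d:%d -m state --state NEW -j ACCEPT"
                        % (lo, hi),
            })
    return found


if __name__ == "__main__":
    rng = parse_port_range(PROC_PORT_RANGE)
    for c in data_connections(CONTROL_LOG, rng):
        print("%-7s SYN from %-6s to %s:%d  ->  %s"
              % (c["mode"], c["new_syn_from"], c["peer"][0], c["peer"][1], c["rule"]))
```

Narrowing the range by writing to ip_local_port_range, as the quoted reply suggests, only works if the daemon really draws its passive port from the kernel's ephemeral range; a daemon configured with its own passive range makes the 227 check above fail, and the INPUT rule then has to cover that configured range instead.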

