On 16/09/2004 Daniel Pittman wrote:

>>> This is the old way of doing things, "OUTPUT -p tcp --sport <L-1> -m state
>>> --state NEW" should work fine.
>>
>> does this show the port as open in portscans?
>
> No, since it is an output rule. Port scanning only concerns INPUT and
> FORWARD rules, since it requires a packet coming in.

yea, i got that. thanks for the information.

>> so but if firehol takes care of the default ftp port, it should
>> consider this, and though already open these ports for passive ftp,
>> shouldn't it? daniel, can you tell us?
>
> Firehol does read the ip_local_port_range sysctl and use that for rules
> on the INPUT/OUTPUT chains. It allows almost anything for rules on the
> FORWARD chain since it cannot assume anything about the machines it is
> acting as an IP forwarder for.
>
>>>> what i'm wondering about: does firehol do this for port 20 with its
>>>> complex ftp service?
>
> You can see what it sets up in the file /etc/firehol/firehol, line 878.
>
> A quick check says that it does take into account both active and
> passive FTP, and does use the default local port range.

that's cool, so i only need to open the source ports for active ftp, L-1,
209, 214, 219, 224, 229, in my case, not the ports for passive ftp.

bye
jonas
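The rule shape discussed in the thread, worked through as an added example (this is not code from the thread, from Daniel, or from FireHOL): for a host running FTP daemons on several control ports, it emits the OUTPUT rules for the active-mode data source port (control port minus one, the "L-1" of the thread) and, for contrast, the INPUT rule that passive mode would need across the kernel's ip_local_port_range. The control ports 21 and 210 and the port-range sample are constructed values; the script prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread or from FireHOL. Builds iptables rules
# for active-mode FTP data connections using the "data port = control port
# minus 1" convention, and the passive-mode counterpart for comparison.

# Constructed stand-in for /proc/sys/net/ipv4/ip_local_port_range
SAMPLE_LOCAL_PORT_RANGE="32768	61000"

# local_port_range: print "LOW HIGH". Reads the kernel sysctl file when it
# is present, otherwise falls back to the constructed sample so the script
# also runs on a non-Linux box.
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        printf '%s\n' "$SAMPLE_LOCAL_PORT_RANGE" | tr '\t' ' '
    fi
}

# data_port CTRL: active-mode data source port for control port CTRL (L-1),
# i.e. 20 for the standard control port 21.
data_port() {
    echo $(( $1 - 1 ))
}

# active_ftp_output_rules CTRL...: one OUTPUT rule per control port. In
# active mode the server itself opens the data connection, so the new
# connection is seen on OUTPUT; an inbound port scan never exercises this
# rule, which is the point Daniel makes in the thread.
active_ftp_output_rules() {
    for ctrl in "$@"; do
        printf 'iptables -A OUTPUT -p tcp --sport %s -m state --state NEW -j ACCEPT\n' \
            "$(data_port "$ctrl")"
    done
}

# passive_ftp_input_rule LOW HIGH: passive mode is the other way round, the
# client connects inbound to a port the server picked from its ephemeral
# range, so this is an INPUT rule and it is what a scan does exercise.
# With the kernel's FTP connection-tracking helper loaded, a single
# "--state RELATED" accept replaces this blanket range.
passive_ftp_input_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$1" "$2"
}

# Stand-alone run: constructed control ports 21 and 210, then the range.
set -- $(local_port_range)
active_ftp_output_rules 21 210
passive_ftp_input_rule "$1" "$2"
```

Run it as an ordinary user to review the generated commands; only the printed lines, not the script, need root to apply. The OUTPUT rules are per data port, so adding an FTP daemon on a new control port means adding one more argument, while the passive rule stays a single range read from the kernel.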

