On Tue, 2004-08-17 at 08:06, John L Fjellstad wrote:
> Eric Gaumer <[EMAIL PROTECTED]> writes:
>
> > Then you have a bunch of high end ports open. Connection tracking
> > doesn't work with active FTP because it is a server initiated
> > connection.
>
> Check out the iptables documentation page.
> "RELATED
>
> A packet which is related to, but not part of, an existing
> connection, such as an ICMP error, or (with the FTP module
> inserted), a packet establishing an ftp data connection."
>
> This is in connection with the state option for iptables. Active ftp
> works with connection tracking, and I've tried it.
>
> > That's one of the main reasons passive exists. If the server
> > picks a port at random, then there is no way the client can anticipate
> > what port to open.
>
> passive exists because of some firewall (like the older ipchains) didn't
> have connection tracking.
>
Never mind, I'm an idiot... I never knew the ip_nat_ftp module existed. Once I inserted this, things started working with active FTP. Man, you can't believe how much time I spent fooling around with this. I just assumed active didn't work on a NAT'ed gateway. Thanks for the enlightenment.
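As an added example, not code from the thread: a POSIX shell sketch of what the ip_conntrack_ftp helper reads out of an active-mode PORT command (the reason the server-initiated data connection can match --state RELATED), why a NAT gateway additionally needs ip_nat_ftp to rewrite the private address in that command, and the gateway rules that rely on both. Interface names, the LAN subnet and the sample PORT line are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, the LAN
# subnet and the sample PORT line below are assumed placeholders.

# Decode an active-mode "PORT h1,h2,h3,h4,p1,p2" command into
# "h1.h2.h3.h4 <port>" (port = p1*256 + p2). This is the address the
# server will connect back to; the ip_conntrack_ftp helper reads it from
# the control channel and registers an expectation, which is what lets
# the server-initiated data connection match "--state RELATED".
parse_port_cmd() {
  set -- $(printf '%s' "$1" | tr ',' ' ')
  [ "$1" = "PORT" ] && [ $# -eq 7 ] || return 1
  echo "$2.$3.$4.$5 $(( $6 * 256 + $7 ))"
}

# On a NAT gateway the client advertises its private address, which the
# server cannot reach. Return 0 when ip_nat_ftp must rewrite the PORT
# payload (address is inside the LAN) and 1 when it can pass unchanged.
# The LAN prefix is an assumed placeholder.
needs_nat_rewrite() {
  case "$1" in
    192.168.1.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Gateway rule set using the 2.4-era module names from the thread.
# Printed rather than executed so it can be reviewed before running
# as root; the ESTABLISHED,RELATED rule is what admits the FTP data
# connection once the helper has set up the expectation.
ftp_gateway_rules() {
  wan=eth0; lan=eth1; lan_net=192.168.1.0/24
  cat <<EOF
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Constructed sample: a LAN client announcing 192.168.1.10 port 1025.
parse_port_cmd 'PORT 192,168,1,10,4,1'
```

Without the ip_nat_ftp rewrite the server would see a PORT payload naming 192.168.1.10 and try to open its data connection to that private address, which is the failure the thread describes.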