Patrick Nelson wrote: ----------------->>>> Here is the log of the input drop on wget ftp://ftp.rs.internic.net/domain/named.root:
May 24 12:52:35 ns kernel: IN=eth1 OUT= MAC=<mac address> SRC=198.41.0.6 DST=<external nic ip> LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26231 DF PROTO=TCP SPT=20 DPT=1477 WINDOW=32120 RES=0x00 SYN URGP=0

Now what's weird is I tried to go to passive ftp with the command wget --passive-ftp ftp://ftp.rs.internic.net/domain/named.root and it gets almost half the file downloaded and then I get a log entry:

May 24 12:57:25 ns kernel: IN=eth1 OUT= MAC=<mac address> DST=<external nic ip> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=7106 DF PROTO=TCP SPT=4054 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0

Does this show me anything that I should do? I'm feeling like I don't understand state very well because I look at the rules above and it seems that they should allow this to go through. What am I missing?

----------------->>>> Was looking through the script and found that ip_conntrack_ftp was there, but when I modprobed for it, well, it wasn't there. So I copied it over from the fw mirror and tried it again and the non-passive mode did work like a charm. Working on the passive mode now...
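The two dropped packets quoted above, worked through as an added example (this is editor-supplied code, not from the original thread or from anyone on it). The first entry is the FTP server (198.41.0.6) opening an active-mode data connection from TCP port 20 to the client's port 1477; without ip_conntrack_ftp loaded, conntrack never sees the PORT command on the control channel and cannot mark that SYN as RELATED, so a rule set that accepts only NEW outbound plus ESTABLISHED,RELATED inbound drops it, which is consistent with the fix reported at the end of the post. The second entry is an inbound SYN to TCP/1433 (the Microsoft SQL Server port) from a different source port and TTL; it is not part of the FTP session at all. The POSIX shell script below parses netfilter LOG lines into fields, classifies a dropped SYN along those lines, and checks a module list for the FTP helper. The log lines, MAC, DST, the SRC on the second line (which the post omits) and the /proc/modules text are all constructed; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original thread): classify netfilter LOG drops
# and check whether the FTP conntrack helper is loaded.

# Constructed log lines modelled on the two entries in the post. MAC, DST and
# the SRC on the second line (absent in the post) are made up.
LOG_ACTIVE_FTP='May 24 12:52:35 ns kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.41.0.6 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26231 DF PROTO=TCP SPT=20 DPT=1477 WINDOW=32120 RES=0x00 SYN URGP=0'
LOG_PORT_1433='May 24 12:57:25 ns kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=7106 DF PROTO=TCP SPT=4054 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0'

# Constructed /proc/modules contents (name size refcount deps ...).
MODULES_WITH_HELPER='ip_conntrack_ftp 4400 0 (unused)
ip_conntrack 20000 1 [ip_conntrack_ftp]
iptable_filter 2000 1'
MODULES_WITHOUT_HELPER='ip_conntrack 20000 1
iptable_filter 2000 1'

# nf_field LINE KEY: print VALUE of the first KEY=VALUE token, empty if absent.
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# nf_has_flag LINE FLAG: true if a bare token such as SYN, ACK or DF is present.
nf_has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# classify_drop LINE: explain why a state-based rule set dropped this packet.
#   ftp-active-data      server-initiated data connection from TCP/20; it is
#                        only RELATED when the FTP helper parsed the PORT command
#   unsolicited-inbound  a NEW inbound SYN that belongs to no tracked session
#   other                not a TCP SYN, so not a connection attempt at all
classify_drop() {
    proto=$(nf_field "$1" PROTO)
    spt=$(nf_field "$1" SPT)
    if [ "$proto" != TCP ] || ! nf_has_flag "$1" SYN; then
        echo other
        return
    fi
    if [ "$spt" = 20 ]; then
        echo ftp-active-data
        return
    fi
    echo unsolicited-inbound
}

# ftp_helper_loaded MODULES_TEXT: true if the FTP helper appears in the module
# list (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on 2.6 and later).
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp) '
}

# Demo over the constructed input. On a real box use, for example:
#   classify_drop "$(dmesg | grep 'SPT=20 ' | tail -n 1)"
#   ftp_helper_loaded "$(cat /proc/modules)"
for l in "$LOG_ACTIVE_FTP" "$LOG_PORT_1433"; do
    printf 'SRC=%s SPT=%s DPT=%s -> %s\n' "$(nf_field "$l" SRC)" \
        "$(nf_field "$l" SPT)" "$(nf_field "$l" DPT)" "$(classify_drop "$l")"
done
if ftp_helper_loaded "$MODULES_WITHOUT_HELPER"; then
    echo 'FTP helper loaded'
else
    echo 'FTP helper missing: modprobe ip_conntrack_ftp (or nf_conntrack_ftp)'
fi
```

With the helper loaded, the server's SYN from port 20 is tracked as RELATED to the control connection, so the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule admits it without opening port 20 or the client's ephemeral range to the world. Passive mode does not need the helper for the data channel, because the client opens that connection outbound; the dropped SYN to 1433 is unrelated to the transfer and is exactly what a default-deny inbound policy should be dropping. One caveat for anyone reading this on a modern kernel: from Linux 4.7 onward conntrack helpers are no longer assigned automatically, so loading nf_conntrack_ftp is not enough by itself; the helper has to be attached explicitly, for example with the CT target in the raw table (`-p tcp --dport 21 -j CT --helper ftp`), or automatic assignment re-enabled where the kernel still offers the nf_conntrack_helper sysctl.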
