Great, thanks.
I'll let you know how things turn out.


> -----Original Message-----
> From: Mikkel L. Ellertson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 20, 2001 10:56 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: FTP Through Firewall
> 
> 
> On Tue, 20 Feb 2001, Tanner, Robby wrote:
> 
> > Why is there no MASQing involved?
> >
> Because they are not a complete set of rules - just the ftp rules.
> >
> > I'm not 100% on those rules.  Please verify my descriptions below...
> >
> [snip]
> >
> > > A good starting point would be "modprobe ip_masq_ftp".  Then you may want
> > > to make sure you have firewall rules like this:
> > >
> > > IPADDR = <internet address of your firewall>
> > > EXTERNAL_INTERFACE = <interface connected to the internet: eth0, eth1, or ppp0>
> > > UNPRIVPORTS = "1024:65535"
> > >
> > >     # FTP client (21)
> > >     # ---------------
> > >
> > >     # outgoing request
> > >     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
> > >              -s $IPADDR $UNPRIVPORTS \
> > >              --destination-port 21 -j ACCEPT
> > >
> >
> > Why would I include an output rule?  My default is to ACCEPT, should I
> > change that?
> >
> That is up to you.  My default rule is to deny everything, and then add
> in the stuff I want.  I feel safer that way.
> >
> > >     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > >              --source-port 21 \
> > >              -d $IPADDR $UNPRIVPORTS -j ACCEPT
> >
> > I accept packets on my internet card that are not connection requests and
> > are coming from port 21 bound for my internet card anywhere in the range
> > 1024:65535 (right?).
> >
> Right.  These are the responses from the machine you are connecting to.
> >
> >
> > >     # PORT mode data channel
> > >     ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
> > >              --source-port 20 \
> > >              -d $IPADDR $UNPRIVPORTS -j ACCEPT
> >
> > Accept tcp packets (even connection requests?) to my internet card, from any
> > server:port 20 that are bound for my internet address anywhere in the port
> > range 1024:65535.
> >
> This is the data connection opened on the other end in response to your
> commands to the ftp server.
> >
> > >     ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> > >              -s $IPADDR $UNPRIVPORTS \
> > >              --destination-port 20 -j ACCEPT
> >
> > Send packets out the internet card, that are not connection requests, from my
> > internet address (1024:65535) bound for port 20.
> >
> The second half of the data channel - your machine talking to the ftp
> server.  If you are downloading, this is where you tell the other end
> you received the data packet ok, or to resend them.  This rule and the
> one above it work as a pair.
> >
> >
> Mikkel
> -- 
> 
>     Do not meddle in the affairs of dragons,
>  for you are crunchy and taste good with ketchup.
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
> 



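As an added example (not code from the original post, nor from Mikkel or the list), here is a small Python model of the four quoted ipchains rules, walked through one PORT-mode (active) FTP transfer. The firewall address 203.0.113.5, the server 198.51.100.7, the probing host 192.0.2.9, the interface name eth0, the port numbers and every packet are constructed; the chains are evaluated first-match with the deny-everything default that Mikkel describes. The `syn` flag models what ipchains `-y` matches (a SYN-only segment, i.e. a new connection request), so `not_syn` is the `! -y` test. Run stand-alone, it prints the verdict for each packet of the session and then for an unsolicited connection request: because the PORT-mode input rule has to admit SYNs from source port 20, any remote host that sends from port 20 reaches any unprivileged port on the firewall, whereas the `! -y` on the control-channel rule keeps port 21 from being used the same way. Only PORT mode is covered, as in the quoted rules.

```python
"""Model of the four ipchains FTP-client rules quoted in the thread.

Added example, not code from the original post.  The firewall address,
server address, interface name and all packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPADDR = "203.0.113.5"            # constructed: the firewall's Internet address
EXTERNAL_INTERFACE = "eth0"       # constructed
FTP_SERVER = "198.51.100.7"       # constructed remote FTP server
UNPRIVPORTS = range(1024, 65536)  # ipchains "1024:65535"


def port(n: int) -> range:
    """A single-port range, so every port test is a plain 'in range'."""
    return range(n, n + 1)


@dataclass(frozen=True)
class Packet:
    chain: str    # "input" = arriving on the interface, "output" = leaving it
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True only for a SYN-only segment (what ipchains -y matches)


@dataclass(frozen=True)
class Rule:
    chain: str
    iface: str
    src: Optional[str] = None         # None means "any"
    sport: Optional[range] = None
    dst: Optional[str] = None
    dport: Optional[range] = None
    not_syn: bool = False             # ipchains "! -y": refuse connection requests
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        if p.chain != self.chain or p.iface != self.iface:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.not_syn and p.syn:
            return False
        return True


# The four quoted rules, in the order they were appended with -A.
RULES = [
    # outgoing control request: firewall:unpriv -> server:21 (SYN allowed)
    Rule("output", EXTERNAL_INTERFACE, src=IPADDR, sport=UNPRIVPORTS, dport=port(21)),
    # control replies: server:21 -> firewall:unpriv, but never a new connection
    Rule("input", EXTERNAL_INTERFACE, sport=port(21), dst=IPADDR, dport=UNPRIVPORTS, not_syn=True),
    # PORT-mode data channel: server:20 -> firewall:unpriv, SYN included
    Rule("input", EXTERNAL_INTERFACE, sport=port(20), dst=IPADDR, dport=UNPRIVPORTS),
    # our side of the data channel: firewall:unpriv -> server:20, never a SYN
    Rule("output", EXTERNAL_INTERFACE, src=IPADDR, sport=UNPRIVPORTS, dport=port(20), not_syn=True),
]


def verdict(p: Packet, rules=RULES, policy: str = "DENY") -> str:
    """First-match evaluation with a deny-everything default policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def active_mode_session(ctl_port: int, data_port: int) -> List[Tuple[str, Packet]]:
    """Constructed packets of one PORT-mode download, in wire order."""
    e = EXTERNAL_INTERFACE
    return [
        ("control SYN out",      Packet("output", e, IPADDR, ctl_port, FTP_SERVER, 21, True)),
        ("control SYN/ACK in",   Packet("input",  e, FTP_SERVER, 21, IPADDR, ctl_port, False)),
        ("PORT command out",     Packet("output", e, IPADDR, ctl_port, FTP_SERVER, 21, False)),
        ("200 PORT reply in",    Packet("input",  e, FTP_SERVER, 21, IPADDR, ctl_port, False)),
        ("data SYN in from :20", Packet("input",  e, FTP_SERVER, 20, IPADDR, data_port, True)),
        ("data SYN/ACK out",     Packet("output", e, IPADDR, data_port, FTP_SERVER, 20, False)),
        ("data segment in",      Packet("input",  e, FTP_SERVER, 20, IPADDR, data_port, False)),
        ("data ACK out",         Packet("output", e, IPADDR, data_port, FTP_SERVER, 20, False)),
    ]


def trace(session: List[Tuple[str, Packet]]) -> List[Tuple[str, str]]:
    """Verdict for every packet of a session, in order."""
    return [(label, verdict(p)) for label, p in session]


if __name__ == "__main__":
    for label, v in trace(active_mode_session(40000, 40001)):
        print(f"{label:24} {v}")
    # What the data-channel input rule also lets through: any host that picks
    # source port 20 can open a connection to any unprivileged port (constructed probe).
    probe = Packet("input", EXTERNAL_INTERFACE, "192.0.2.9", 20, IPADDR, 6000, True)
    print("unsolicited SYN from :20 to :6000 ->", verdict(probe))
```

The interesting outcomes are the probes: a SYN from source port 20 to port 6000 is accepted by the third rule, while the same SYN from source port 21 is dropped by the `! -y` on the second rule, and a SYN from port 20 to a port below 1024 falls outside UNPRIVPORTS and is also dropped. The outbound rule for port 20 likewise never lets the firewall itself originate a connection to a remote port 20.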
