[Shorewall-users] Re: Shorewall
Tue, 2 Apr 2002 05:29:58 -0800
On Monday 01 April 2002 07:32 pm, you wrote:
> Hello!
> First of all, a big thanks for the shorewall script! Works magnificently!
> Now a small question... Does the shorewall firewall support active
> connection tracking?
> A friend of mine cannot use active ftp from a PC behind her gateway, and I
> was wondering if recompiling a kernel that supports active connection
> tracking would solve the problem...

I'd be very surprised if your kernel doesn't already have support for
masquerading active FTP.

Usually vendors include ftp masquerade support in the form of two modules:
ip_conntrack_ftp.o and ip_nat_ftp.o. These modules can normally be found in

Note: the "`"'s are the character at the upper left corner of your keyboard.

In /etc/shorewall/shorewall.conf is the variable MODULESDIR which may be used
to specify a different directory.

The file /etc/shorewall/modules contains the commands to load those modules
when Shorewall is started.

So the first thing that you should do is run /sbin/lsmod to see if the
modules are already loaded; if they are, then we have a more interesting

Assuming that the modules aren't loaded, check to see if the modules are in
their normal directory as described above.

If the modules ARE there, check /etc/shorewall/shorewall.conf to be sure that
the MODULESDIR variable is empty.

Let us know what you find,

Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
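
The checks described in the message above, in the same order, as an added example that is not part of the original post and is not Shorewall's own code. The function names and status strings are hypothetical, the module directory is passed in by the caller because the path is not shown in the message, and the sample lsmod text is constructed.

```shell
#!/bin/sh
# Added example: the checks from the message, in order. Not Shorewall's own code.
HELPERS="ip_conntrack_ftp ip_nat_ftp"

# Succeeds if module $2 appears in column 1 of lsmod-format text $1.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Prints the MODULESDIR value from a shorewall.conf-style file $1 (empty if unset).
modulesdir_setting() {
    sed -n 's/^[[:space:]]*MODULESDIR=//p' "$1" | tail -n 1 | tr -d "\"' \t"
}

# $1 = lsmod text, $2 = directory expected to hold the modules (assumption:
# supplied by the caller), $3 = path to shorewall.conf. Prints one status line.
diagnose_ftp_helpers() {
    missing="" absent=""
    for m in $HELPERS; do
        module_loaded "$1" "$m" || missing="$missing $m"
    done
    if [ -z "$missing" ]; then echo "loaded"; return 0; fi
    for m in $missing; do
        # Module files are named <module>.o on 2.4 kernels; match any suffix.
        if ! find "$2" -name "$m.*" 2>/dev/null | grep -q .; then
            absent="$absent $m"
        fi
    done
    if [ -n "$absent" ]; then echo "absent:$absent"; return 0; fi
    dir=$(modulesdir_setting "$3")
    if [ -n "$dir" ]; then echo "modulesdir-override: $dir"; return 0; fi
    # Files exist and MODULESDIR is empty: look at /etc/shorewall/modules next.
    echo "present-not-loaded"
}

# Constructed sample in 2.4-era lsmod format, for trying the function offline.
SAMPLE_LSMOD='Module                  Size  Used by
ip_nat_ftp              3072   0 (unused)
ip_conntrack_ftp        3840   1 [ip_nat_ftp]'

# Real run: sh check.sh <modules-dir> [shorewall.conf]
if [ "$#" -ge 1 ]; then
    diagnose_ftp_helpers "$(/sbin/lsmod)" "$1" "${2:-/etc/shorewall/shorewall.conf}"
fi
```

A result of `modulesdir-override` means the module files exist in the directory you passed but MODULESDIR points somewhere else, which is the case the last check in the message is meant to catch.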