[Shorewall-users] Re: Shorewall

Tom Eastep teastep@shorewall.net
Tue, 2 Apr 2002 05:29:58 -0800


On Monday 01 April 2002 07:32 pm, you wrote:
> Hello !
>
> First of all, a big thanks for the shorewall script! Works magnificently!
>
> Now a small question... Does the shorewall firewall support active
> connection tracking ?
> A friend of mine cannot use active ftp from a PC behind her gateway, and I
> was wondering if recompiling a kernel that supports active connection
> tracking would solve the problem...
>

I'd be very surprised if your kernel doesn't already have support for 
masquerading active FTP.

Usually vendors include ftp masquerade support in the form of two modules: 
ip_conntrack_ftp.o and ip_nat_ftp.o. These modules can normally be found in 
the directory:

/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

Note: the "`"'s are the character at the upper left corner of your keyboard.

In /etc/shorewall/shorewall.conf is the variable MODULESDIR which may be used 
to specify a different directory. 

The file /etc/shorewall/modules contains the commands to load those modules 
when Shorewall is started. 

So the first thing that you should do is run /sbin/lsmod to see if the 
modules are already loaded; if they are, then we have a more interesting 
problem. 

Assuming that the modules aren't loaded, check to see if the modules are in 
their normal directory as described above. 

If the modules ARE there, check /etc/shorewall/shorewall.conf to be sure that 
the MODULESDIR variable is empty.

Let us know what you find,
-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
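
The checks described in the message above, as an added shell example that is not part of the original post or of Shorewall. The module names, the `.o` suffix and the paths come from the message; the function names, the finding strings and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: FTP helper-module checks in the order the message gives them.
FTP_MODULES="ip_conntrack_ftp ip_nat_ftp"

# Succeeds if module $1 is listed in lsmod-style output stored in file $2.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$2"
}

# Succeeds if the object file for module $1 exists in directory $2.
module_present() {
    [ -f "$2/$1.o" ]
}

# Prints the last value assigned to MODULESDIR in config file $1 (empty if none).
modulesdir_value() {
    sed -n 's/^[[:space:]]*MODULESDIR=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# $1 = lsmod output file, $2 = module directory, $3 = shorewall.conf path.
# Prints one finding: loaded, not-installed:<module>, modulesdir-set:<dir>,
# or present-but-not-loaded.
diagnose() {
    missing=""
    for m in $FTP_MODULES; do
        module_loaded "$m" "$1" || missing="$missing $m"
    done
    if [ -z "$missing" ]; then
        echo "loaded"; return 0
    fi
    for m in $missing; do
        module_present "$m" "$2" || { echo "not-installed:$m"; return 0; }
    done
    dir=$(modulesdir_value "$3")
    if [ -n "$dir" ]; then
        echo "modulesdir-set:$dir"   # Shorewall is looking somewhere else
    else
        echo "present-but-not-loaded"
    fi
}

# Live use on the gateway: sh check-ftp-modules.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) && /sbin/lsmod > "$tmp"
    diagnose "$tmp" "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" \
        /etc/shorewall/shorewall.conf
    rm -f "$tmp"
fi
```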