[Shorewall-users] Re: Shorewall

Tom Eastep teastep@shorewall.net
Tue, 2 Apr 2002 05:29:58 -0800

On Monday 01 April 2002 07:32 pm, you wrote:
> Hello!
> First of all, a big thanks for the shorewall script! Works magnificently!
> Now a small question... Does the shorewall firewall support active
> connection tracking ?
> A friend of mine cannot use active ftp from a PC behind her gateway, and I
> was wondering if recompiling a kernel that supports active connection
> tracking would solve the problem...

I'd be very surprised if your kernel doesn't already have support for 
masquerading active FTP.

Usually vendors include ftp masquerade support in the form of two modules: 
ip_conntrack_ftp.o and ip_nat_ftp.o. These modules can normally be found in 
the directory:

/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

Note: the "`"'s are the character at the upper left corner of your keyboard.

In /etc/shorewall/shorewall.conf is the variable MODULESDIR which may be used 
to specify a different directory. 

The file /etc/shorewall/modules contains the commands to load those modules 
when Shorewall is started. 

So the first thing that you should do is run /sbin/lsmod to see if the 
modules are already loaded; if they are, then we have a more interesting 

Assuming that the modules aren't loaded, check to see if the modules are in 
their normal directory as described above. 

If the modules ARE there, check /etc/shorewall/shorewall.conf to be sure that 
the MODULESDIR variable is empty.

Let us know what you find,
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
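
The three checks described in the message above (lsmod, the module directory, MODULESDIR), sketched as a shell script. This is an added example, not part of the original message or of Shorewall; the function names and verdict strings are hypothetical, while the module names and paths are the ones given in the message.

```shell
#!/bin/sh
# Module names and paths are those named in the message (2.4-era kernels);
# function names and verdict strings are hypothetical, chosen for this example.
HELPERS="ip_conntrack_ftp ip_nat_ftp"

# Reads `lsmod` output on stdin; prints each helper that is NOT loaded.
missing_loaded() {
    loaded=$(awk '{ print $1 }')
    for m in $HELPERS; do
        echo "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Prints each helper whose .o file is absent from directory $1.
missing_on_disk() {
    for m in $HELPERS; do
        [ -f "$1/$m.o" ] || echo "$m"
    done
}

# Prints the MODULESDIR value from the shorewall.conf given as $1, with
# quotes and trailing comments stripped. Empty output means it is unset.
modulesdir_value() {
    sed -n 's/^[[:space:]]*MODULESDIR=\([^#]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d "\"' "
}

# diagnose MODULE_DIR CONF < lsmod-output
# Walks the checks in the order the message gives and prints one verdict.
diagnose() {
    if [ -z "$(missing_loaded)" ]; then
        echo "loaded"; return
    fi
    gone=$(missing_on_disk "$1")
    if [ -n "$gone" ]; then
        echo "not-on-disk: $(echo $gone)"; return
    fi
    dir=$(modulesdir_value "$2")
    if [ -n "$dir" ]; then
        echo "modulesdir-set: $dir"
    else
        echo "present-but-not-loaded"
    fi
}

# Pass --live to run against the real system instead of sample input.
if [ "${1:-}" = "--live" ]; then
    /sbin/lsmod | diagnose "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" \
        /etc/shorewall/shorewall.conf
fi
```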