[Shorewall-users] pasv ftp

Christophe Zwecker doc@zwecker.de
21 Jan 2002 11:22:00 +0100


On Sat, 2002-01-19 at 14:51, Tom Eastep wrote:
> On Saturday 19 January 2002 05:36 am, I wrote:
> 
> >
> > I don't have to open them -- they will be opened dynamically at the time of
> > the PASV command. This of course assumes ftp connection tracking in your
> > kernel or that you have loaded the ip_conntrack_ftp module.
> >
> 
> BTW -- Shorewall automatically loads ip_conntrack_ftp and ip_nat_ftp if they 
> exist in the MODULESDIR (usually 
> /lib/modules/`uname -r`/kernel/ipv4/netfilter).

Hm, I checked, I have that module loaded but its state is (unused)

As of now I have to leave ports 2000-2100 open, my ftp server uses
those for pasv connections, I'd rather use the ip_conntrack_ftp option
though. Is it of any matter that my ftp server uses a non standard port
(24562)?

Here is a list of my modules:
ip_nat_irc              3264   0  (unused)
ip_nat_ftp              3936   0  (unused)
ip_conntrack_irc        3488   0  (unused)
ip_conntrack_ftp        4576   0  (unused)
ipt_TOS                 1536  14  (autoclean)
ipt_MASQUERADE          2112   1  (autoclean)
ipt_REJECT              3552   2  (autoclean)
ipt_LOG                 4960  13  (autoclean)
ipt_limit               1600  12  (autoclean)
iptable_mangle          2496   0  (autoclean) (unused)
iptable_nat            17524   2  (autoclean) [ip_nat_irc ip_nat_ftp ipt_MASQUERADE]
ipt_state               1088  37  (autoclean)
ip_conntrack           20268   5  (autoclean) [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_MASQUERADE iptable_nat ipt_state]
iptable_filter          2400   0  (autoclean) (unused)
ip_tables              13440  13  [ipt_mark ipt_MARK ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_nat ipt_state iptable_filter]
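An added example, not from this thread or from Shorewall: the 2.4 ftp helpers only watch port 21 unless told otherwise, so a server on 24562 needs the `ports` module parameter of ip_conntrack_ftp and ip_nat_ftp. The script builds those option lines (validating the port list) and checks pasted lsmod output for both helpers; the lsmod sample is constructed and the /etc/modules.conf location is an assumption.

```shell
#!/bin/sh
# Added example: helper options for FTP control on a non-standard port.

# Each argument must be an integer in 1..65535.
valid_ports() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Print the two "options" lines for /etc/modules.conf (assumed path).
# Port 21 is always kept so standard FTP stays tracked; duplicates dropped.
helper_options() {
    valid_ports "$@" || return 1
    list=21
    for p in "$@"; do
        case ",$list," in
            *",$p,"*) ;;
            *) list="$list,$p" ;;
        esac
    done
    printf 'options ip_conntrack_ftp ports=%s\n' "$list"
    printf 'options ip_nat_ftp ports=%s\n' "$list"
}

# Read lsmod output on stdin; succeed only if both FTP helpers are loaded.
# A 0 use count / "(unused)" is normal for these helpers: nothing depends
# on them, they hook into ip_conntrack on their own.
ftp_helpers_loaded() {
    awk '$1 == "ip_conntrack_ftp" || $1 == "ip_nat_ftp" { c++ }
         END { exit (c == 2) ? 0 : 1 }'
}

# Constructed lsmod sample (same layout as the real output).
SAMPLE_LSMOD='ip_nat_ftp              3936   0  (unused)
ip_conntrack_ftp        4576   0  (unused)
ip_conntrack           20268   5  (autoclean) [ip_nat_ftp ip_conntrack_ftp]'

# Returns 0 when the sample shows both helpers present.
demo_check() {
    printf '%s\n' "$SAMPLE_LSMOD" | ftp_helpers_loaded
}
```

Once the helpers are loaded with the extra port, the 2000-2100 range no longer needs a static open rule, because the data connections are accepted as RELATED to the tracked control session.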