[Shorewall-users] pasv ftp

Tom Eastep teastep@shorewall.net
Mon, 21 Jan 2002 06:41:45 -0800


On Monday 21 January 2002 02:22 am, Christophe Zwecker wrote:
> On Sat, 2002-01-19 at 14:51, Tom Eastep wrote:
> > On Saturday 19 January 2002 05:36 am, I wrote:
> > > I don't have to open them -- they will be opened dynamically at the
> > > time of the PASV command. This of course assumes ftp connection
> > > tracking in your kernel or that you have loaded the ip_conntrack_ftp
> > > module.
> >
> > BTW -- Shorewall automatically loads ip_conntrack_ftp and ip_nat_ftp if
> > they exist in the MODULESDIR (usually
> > /lib/modules/`uname -r`/kernel/ipv4/netfilter).
>
> Hm, I checked, I have that module loaded but its state is (unused)

That's normal.

>
> As of now I have to leave ports 2000-2100 open, my ftp server uses
> those for pasv connections, I'd rather use the ip_conntrack_ftp option
> tho. Is it of any matter that my ftp server uses a non standard port
> (24562) ??

Er -- just how do you think ip_conntrack_ftp knows that port 24562 is FTP
unless you tell it?

In /etc/modules.conf (or whatever your distro calls it), add:

options ip_nat_ftp ports=21,24562
options ip_conntrack_ftp ports=21,24562

And, you will have to unload/reload those two modules.

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
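To make concrete what the helper does once it is told to watch the control port: it reads the server's "227 Entering Passive Mode" reply on that connection and registers an expectation for the advertised data port, so nothing else has to be opened statically. The following is an added illustration written for this thread, not Shorewall or kernel code; the server address 192.0.2.10, the sample reply and the `loose` flag (modelled on the helper's default refusal to accept a data address that differs from the control peer) are assumptions for the demonstration.

```python
import re

# Constructed sample, not captured traffic: a server at 192.0.2.10 answering
# PASV with port 8*256+44 = 2092, i.e. inside the 2000-2100 range from the thread.
SERVER_IP = "192.0.2.10"
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,8,44)\r\n"

PASV_RE = re.compile(
    r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # octets and port bytes must fit in 8 bits
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def expectation(server_ip, reply, loose=False):
    """What the conntrack helper would register for the data connection.

    By default the advertised address must match the control-connection
    peer; only a 'loose' helper accepts a third-party address (assumption
    mirroring the helper's loose parameter)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if not loose and ip != server_ip:
        return None
    return {"proto": "tcp", "dst": ip, "dport": port}


def data_port_opened(control_port, helper_ports, server_ip, reply):
    """The thread's point: the helper only sees the reply if control_port
    is one of the ports it was loaded with (ports=21,24562)."""
    if control_port not in helper_ports:
        return None
    return expectation(server_ip, reply)
```

Hypothetical use: `data_port_opened(24562, (21,), SERVER_IP, SAMPLE_REPLY)` returns None, while `(21, 24562)` yields the expectation for port 2092.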