[Firehol-support] Extending complex service FTP
Goetz Bock
bock at blacknet.de
Tue Dec 16 22:38:53 GMT 2003
On Wed, Dec 17 '03 at 00:12, Costa Tsaousis wrote:
> > I have http running on M1 and ftp on M2. My ftp server is setup to
> > listen on ports 2500:2520 (one port for each virtual ftp domain).
>
> The FTP service needs an FTP conntrack module, which allows the random
> socket connection made for the data transfer by the FTP server/client,
> to be matched as RELATED to the initial request. I don't think that this
> module will understand ports 2500:2520 as FTP requests, and therefore it
> will not allow either active or passive data connections RELATED to
> these ports.
Actually it can be made to:
user at box ~$ modinfo /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
filename: /lib/modules/2.4.23/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
description: <none>
author: <none>
license: "GPL"
parm: ports int array (min = 1, max = 8)
parm: loose int
user at box ~$
so it looks like you can specify up to 8 ports where the module will try
to conntrack ftp connections. By default 21 will be used.
(You can only get 8 ports, as you can only load the module once)
--
Goetz Bock (c) 2003 as blacknet.de - Munich - Germany /"\
IT Consultant GNU FDL 1.1 secure mobile Linux everNETting \ /
X
ASCII Ribbon Campaign against HTML email & microsoft attachments / \
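As an added illustration of the `ports` parameter shown in the modinfo output above (this is not code from the original post or from the FireHOL project): a small POSIX shell helper that assembles the `ip_conntrack_ftp` module argument from a list of FTP control ports and refuses lists the module cannot accept, since `modinfo` reports the array as `max = 8`. The `modprobe ip_conntrack_ftp ports=...` form and the sample ports are assumptions for the example; the poster's 2500:2520 range (21 ports) is used to show why the 8-slot limit matters.

```shell
#!/bin/sh
# Added example, not from the original post: build the ports= parameter for
# ip_conntrack_ftp from a list of FTP control ports, enforcing the limit the
# module's modinfo output reports (ports int array, max = 8).
MAX_FTP_PORTS=8

# Print "ports=a,b,c" for the given ports, or fail (non-zero exit, nothing
# on stdout) when the list cannot be expressed in a single module load.
ftp_ports_param() {
    list=""
    count=0
    for p in "$@"; do
        # reject anything that is not a plain TCP port number
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        # skip duplicates so they do not waste one of the 8 slots
        case ",$list," in
            *",$p,"*) continue ;;
        esac
        count=$((count + 1))
        if [ "$count" -gt "$MAX_FTP_PORTS" ]; then
            echo "too many ports: the module accepts at most $MAX_FTP_PORTS" >&2
            return 1
        fi
        list="${list:+$list,}$p"
    done
    [ -n "$list" ] || { echo "no ports given" >&2; return 1; }
    printf 'ports=%s\n' "$list"
}

# Expand an iptables-style range such as 2500:2520 into one port per line.
expand_range() {
    lo=${1%%:*}; hi=${1##*:}
    i=$lo
    while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done
}

# Print the full modprobe command line (assumed syntax), or fail as above.
ftp_modprobe_cmd() {
    param=$(ftp_ports_param "$@") || return 1
    printf 'modprobe ip_conntrack_ftp %s\n' "$param"
}

# Demo: port 21 plus seven virtual domains fits; 21 plus all of 2500:2520
# does not, so the remaining domains would get no RELATED data connections.
if [ "${FTP_CONNTRACK_DEMO:-0}" = 1 ]; then
    ftp_modprobe_cmd 21 2500 2501 2502 2503 2504 2505 2506
    ftp_modprobe_cmd 21 $(expand_range 2500:2520) || echo "(rejected, as expected)"
fi
```

Run it with `FTP_CONNTRACK_DEMO=1 sh script.sh` to see both the accepted and the rejected case; the functions only print the command line, so nothing is loaded into the kernel until you choose to execute the output.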