[Firehol-support] RST, ACK, SYN, FTP
bock at blacknet.de
Mon Apr 24 08:06:11 BST 2006
I take the discussion back to the list, and hope you're subscribed
> Due to security reasons I dont allow modules in the kernel. So
> ip_conntrack_ftp in built into the kernel itself. The thing is also that
> this machines have public IPs and are not doing any NAT service at all, so
> there shouldnt be any problems with that.
ip_conntrack_$foo has nothing to do with NAT. That's what the
ip_nat_$bar modules are for.
> As I understand that, I would say "server ftp access" opens port 21 and 20
> for all packets except INVALID ones, but as it seems, it does not.
Firehol builds a statefull firewall. For "server FTP accept" this means:
open incomming port 20 (from client ports)
load the conntrack_ftp module.
allow related connections to port 21 and outgoing connections from port
The conntrack_ftp module does the magic of detecting which connection is
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2006 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
More information about the Firehol-support