[Firehol-support] RST, ACK, SYN, FTP

Goetz Bock bock at blacknet.de
Mon Apr 24 08:06:11 BST 2006


Hi Jernej,

I take the discussion back to the list, and hope you're subscribed

> Due to security reasons I don't allow modules in the kernel. So
> ip_conntrack_ftp is built into the kernel itself. The thing is also that
> these machines have public IPs and are not doing any NAT service at all, so
> there shouldn't be any problems with that.
ip_conntrack_$foo has nothing to do with NAT. That's what the
ip_nat_$bar modules are for.

> As I understand that, I would say "server ftp access" opens port 21 and 20
> for all packets except INVALID ones, but as it seems, it does not.

Firehol builds a stateful firewall. For "server FTP accept" this means:
                                                    ^^^^^^
open incoming port 20 (from client ports)
load the conntrack_ftp module.
allow related connections to port 21 and outgoing connections from port
21

The conntrack_ftp module does the magic of detecting which connection is 
"related".
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /       (c) 2006 Creative Commons, Attribution-ShareAlike 2.0 de
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]
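The rule set a stateful "FTP server" policy boils down to, written out as an added example (this is not FireHOL's generated output and not the author's code; the interface name, the helper module names and the exact rule ordering are assumptions). The control channel is the only thing accepted as NEW; the data channel in either mode is accepted because the conntrack FTP helper marks it RELATED, which is the "magic" the message refers to:

```shell
#!/bin/sh
# Added example: iptables equivalent of a stateful FTP server policy.
# Assumptions: interface name (default eth0); the helper is ip_conntrack_ftp on
# 2.4/2.6-era kernels and nf_conntrack_ftp on current ones. The author builds
# the helper into the kernel, so no modprobe is needed in that case.
set -e

# Emit the rules for a stateful FTP server on interface $1 (default eth0).
# Only prints them; nothing is applied, so this runs without root.
ftp_server_rules() {
    iface="${1:-eth0}"
    cat <<EOF
# On a modular kernel the helper must be loaded first:
#   modprobe nf_conntrack_ftp   (ip_conntrack_ftp on older kernels)
# 1. Control channel: clients may open NEW connections to tcp/21.
iptables -A INPUT  -i $iface -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# 2. Data channel: the helper parses PORT/PASV on the control channel and
#    marks the resulting connection RELATED, whether the server connects out
#    from tcp/20 (active) or the client connects in (passive). Replies on an
#    open connection are ESTABLISHED. Both directions are covered.
iptables -A INPUT  -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Packets conntrack cannot classify (stray RST/ACK, bad sequence numbers)
#    are INVALID and dropped rather than accepted on a port number alone.
iptables -A INPUT  -i $iface -m conntrack --ctstate INVALID -j DROP
EOF
}

# Count the iptables commands the generator produces (comments excluded).
ftp_rule_count() {
    ftp_server_rules "$1" | grep -c '^iptables'
}

# Print the rules for the requested interface. To apply them, run as root:
#   sh ftp-rules.sh eth0 | sh
ftp_server_rules "${1:-eth0}"
```

Older iptables releases spell the state match `-m state --state`; the meaning is the same. The INVALID drop matters for the symptom in the subject line: a packet to port 20 or 21 that conntrack cannot tie to a tracked connection is not "open port" traffic, it is rejected, which is why a stateful policy behaves differently from a plain port allow.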