
Re: Debian 2.6.8/bridge/iptables/passive ftp

To: spaminator@web.de
Subject: Re: Debian 2.6.8/bridge/iptables/passive ftp
From: Martijn Lievaart <m@rtij.nl>
Date: Wed, 04 Apr 2007 19:37:04 +0200
Cc: netfilter@lists.netfilter.org
In-reply-to: <361462969@web.de>
References: <361462969@web.de>
User-agent: Thunderbird 1.5.0.10 (X11/20070302)
spaminator@web.de wrote:
> Rebooting the bridge box left me again with an unloaded ip_conntrack_ftp. So I made an
> entry in /etc/modules which caters for the module to be loaded on (re)boot. Strange thing
> that, because other modules related to iptables are being loaded automatically, although
> they are not compiled into the kernel either. Are there other "surprise" modules
> that have to be loaded via /etc/modules?

All the ip_conntrack_* modules, so all the connection helpers. You could load them all, but I only load what I need.

These modules are what account for (most of the) -m state --state RELATED matches. Related in this case are all the data connections for ftp, so you don't need any rule for those data connections.

IOW to make ftp work you need:

- To load ip_conntrack_ftp
- Have a rule that allows ESTABLISHED,RELATED
- Have a rule that allows the initial SYN to port 21.


HTH,
M4
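The three items in the reply above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the netfilter project: `FTP_SERVER` and its 192.0.2.10 value are a constructed placeholder for the bridged FTP host, the function names are my own, and the rules go in the FORWARD chain because a bridge forwards traffic rather than terminating it. The check functions take a file path so they can be exercised against scratch copies of /etc/modules and /proc/modules instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original thread) covering the three pieces
# Martijn lists for passive FTP through a conntrack-aware bridge:
#   1. ip_conntrack_ftp loaded, and listed in /etc/modules so it survives a reboot
#   2. a rule accepting ESTABLISHED,RELATED (the helper marks data connections RELATED)
#   3. a rule accepting the initial SYN to port 21
# FTP_SERVER is a hypothetical, constructed address (RFC 5737 documentation range).
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"

# Is the helper currently loaded? $1 is the modules list (normally /proc/modules),
# $2 the module name; /proc/modules lines start with "<name> <size> ...".
helper_loaded() {
    grep -q "^$2 " "$1"
}

# Append the module name to the boot-time module list ($1, normally /etc/modules)
# unless it is already there, so the helper comes back after a reboot.
ensure_module_on_boot() {
    file="$1"; mod="$2"
    touch "$file"
    if grep -qx "$mod" "$file"; then
        return 0
    fi
    printf '%s\n' "$mod" >> "$file"
}

# The two rules that, together with the helper, make FTP (active and passive) work.
# Order matters: the stateful rule first, then the control-connection opener.
# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, i.e. only the first packet.
apply_ftp_rules() {
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -d "$FTP_SERVER" --dport 21 --syn \
        -m state --state NEW -j ACCEPT
}

# Only touch the live system when explicitly asked: sh ftp-bridge.sh apply
if [ "${1:-}" = "apply" ]; then
    modprobe ip_conntrack_ftp
    helper_loaded /proc/modules ip_conntrack_ftp || { echo "helper not loaded" >&2; exit 1; }
    ensure_module_on_boot /etc/modules ip_conntrack_ftp
    apply_ftp_rules
fi
```

Run it as `sh ftp-bridge.sh apply` on the bridge as root; without the `apply` argument it only defines the functions. A quick way to confirm the helper is doing its job afterwards is to watch `/proc/net/ip_conntrack` during a passive transfer: the data connection should appear without any explicit rule for it.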