[Sheflug] FTP server firewall problem
> My understanding of active FTP, so far, is that the client initiates a
> control connection to the server's port 21 from a high port. The server
> replies to a high port on the client machine from port 20 - this is the
> data connection.
>
> I would have thought that the following two rules would have sorted it:
>
> -A RH-Lokkit-0-50-INPUT -p tcp --dport 20:21 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
A little more detail.
I can connect to this box in passive FTP mode from a
not-very-well-firewalled 'doze machine. I cannot connect to the new ftp
server from a fairly paranoid linux box but that would be a client-side
issue.
To allow the server to establish a data connection from port 20 to a high
port on the client, I thought that the following rule would help and have
added it to the above two rules:
-A RH-Lokkit-0-50-INPUT -p tcp --sport 20:21 -j ACCEPT
But, of course, it doesn't.
Any ideas?
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
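To make visible what the three quoted INPUT rules do and do not cover, here is an added Python model (not code from the thread, from Lokkit or from the kernel) of how a stateful filter on the FTP server sees an active and a passive session. The addresses, ports and the PORT/227 control-channel texts are constructed; the `Conntrack` class is a toy stand-in for ip_conntrack with the ip_conntrack_ftp helper, and the chain is assumed to end in DROP.

```python
"""Toy model of an FTP server's stateful INPUT chain (added example, not from the thread)."""
from dataclasses import dataclass, field
import re

SERVER = "192.0.2.10"     # constructed: the FTP server (TEST-NET-1 address)
CLIENT = "198.51.100.7"   # constructed: the FTP client (TEST-NET-2 address)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""     # FTP control-channel text carried by this packet, if any

_ADDR6 = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_port_tuple(text):
    """Turn the h1,h2,h3,h4,p1,p2 form used by PORT and by reply 227 into (host, port)."""
    m = _ADDR6.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

@dataclass
class Conntrack:
    """Toy model of ip_conntrack: a flow table plus the expectations that the FTP
    helper (ip_conntrack_ftp) creates after reading PORT / 227 on the port-21 channel."""
    ftp_helper: bool
    flows: set = field(default_factory=set)
    expected: set = field(default_factory=set)   # (initiator ip, target ip, target port)

    @staticmethod
    def _key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def classify(self, p):
        """Return the -m state verdict for p and update the tables; the kernel does
        this for every packet crossing any chain, INPUT or OUTPUT alike."""
        k = self._key(p)
        if k in self.flows:
            state = "ESTABLISHED"
        elif (p.src, p.dst, p.dport) in self.expected:
            state = "RELATED"
            self.expected.discard((p.src, p.dst, p.dport))
        else:
            state = "NEW"
        self.flows.add(k)
        if self.ftp_helper and 21 in (p.sport, p.dport):
            self._watch_control_channel(p)
        return state

    def _watch_control_channel(self, p):
        text = p.payload
        if text.upper().startswith("PORT ") or text.startswith("227 "):
            decoded = decode_port_tuple(text)
            if decoded:
                host, port = decoded
                # whichever side received this message is the side that will connect
                self.expected.add((p.dst, host, port))

def input_chain(p, ct):
    """The three RH-Lokkit INPUT rules quoted in the message, first match wins."""
    state = ct.classify(p)
    if 20 <= p.dport <= 21:                     # -p tcp --dport 20:21 -j ACCEPT
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):     # -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    if 20 <= p.sport <= 21:                     # -p tcp --sport 20:21 -j ACCEPT
        return "ACCEPT"
    return "DROP"                               # assumption: the chain ends in DROP

def output_chain(p, ct):
    """Lokkit leaves OUTPUT open, but the packet still populates conntrack."""
    ct.classify(p)
    return "ACCEPT"

def active_session(ct):
    """Client announces a port with PORT; the server dials it from port 20.
    Returns the INPUT verdicts for the control SYN, the PORT command and the
    client's reply on the data connection."""
    v = [input_chain(Packet(CLIENT, 40001, SERVER, 21), ct)]
    output_chain(Packet(SERVER, 21, CLIENT, 40001, "220 ready"), ct)
    v.append(input_chain(Packet(CLIENT, 40001, SERVER, 21, "PORT 198,51,100,7,156,66"), ct))
    output_chain(Packet(SERVER, 20, CLIENT, 40002), ct)          # server's data SYN
    v.append(input_chain(Packet(CLIENT, 40002, SERVER, 20), ct))  # client's SYN/ACK
    return v

def passive_session(ct):
    """Server announces a high port in reply 227; the client dials it."""
    v = [input_chain(Packet(CLIENT, 40001, SERVER, 21), ct)]
    output_chain(Packet(SERVER, 21, CLIENT, 40001, "220 ready"), ct)
    v.append(input_chain(Packet(CLIENT, 40001, SERVER, 21, "PASV"), ct))
    output_chain(Packet(SERVER, 21, CLIENT, 40001, "227 Entering Passive Mode (192,0,2,10,200,11)"), ct)
    v.append(input_chain(Packet(CLIENT, 40003, SERVER, 51211), ct))  # client's data SYN
    return v

if __name__ == "__main__":
    print("active, no helper :", active_session(Conntrack(ftp_helper=False)))
    print("passive, helper   :", passive_session(Conntrack(ftp_helper=True)))
    print("passive, no helper:", passive_session(Conntrack(ftp_helper=False)))
    # a brand-new connection to port 22 whose remote end chose source port 20
    print("sport 20 to 22    :", input_chain(Packet("203.0.113.9", 20, SERVER, 22), Conntrack(True)))
```

Run as a script it shows three things about the server side of the rules: the active-mode data connection comes back to the server as an ESTABLISHED reply on port 20, so the first two rules already accept it whether or not the FTP helper is loaded; the passive-mode data SYN is only accepted as RELATED when the helper has read the 227 reply, and is dropped otherwise; and the extra `--sport 20:21` rule accepts any NEW connection to any local port whose remote end simply chose source port 20, so it loosens the filter without addressing either data-connection case.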