Request for help: Debian firewall, and maybe some kernel upgrade tips

Brian Kelsay Brian.Kelsay at kcc.usda.gov
Fri Apr 15 12:02:46 CDT 2005


ip_conntrack_ftp is a kernel module,  but I'm not sure if it is on my firewall or not.  A person could just check "lsmod" to see if it is loaded or "modprobe ip_conntrack_ftp" to initiate.  Where in the kernel options is the support for this module?  Under networking perhaps?

Brian Kelsay

>>> Brad <> 04/15/05 10:58AM >>>

> Correct me if I'm wrong, but the simple firewall rules
> posted earlier would effectively break ftp. Wouldn't
> the unprivileged ports also be blocked? Wouldn't you
> need to specifically allow the unprivileged ports for
> either active or passive ftp? Wouldn't you need to
> allow outbound ports also? I don't remember all the
> rules posted, but I would think that the default rule
> would be to drop inbound and outbound unused ports. 
> 
> Brian D.

The default policy for the Output chain is usually ACCEPT, so there is
no need to open outbound ports specifically.  The ACCEPT statement on
the ESTABLISHED,RELATED line will allow connections to the unprivileged
ports since they are related to the connection on port 21.  I believe
ip_conntrack_ftp helps with this.

Brad
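To make Brad's point concrete, here is an added example (not from the thread): a minimal iptables ruleset for an FTP server host that leans on the conntrack FTP helper instead of opening the unprivileged port range, plus a check for whether the helper module is loaded. It assumes eth0 is the outside interface and, by default, runs in dry-run mode (IPTABLES="echo iptables") so it only prints the commands; the /proc/modules sample is constructed. The helper module is ip_conntrack_ftp on 2.4/2.6-era kernels (kernel option CONFIG_IP_NF_FTP, "FTP protocol support" under Networking options / IP: Netfilter Configuration) and nf_conntrack_ftp (CONFIG_NF_CONNTRACK_FTP) on newer ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Set IPTABLES=iptables to apply
# for real (as root); the default only echoes the commands.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit the ruleset. Default policy as Brad describes: drop unsolicited
# inbound, accept outbound, so no rules are needed for outbound ports.
ftp_ruleset() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # FTP data connections (active: server port 20 -> client high port;
    # passive: client -> server high port) are marked RELATED to the
    # port-21 control connection by the ftp helper, so this single line
    # admits them without opening the unprivileged port range.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Kernels >= 4.7 no longer attach helpers automatically
    # (net.netfilter.nf_conntrack_helper defaults to 0). Bind the helper
    # to port-21 traffic only, rather than re-enabling the global sysctl.
    $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Return 0 if the FTP conntrack helper appears in the module list given
# as $1 (default /proc/modules). Matches both the old and new module names.
conntrack_ftp_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

# Constructed sample of /proc/modules content, for demonstration only.
SAMPLE_MODULES='nf_conntrack_ftp 24576 1 nf_nat_ftp, Live 0x0000000000000000
nf_conntrack 172032 5 nf_conntrack_ftp, Live 0x0000000000000000'

# Demo: print the ruleset, then report helper status on this host.
ftp_ruleset
if conntrack_ftp_loaded; then
    echo "ftp conntrack helper: loaded (check lsmod)"
else
    echo "ftp conntrack helper: not loaded (try: modprobe nf_conntrack_ftp)"
fi
```

If the helper is missing on a box with this ruleset, the control connection on port 21 works but every data transfer (directory listings included) hangs, which is the usual symptom to look for.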
