[suse-security] IPTABLES Rule for Passive FTP
Hi all,
I need to create a rule with IPTABLES which only allows passive FTP. The
following lines accomplish this:
set IPTABLES = "/usr/sbin/iptables"
# Control Connection
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP \
    --sport 1024:65535 --dport ftp -j ACCEPT
# Data Connection
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP \
    --sport 1024:65535 --dport 1024:65535 -j ACCEPT
There are more rules than the lines above, but they are
intentionally left out.
My problem is that this opens the firewall from the inside for any
connection with source port >= 1024 and destination port >= 1024, which is
typically used only by the passive FTP data connection. By recommendation,
this behaviour is not wanted.
Is there a way to ensure that the data connection is only allowed when an
FTP control connection has been established beforehand?
Cheers
Knut Erik
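The question above asks for the data connection to be accepted only after a control connection exists. On Linux the usual way to get that is the kernel's FTP connection-tracking helper: it parses the control channel, records the port announced in the PASV/EPSV reply, and classifies the first packet of the matching data connection as RELATED instead of NEW, so the blanket 1024:65535 -> 1024:65535 NEW rule can go away. The script below is an added example, not part of the original post or a reply in the thread. It assumes eth0 is the inside interface, eth1 the outside, and that the helper module is nf_conntrack_ftp (ip_conntrack_ftp on 2.4-era kernels, which also lack the raw-table CT target used here). With DRY_RUN=1 (the default) it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post: forward passive FTP by letting
# the FTP conntrack helper tie each data connection to the control connection
# that announced it, and accept the data connection as RELATED only.
#
# Assumptions (not stated in the post): inside interface eth0, outside
# interface eth1, helper module nf_conntrack_ftp. DRY_RUN=1 (default) prints
# the commands; DRY_RUN=0 applies them with the real iptables binary.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
INSIDE="${INSIDE:-eth0}"
OUTSIDE="${OUTSIDE:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_ftp_helper() {
    # The helper creates an "expectation" for the data connection after it
    # sees the PASV/EPSV reply; the data connection's first packet is then
    # classified RELATED rather than NEW.
    run modprobe nf_conntrack_ftp
    # Since kernel 4.7 helpers are no longer attached automatically
    # (nf_conntrack_helper defaults to 0); bind the ftp helper to port 21.
    run "$IPTABLES" -t raw -A PREROUTING -i "$INSIDE" -p tcp --dport 21 \
        -j CT --helper ftp
}

passive_ftp_rules() {
    # Default deny for forwarded traffic; the rules below are the exceptions.
    run "$IPTABLES" -P FORWARD DROP
    # Control channel: new connections from inside to port 21 outbound.
    run "$IPTABLES" -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Data channel: only connections the helper has tied to a tracked control
    # connection (RELATED), plus packets of flows already accepted.
    # Deliberately no "--state NEW" rule for 1024:65535 here.
    run "$IPTABLES" -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -p tcp \
        --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Replies for both channels coming back in.
    run "$IPTABLES" -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

configure_passive_ftp() {
    load_ftp_helper
    passive_ftp_rules
}

configure_passive_ftp
```

Run it as `DRY_RUN=0 sh passive-ftp.sh` as root to apply. The check worth doing afterwards is to open a passive transfer from an inside host and confirm the data connection shows up in `conntrack -L` (or /proc/net/nf_conntrack) with the helper attached; if the helper is not bound, the data connection's SYN is NEW, matches no ACCEPT rule and is dropped, which is the failure mode the post's blanket rule was papering over.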