From: Joel Newkirk <netfilter@newkirk.us>
To: "Reckhard, Tobias" <tobias.reckhard@secunet.com>,
	netfilter@lists.netfilter.org
Subject: Re: portfw on iptables 2.4 kernel problem. (oops!)
Date: Wed, 11 Dec 2002 03:18:46 -0500
Message-ID: <200212110318.46343.netfilter@newkirk.us>
In-Reply-To: <200212110305.48030.netfilter@newkirk.us>

On Wednesday 11 December 2002 03:05 am, Joel Newkirk wrote:

> This wouldn't work at all.  INPUT shouldn't enter into it at all,
> unless the DNAT fails, and OUTPUT only if a packet is required to
> leave the firewall machine itself, IE if that is where the connection
> is attempted from or to.  Also, for the FTP conntrack helper to work
> you HAVE to allow state RELATED.  FTP will open a control connection
> to port 21, then a request for data will (in passive) cause the server
> to attempt to open a connection BACK to the client's port 20, IE. 
> This is RELATED, in a nutshell.  The FTP helper is required because
> the control packets will embed IP and port data inside the packet
> itself, rather than its header, and without the helper netfilter will
> only handle the header.

Sorry, I got this slightly wrong.  The server will open a connection back 
to the client FROM its own port 20, to a port specified in the request 
from the client.

j
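
Added example, not part of the original message and not netfilter's code: a Python sketch of what the message says an FTP helper has to do, reading the address and port out of the client's PORT request in the payload and treating the server's connection back to that port as RELATED. The addresses, function names and the address-match policy are assumptions of this sketch; the source port is not matched.

```python
import re
from typing import NamedTuple

# FTP "PORT h1,h2,h3,h4,p1,p2": the address and port travel in the payload.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$", re.I)

class Expectation(NamedTuple):
    server_ip: str    # data connection comes from the FTP server
    client_ip: str    # ... back to the client
    client_port: int  # ... on the port named in the PORT request

def parse_port(line: bytes):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def expect_from_control(client_ip, server_ip, line):
    """Build the expectation a helper would register after seeing PORT."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Policy of this sketch: only accept the control connection's own
    # client address, so a PORT naming a third host opens nothing.
    if ip != client_ip:
        return None
    return Expectation(server_ip, client_ip, port)

def classify(expectations, src_ip, dst_ip, dst_port):
    """State of a connection's first packet: RELATED if expected, else NEW."""
    exp = Expectation(src_ip, dst_ip, dst_port)
    if exp in expectations:
        expectations.remove(exp)   # an expectation is used once
        return "RELATED"
    return "NEW"

if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed addresses
    pending = {expect_from_control(CLIENT, SERVER, b"PORT 192,0,2,10,19,137\r\n")}
    print(classify(pending, SERVER, CLIENT, 5001))
    print(classify(pending, SERVER, CLIENT, 5001))
```
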




