* FTP connection without NAT
@ 2008-04-10 1:16 Ming-Ching Tiew
2008-04-10 5:45 ` Jan Engelhardt
0 siblings, 1 reply; 4+ messages in thread
From: Ming-Ching Tiew @ 2008-04-10 1:16 UTC (permalink / raw)
To: netfilter
I have a firewall/router which is setup to do connection
tracking firewalling but does not do NAT. And I would like
to house an FTP server inside the firewalled router.
The firewall is setup to do this :-
1. FORWARD rule policy is DROP.
2. Inside can ACCEPT NEW connection to go to outside.
3. ACCEPT established or related connections.
4. FORWARD tcp port 21 from outside to the
inside FTP server is ACCEPT.
No PREROUTING DNAT and POSTROUTING SNAT,
since the box does not do NAT.
Will the connection tracking modules help in allowing
passive FTP session to get through to the FTP server ?
Any comments ?
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: FTP connection without NAT
2008-04-10 1:16 FTP connection without NAT Ming-Ching Tiew
@ 2008-04-10 5:45 ` Jan Engelhardt
2008-04-10 10:15 ` Ming-Ching Tiew
0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2008-04-10 5:45 UTC (permalink / raw)
To: Ming-Ching Tiew; +Cc: netfilter
On Thursday 2008-04-10 03:16, Ming-Ching Tiew wrote:
>
>1. FORWARD rule policy is DROP.
>2. Inside can ACCEPT NEW connection to go to outside.
>3. ACCEPT established or related connections.
>4. FORWARD tcp port 21 from outside to the
> inside FTP server is ACCEPT.
>
>Will the connection tracking modules help in allowing
>passive FTP session to get through to the FTP server ?
Make sure nf_conntrack_ftp is loaded so that RELATED can do its job.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: FTP connection without NAT
2008-04-10 5:45 ` Jan Engelhardt
@ 2008-04-10 10:15 ` Ming-Ching Tiew
2008-04-10 21:39 ` Martijn Lievaart
0 siblings, 1 reply; 4+ messages in thread
From: Ming-Ching Tiew @ 2008-04-10 10:15 UTC (permalink / raw)
To: netfilter
Jan Engelhardt wrote:
> On Thursday 2008-04-10 03:16, Ming-Ching Tiew wrote:
>>
>> 1. FORWARD rule policy is DROP.
>> 2. Inside can ACCEPT NEW connection to go to outside.
>> 3. ACCEPT established or related connections.
>> 4. FORWARD tcp port 21 from outside to the
>> inside FTP server is ACCEPT.
>>
>> Will the connection tracking modules help in allowing
>> passive FTP session to get through to the FTP server ?
>
> Make sure nf_conntrack_ftp is loaded so that RELATED can do its job.
Is it necessary to specify the ftp port if it is not port 21 ?
Regards.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: FTP connection without NAT
2008-04-10 10:15 ` Ming-Ching Tiew
@ 2008-04-10 21:39 ` Martijn Lievaart
0 siblings, 0 replies; 4+ messages in thread
From: Martijn Lievaart @ 2008-04-10 21:39 UTC (permalink / raw)
To: Ming-Ching Tiew; +Cc: netfilter
Ming-Ching Tiew wrote:
> Jan Engelhardt wrote:
>
>> On Thursday 2008-04-10 03:16, Ming-Ching Tiew wrote:
>>
>>> 1. FORWARD rule policy is DROP.
>>> 2. Inside can ACCEPT NEW connection to go to outside.
>>> 3. ACCEPT established or related connections.
>>> 4. FORWARD tcp port 21 from outside to the
>>> inside FTP server is ACCEPT.
>>>
>>> Will the connection tracking modules help in allowing
>>> passive FTP session to get through to the FTP server ?
>>>
>> Make sure nf_conntrack_ftp is loaded so that RELATED can do its job.
>>
>
> Is it necessary to specify the ftp port if it is not port 21 ?
>
Sadly, yes.
M4
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2008-04-10 21:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-04-10 1:16 FTP connection without NAT Ming-Ching Tiew
2008-04-10 5:45 ` Jan Engelhardt
2008-04-10 10:15 ` Ming-Ching Tiew
2008-04-10 21:39 ` Martijn Lievaart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox