Active FTP vs. Passive FTP, Appendix 2


Introduction

This appendix will describe some methods for configuring popular firewalls to support FTP communications. Most of these configuration guides/tips are user-provided and I am unable to test all of these recommendations. As always, be sure to do extensive research before implementing any of the recommendations here!


Linux IPTables

When using IPTables, you can use the state match together with the FTP connection tracking helper, which recognises traffic related to an FTP control connection, in this case the data connection. This means you only need to open port 21 explicitly; the random data port is opened automatically by the following rules (being sure to load the FTP connection tracking helper module first):

# Load the FTP helper first (called nf_conntrack_ftp on current kernels; since Linux 4.7 it must also be assigned explicitly with the CT target, as automatic helper assignment is off by default)
modprobe ip_conntrack_ftp
iptables -A INPUT -i $WAN_IF -p tcp -m state --state NEW --dport 21 -j ACCEPT     # control connection
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT      # data connection, marked RELATED by the helper

In the event any malicious traffic comes in on the same port as an ongoing FTP data connection, that traffic will get dropped as it is not related to the FTP data connection.
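The reason only the genuine data connection is accepted is that the helper reads the control channel and registers an expectation for exactly one endpoint. The following Python model, added here as an illustration and not code from the original appendix or from the kernel, parses the two messages that announce a data connection (the client's PORT command in active mode, the server's 227 reply in passive mode), derives the endpoint the same way the helper does (port = p1*256 + p2), and, like the helper's default loose=0 setting, creates no expectation when the advertised address differs from the peer of the control connection. The sample lines and addresses are constructed; CLIENT_IP, SERVER_IP and the function names are this example's own.

```python
"""Model of what the FTP conntrack helper does with the control channel.

Added example, not code from the original page or from the Linux kernel:
it parses PORT commands and 227 replies, computes the data endpoint as the
helper does, and refuses to create an expectation for an address that does
not match the control-connection peer (the helper's default loose=0).
"""
import re

# Constructed sample values (documentation/private address ranges).
CLIENT_IP = "192.168.1.10"
SERVER_IP = "203.0.113.5"
SAMPLE_PORT = "PORT 192,168,1,10,195,89\r\n"                   # active mode
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,5,39,16).\r\n"  # passive mode
SPOOFED_PORT = "PORT 10,0,0,7,0,22\r\n"   # client advertises some other host

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$")
_PASV_RE = re.compile(r"^227\b[^\d]*" + _SIX)


def _decode(groups):
    """Turn the h1,h2,h3,h4,p1,p2 fields into ("h1.h2.h3.h4", port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (groups,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_port_command(line):
    """Active mode: the client announces where the server should connect."""
    m = _PORT_RE.match(line.strip("\r\n"))
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Passive mode: the server announces where the client should connect."""
    m = _PASV_RE.match(line.strip("\r\n"))
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode(m.groups())


def expectation(line, client_ip, server_ip, loose=False):
    """Return the RELATED data connection the helper would expect, as
    (initiator_ip, target_ip, target_port), or None when no expectation is
    created.  With loose=False an advertised address that differs from the
    control-connection peer is ignored, so a data connection to it is not
    RELATED and falls through to the chain's treatment of unmatched traffic
    (dropped, as described in the text above)."""
    if line.startswith("PORT"):
        host, port = parse_port_command(line)
        if host != client_ip and not loose:
            return None
        return (server_ip, host, port)       # server connects to the client
    if line.startswith("227"):
        host, port = parse_pasv_reply(line)
        if host != server_ip and not loose:
            return None
        return (client_ip, host, port)       # client connects to the server
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_PORT, SAMPLE_PASV, SPOOFED_PORT):
        print(sample.strip(), "->", expectation(sample, CLIENT_IP, SERVER_IP))
```

Running the script shows the two legitimate announcements producing one expectation each (ports 50009 and 10000), while the spoofed PORT command yields none; only a connection that matches a registered expectation will be classified RELATED by the second iptables rule.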