ip_conntrack_ftp is a kernel module, but I'm not sure if it is on my firewall or not. A person could just check "lsmod" to see if it is loaded or "modprobe ip_conntrack_ftp" to initiate. Where in the kernel options is the support for this module? Under networking perhaps?
Brian Kelsay
Brad <> 04/15/05 10:58AM >>>
Correct me if I'm wrong, but the simple firewall rules posted earlier would effectively break ftp. Wouldn't the unprivileged ports also be blocked? Wouldn't you need to specifically allow the unprivileged ports for either active or passive ftp? Wouldn't you need to allow outbound ports also? I don't remember all the rules posted, but I would think that the default rule would be to drop inbound and outbound unused ports.
Brian D.
The default policy for the OUTPUT chain is usually ACCEPT, so there is no need to open outbound ports specifically. The ACCEPT statement on the ESTABLISHED,RELATED line will allow connections to the unprivileged ports since they are related to the connection on port 21. I believe ip_conntrack_ftp helps with this.
Brad
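To make the rule set being discussed concrete, here is an added example (not code posted by anyone in this thread): a minimal stateful FTP firewall script in the iptables/ip_conntrack style of 2.4 and early 2.6 kernels, plus the lsmod check from the first message. It assumes the control port is 21, that the helper module is called ip_conntrack_ftp (later 2.6 kernels renamed it nf_conntrack_ftp; both names are accepted by the check), that the box is an FTP server or client behind the firewall, and that the script is run as root with APPLY=1; by default it only prints the commands it would run. The lsmod samples at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: APPLY=1 ./ftp-fw.sh
# actually installs the rules (requires root and iptables on the PATH).
APPLY="${APPLY:-0}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Return 0 if the FTP conntrack helper appears in the lsmod output passed
# as $1 (e.g. ftp_helper_loaded "$(lsmod)"). Matches the module name in the
# first column so "ip_conntrack" alone does not count as a hit.
ftp_helper_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
             END { exit !found }'
}

# The rule set from the thread: OUTPUT defaults to ACCEPT, INPUT drops
# everything except what conntrack ties to an existing session.
ftp_firewall() {
    # Load the helper first. Without it the data connection is NEW rather
    # than RELATED, so the DROP policy on INPUT kills it.
    run modprobe ip_conntrack_ftp

    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT        # no need to open outbound ports

    run iptables -A INPUT -i lo -j ACCEPT

    # Replies to our own connections (ESTABLISHED) plus anything the helper
    # links to the port-21 control channel (RELATED):
    #  - this box is an FTP client, active mode: the server connects inbound
    #    from its port 20 to the high port we announced with PORT
    #  - this box is an FTP server, passive mode: the client connects inbound
    #    to the high port we announced with PASV
    # Neither high port needs its own rule; the helper reads the port out of
    # the control-channel traffic and marks the data connection RELATED.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only explicit hole: new connections to the control port, needed
    # only if this box runs an FTP server.
    run iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Constructed lsmod samples (made up for this example, not from a real host).
LSMOD_WITH_HELPER='Module                  Size  Used by
ip_conntrack_ftp       71760  0
ip_conntrack          53600  1 ip_conntrack_ftp
iptable_filter          2432  1'
LSMOD_NO_HELPER='Module                  Size  Used by
ip_conntrack          53600  0
iptable_filter          2432  1'

# Stand-alone run: report on the helper and print (or apply) the rules.
if ftp_helper_loaded "$(lsmod 2>/dev/null)"; then
    echo "# FTP conntrack helper already loaded"
else
    echo "# FTP conntrack helper not loaded yet; modprobe below takes care of it"
fi
ftp_firewall
```

If the helper is missing, passive transfers from behind this firewall still work (the client opens them outbound and the replies are ESTABLISHED), but active transfers to a client and passive transfers to a server both die on the INPUT DROP policy; that is the breakage the question above is worried about, and it is the helper, not extra port rules, that fixes it.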
On Fri, 2005-04-15 at 12:02 -0500, Brian Kelsay wrote:
> ip_conntrack_ftp is a kernel module, but I'm not sure if it is on my firewall or not. A person could just check "lsmod" to see if it is loaded or "modprobe ip_conntrack_ftp" to initiate. Where in the kernel options is the support for this module? Under networking perhaps?
> Brian Kelsay
I am not sure on a 2.6 kernel but on 2.4 it was under the netfilter options.
Brad
> I am not sure on a 2.6 kernel but on 2.4 it was under the netfilter options.
In 2.6 it's under Device Drivers -> Networking Support -> Networking Options, where you'll find pretty much every netfilter option known to man.
Justin Dugger
On Fri, 15 Apr 2005, Brian Kelsay wrote:
> ip_conntrack_ftp is a kernel module, but I'm not sure if it is on my firewall or not. A person could just check "lsmod" to see if it is loaded or "modprobe ip_conntrack_ftp" to initiate. Where in the kernel options is the support for this module? Under networking perhaps?
It's pretty buried in 2.6 -
-> Device Drivers -> Networking support -> Networking support (NET [=y]) -> Networking options -> Network packet filtering (replaces ipchains) (NETFILTER [=y]) -> IP: Netfilter Configuration
My understanding of the ip_conntrack_ftp module is that it allows ftp connections from masqueraded IPs. In fact, I know that it does this, I don't know what else it might do. It is not necessary if you're ftp-ing with a real internet IP address.
Regards
-Don