> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
As a host based filter i would not use RELATED (and maybe not established)
at all. You should limit FTP-Servers Data-port bind range and allow that,
for the ftp user.
Limit ftp-bounce connections (no outgoing ftp data to a priveledged port)
and then you are fine.
Gruss
Bernd
--
(OO) -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
( .. ) ecki@{inka.de,linux.de,debian.org}
o--o 1024D/E383CD7E eckes@IRCNet v:+497211603874 f:+49721151516129
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
No comments:
Post a Comment