Thursday, September 01, 2005

Re: rules for FTP access

On Thu, Sep 01, 2005 at 01:15:54PM +0200, Ansgar -59cobalt- Wiechers wrote:
> Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
> would then have to be a --sport anyway, since the server initiates the
> data connection). Passive FTP uses TCP ports above 1023 for the data
> connection, which is initiated by the client. However, with connection
> tracking enabled, you only need to allow 21/tcp for either active or
> passive FTP, since the data connection will be RELATED to the already
> ESTABLISHED control connection.

I stand corrected. I somehow assumed that outbound connections would be
allowed to any port. But that doesn't make sense and was quite ignorant
of everything written in this thread, sorry.

--
Stephan
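
The quoted point about RELATED data connections, as an added example that is not part of the original messages and is not netfilter's code: a simplified Python model of how a tracker can read the FTP control channel on 21/tcp and expect only the announced data connection. The function names, addresses and session lines are constructed for illustration.

```python
import re

# Control-channel messages that announce a data endpoint as h1,h2,h3,h4,p1,p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed addresses
SESSION = [                                      # constructed control traffic
    ("c2s", "USER anonymous"),
    ("c2s", "PORT 192,0,2,10,195,80"),           # active: client listens on 50000
    ("s2c", "200 PORT command successful"),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,5,234,96)"),  # port 60000
]

def _endpoint(match):
    """Decode the six decimal fields into (ip, port); port = p1*256 + p2."""
    nums = [int(x) for x in match.groups()]
    if any(v > 255 for v in nums):
        raise ValueError("field out of range in PORT/227 argument")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expectations(control_lines, client_ip, server_ip):
    """Return expected data connections as (mode, src_ip, dst_ip, dst_port)."""
    expected = []
    for direction, line in control_lines:
        if direction == "c2s" and (m := PORT_RE.match(line)):
            ip, port = _endpoint(m)
            # Active FTP: the server initiates, towards the client's port.
            expected.append(("active", server_ip, ip, port))
        elif direction == "s2c" and (m := PASV_RE.match(line)):
            ip, port = _endpoint(m)
            # Passive FTP: the client initiates, towards a server port > 1023.
            expected.append(("passive", client_ip, ip, port))
    return expected

def classify(new_conn, expected):
    """new_conn is (src_ip, dst_ip, dst_port); only announced tuples are RELATED."""
    return "RELATED" if any(new_conn == e[1:] for e in expected) else "NEW"

if __name__ == "__main__":
    exp = expectations(SESSION, CLIENT, SERVER)
    for conn in [(CLIENT, SERVER, 60000), (CLIENT, SERVER, 60001)]:
        print(conn, classify(conn, exp))
```

A connection to any port that was not announced on the control channel stays NEW, so it is still subject to the rest of the ruleset.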
