> > 2) dynamic FTP-data connection rules. (attached file patch.ipchains.gz NOT
> > necessary for this!!! I repeat it!)
> > It is now possible to block _everything_ except for connections to port
> > 21@ftp-server, the necessary data-connections are allowed through 'on
> > demand', i.e. the code scans for the ftp PORT-command and creates a
> > dynamic rule that allows the data connection in. This rule times out like
> > masquerading rules.
>
> Nice :-)
>
> [...]
> > Packets are tested against ftp-data rules before all others. Tested are
> > only: src/dst IP and port and protocol. Those 5 values describe exactly
> > one connection, always and everywhere, and we already know we want to let
> > it through.
>
> Request: can we drop the "Packets are tested against ftp-data rules
> before all others" bit so we can call the ftp-data rule from wherever we
> want to in our rule-set (OK, I'm paranoid ;-)?
Done. But this time I didn't attach 10k... Did I post to too many lists?
No complaints so far, and I still think this subject is relevant for all
of them, but you never know...
The new version of the patch is at
http://www.csn.tu-chemnitz.de/~mha/patch.ftp-data-2.gz
Example of my rules used for testing this time (ipchains-save),
connections from test-host to one test ftp server:
:input ACCEPT
:forward ACCEPT
:output ACCEPT
:ftp-data -
-A input -s 10.0.0.1/255.255.255.255 21:21 -d 10.10.0.5/255.255.255.255 -i
eth1 -p 6 -j ACCEPT ! -y
-A input -s 10.0.0.1/255.255.255.255 20:20 -d 10.10.0.5/255.255.255.255 -i
eth1 -p 6 -j ftp-data
-A input -s 10.0.0.1/255.255.255.255 -d 10.10.0.5/255.255.255.255 -i eth1
-p 6 -j REJECT
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 21:21
-i eth1 -p 6 -j ACCEPT
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 20:20
-i eth1 -p 6 -j ftp-data
-A output -s 10.10.0.5/255.255.255.255 -d 10.0.0.1/255.255.255.255 -i eth1
-p 6 -j REJECT
-- SuSE Linux SuSE GmbH, Nuernberg, Germany http://www.suse.de/Michael Hasenstein http://www.csn.tu-chemnitz.de/~mha/ NAT: http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html Private Pilot (ASEL) since 1998
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/