> > resolve this problem? Something like a "smart" firewall, that records FTP
> > connections and only allows port 20 connections from already previously
> > established FTP connections.
>
> Maybe I missed something, but the module ip_masq_ftp.o does exactly
> this.

The ip_masq_ftp module handles the masquerading issues which are
associated with active-mode FTP. However, it doesn't do anything about
any input firewall rules.

> I am able to ftp from masqueraded workstations to outside ftp sites
> without setting PASV mode.

Then your firewall is less secure than it would be if it only
supported passive mode.

In short: active-mode FTP sucks. It requires that inbound TCP
connections be accepted. Passive mode FTP simply requires that
outbound TCP connections are permitted.

-- 
Glynn Clements <glynn@sensei.co.uk>
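As an added illustration (example code, not from this thread and not the ip_masq_ftp module), a toy Python model of the "smart" firewall the first poster asks about: outbound connections are always allowed (which is all passive mode needs), a control session to port 21 is tracked, a PORT command on that session announces the expected data connection, and an inbound SYN from port 20 is accepted only if it matches that announcement. The class and method names are hypothetical; the PORT syntax is the RFC 959 form.

```python
import re
from dataclasses import dataclass, field

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Return (ip, port) announced by an active-mode PORT command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = list(map(int, m.groups()))
    if any(not 0 <= x <= 255 for x in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

@dataclass
class FtpAwareFilter:
    """Default-deny for inbound SYNs, except data connections announced on a
    tracked control session (hypothetical model, not ip_masq_ftp itself)."""
    control: set = field(default_factory=set)   # (client_ip, server_ip)
    expected: set = field(default_factory=set)  # (server_ip, client_ip, client_port)

    def outbound_syn(self, src, dst, dport):
        """Outbound is always allowed (all passive mode needs); port 21 starts
        a tracked control session."""
        if dport == 21:
            self.control.add((src, dst))
        return True

    def control_command(self, client, server, line):
        """Learn the expected data connection from a PORT command on a
        tracked control channel; a PORT naming another host is refused."""
        if (client, server) not in self.control:
            return False
        announced = parse_port(line)
        if announced is None or announced[0] != client:
            return False
        self.expected.add((server, client, announced[1]))
        return True

    def inbound_syn(self, src, sport, dst, dport):
        """Accept an inbound SYN only from the server's data port 20 to a
        client port announced earlier; the entry is consumed once used."""
        key = (src, dst, dport)
        if sport == 20 and key in self.expected:
            self.expected.discard(key)
            return True
        return False
```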