[SLUG] FTP/Firewall Esoterica

From: Paul M Foster (paulf@quillandmouse.com)
Date: Mon Aug 13 2001 - 00:59:58 EDT


All you hardcore bitheads out there, this is one for you. I recently
changed my firewall from a hard drive resident one to floppyfw. The
floppyfw has a different set of ipchains rules. But when my wife
couldn't upload some files to our website, I started poking around. I
found I could do passive ftp, but not active ftp. Seems I've always been
able to do it in the past. But from looking at the firewall rules,
nothing relevant was being blocked that I could see, _except_ this:

ipchains -A input -p TCP -y -j DENY -d <isp gateway machine>

On the surface, this doesn't look like it would affect anything.
However, according to the firewall script comments, this has something
to do with "stealth". According to the ipchains man page, the -y flag
says that it only matches TCP packets with the SYN bit set and the ACK
and FIN bits cleared. Such packets are used to initiate TCP connections.

I set my wife's ftp connection to passive, and all went okay.

But my question is, would denying packets like this prevent an "active"
ftp session from occurring? If so, how?

Paul
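As an added example (not part of Paul's post or of the floppyfw scripts), the following Python model walks the FTP data-channel negotiation and shows which side sends the connection-opening SYN in active (PORT) versus passive (227) mode, then applies a `-y`-style DENY on inbound SYNs to each case. The addresses, ports and rule are constructed, and the model assumes the rule's `-d` address is the one the remote server would connect back to; whether that holds on the poster's network is not something the post settles.

```python
# Added example: models why a rule denying inbound TCP SYNs (ipchains -y)
# breaks active FTP while leaving passive FTP untouched.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str      # ipchains chain, here "input"
    syn_only: bool  # the -y flag: match only SYN set, ACK and FIN clear
    dst: str        # the -d address
    target: str     # DENY, ACCEPT, ...


def parse_hostport(spec: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    parts = [int(x) for x in spec.strip("(). ").split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed FTP host/port: {spec!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def data_connection(client_ip: str, server_ip: str, control_line: str):
    """Return (initiator_ip, target_ip, target_port) for the data channel.
    Active: the client sends PORT and the *server* opens the connection.
    Passive: the server answers 227 and the *client* opens the connection."""
    if control_line.upper().startswith("PORT "):
        host, port = parse_hostport(control_line[5:])
        return server_ip, host, port
    if control_line.startswith("227"):
        host, port = parse_hostport(control_line[control_line.index("("):])
        return client_ip, host, port
    raise ValueError("not a data-channel negotiation line")


def syn_allowed(rules, syn_dst: str, inbound: bool) -> bool:
    """First-match walk of the input chain for a new connection's SYN."""
    for r in rules:
        if r.chain == "input" and inbound and r.syn_only and r.dst == syn_dst:
            return r.target != "DENY"
    return True  # default policy ACCEPT, assumed for this constructed example


def ftp_data_ok(rules, client_ip: str, server_ip: str, control_line: str):
    """(allowed?, initiator, port) for the data channel negotiated on the line."""
    initiator, dst, port = data_connection(client_ip, server_ip, control_line)
    inbound = initiator == server_ip   # the SYN would arrive from outside
    return syn_allowed(rules, dst, inbound), initiator, port


# Constructed sample: 192.0.2.10 is "our" address, 198.51.100.5 the FTP server.
DENY_INBOUND_SYN = [Rule("input", True, "192.0.2.10", "DENY")]
```

Run with `ftp_data_ok(DENY_INBOUND_SYN, "192.0.2.10", "198.51.100.5", "PORT 192,0,2,10,4,1")` and the passive `227 Entering Passive Mode (198,51,100,5,195,80).` reply to compare the two modes against the same rule.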



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:12:42 EDT