Re: [SLUG] FTP/Firewall Esoterica

From: billt (billt@ifelse.org)
Date: Mon Aug 13 2001 - 08:29:51 EDT


On Mon, Aug 13, 2001 at 12:59:58AM -0400, Paul M Foster wrote:
> found I could do passive ftp, but not active ftp. Seems I've always been
> able to do it in the past. But from looking at the firewall rules,
> nothing relevant was being blocked that I could see, _except_ this:
>
> ipchains -A input -p TCP -y -j DENY -d <isp gateway machine>
>
> [ snip ]
>
> I set my wife's ftp connection to passive, and all went okay.
>
> But my question is, would denying packets like this prevent an "active"
> ftp session from occurring? If so, how?

Active ftp sessions involve the ftp server connecting back to your
machine on a certain port to send data streams (like the output of
'ls' or 'get'). The -y flag to ipchains blocks this connection attempt.

With passive ftp, the ftp server tells your client which port it
is listening on with the data stream and the client connects to it.
Since -y only drops connection-initiating packets, the packets that
are part of an existing connection are allowed through.
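An added example (not from the thread) modelling the rule in Python: the -y test is "SYN set, ACK clear", so it matches only the first packet of a new inbound connection. It assumes the <isp gateway machine> in the quoted rule stands for the client's own external address, that the chain's default policy is ACCEPT, and uses constructed addresses and ports.

```python
from dataclasses import dataclass

# Constructed addresses; the firewall host is the ftp client in the thread.
CLIENT = "192.0.2.10"       # the client's external address (assumed to be the rule's -d target)
SERVER = "198.51.100.21"    # the remote ftp server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

def matches_y(p: Packet) -> bool:
    """ipchains -p TCP -y: SYN set with ACK clear, i.e. a connection-initiating packet."""
    return p.syn and not p.ack

def input_chain(p: Packet) -> str:
    """Models 'ipchains -A input -p TCP -y -j DENY -d <addr>' with <addr> = CLIENT."""
    if p.dst == CLIENT and matches_y(p):
        return "DENY"
    return "ACCEPT"          # default policy assumed to be ACCEPT

def inbound_active_ftp(data_port: int = 1050):
    """Packets arriving at the client during an active-mode transfer."""
    return [
        Packet(SERVER, CLIENT, 21, 1049, syn=True, ack=True),  # SYN/ACK to our control SYN
        Packet(SERVER, CLIENT, 20, data_port, syn=True),       # server opens the data connection
    ]

def inbound_passive_ftp(pasv_port: int = 42000):
    """Packets arriving at the client during a passive-mode transfer."""
    return [
        Packet(SERVER, CLIENT, 21, 1049, syn=True, ack=True),         # SYN/ACK to control SYN
        Packet(SERVER, CLIENT, pasv_port, 1050, syn=True, ack=True),  # SYN/ACK to our data SYN
    ]

def verdicts(packets):
    """(sport, dport, verdict) for each inbound packet run through the chain."""
    return [(p.sport, p.dport, input_chain(p)) for p in packets]

if __name__ == "__main__":
    print("active :", verdicts(inbound_active_ftp()))   # data SYN from port 20 is DENY
    print("passive:", verdicts(inbound_passive_ftp()))  # every packet is ACCEPT
```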
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:12:54 EDT