>So is there a way I can have the firewall detect that *I* am
>requesting an FTP session and then automatically open up the port
>I'm FTPing to for 2-way traffic?
What's the benefit of ftp'ing to a non-standard port?
Here's the ftp client section of my ipchains script:
# FTP client (21)
# ---------------
# Control channel: outgoing connection from a local unprivileged port to
# the server's port 21.  The reply rule carries "! -y", so no inbound SYN
# is accepted on this pair.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         --source-port 21 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

# PORT mode data channel: the server connects from its port 20 back to a
# local unprivileged port, so the inbound rule here must allow the SYN.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         --source-port 20 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 20 -j ACCEPT

# PASSIVE mode data channel creation: the client connects from a local
# unprivileged port to whichever unprivileged port the server announced.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         --source-port $UNPRIVPORTS \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT
Where:
EXTERNAL_INTERFACE="eth0" # Internet connected interface
IPADDR="xx.xx.xx.xx" # your IP address
UNPRIVPORTS="1024:65535" # unprivileged port range
--
Thought for the day:
<http://mysite.directlink.net/matthews/smiles/started.htm>
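The six ipchains rules in the post, walked by a small POSIX sh simulator. This is an added example, not part of the original message or the poster's script. It assumes a default DENY policy on both chains (the post does not say), a packet on the external interface whose local end is $IPADDR, and the 1024:65535 unprivileged range from the post; the packets it checks are constructed for the example. The point worth seeing is the PORT-mode rule: because the FTP server initiates the data connection, that rule has to accept an inbound SYN from source port 20, so any remote host that sends from port 20 can reach every local unprivileged port. That is the usual objection to static FTP rules and the reason the quoted question asks for something that follows the control session instead.

```shell
# Added example (not the poster's code): emulate the verdict of the static
# FTP-client ruleset for one TCP packet.  Assumed: both chains default to
# DENY, every packet is on $EXTERNAL_INTERFACE, local address is $IPADDR.
# Usage: ftp_verdict <input|output> <syn:1|0> <sport> <dport>
# Prints ACCEPT or DENY.  Ports are as ipchains sees them: for an "input"
# packet sport is the remote port, for an "output" packet sport is local.
UNPRIV_LO=1024
UNPRIV_HI=65535

is_unpriv() {
    [ "$1" -ge "$UNPRIV_LO" ] && [ "$1" -le "$UNPRIV_HI" ]
}

ftp_verdict() {
    chain=$1 syn=$2 sport=$3 dport=$4
    case "$chain" in
    output)
        # control request: local unpriv -> remote 21, SYN allowed
        if is_unpriv "$sport" && [ "$dport" -eq 21 ]; then
            echo ACCEPT; return
        fi
        # PORT-mode data replies: local unpriv -> remote 20, never a SYN
        if [ "$syn" -eq 0 ] && is_unpriv "$sport" && [ "$dport" -eq 20 ]; then
            echo ACCEPT; return
        fi
        # PASV data channel creation: local unpriv -> remote unpriv, SYN allowed
        if is_unpriv "$sport" && is_unpriv "$dport"; then
            echo ACCEPT; return
        fi
        ;;
    input)
        # control replies: remote 21 -> local unpriv, never a SYN
        if [ "$syn" -eq 0 ] && [ "$sport" -eq 21 ] && is_unpriv "$dport"; then
            echo ACCEPT; return
        fi
        # PORT-mode data channel: remote 20 -> local unpriv, SYN allowed.
        # This is the hole: nothing ties it to an open control session.
        if [ "$sport" -eq 20 ] && is_unpriv "$dport"; then
            echo ACCEPT; return
        fi
        # PASV data replies: remote unpriv -> local unpriv, never a SYN
        if [ "$syn" -eq 0 ] && is_unpriv "$sport" && is_unpriv "$dport"; then
            echo ACCEPT; return
        fi
        ;;
    esac
    echo DENY
}

# Constructed packets: a normal control-channel SYN, a control reply, and an
# inbound SYN from source port 20 aimed at a local unprivileged port, which
# passes whether or not an FTP session is actually in progress.
ftp_verdict output 1 40000 21
ftp_verdict input  0 21 40000
ftp_verdict input  1 20 40000
```

Run it with `sh` and it prints ACCEPT three times; the third line is the one a port scanner sourcing from 20 gets for free. Changing the PORT-mode rule is not a fix by itself, since active-mode FTP needs exactly that SYN; the alternatives are to use passive mode only and drop the two PORT-mode rules, or to use a firewall that tracks the control session and opens the data port per connection.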