Wednesday, July 22, 2009

SuSE FTP masquerading

For those in the know, enabling masquerading for certain machines and ports in SuSEfirewall2 is relatively straightforward (enable masquerading, then allow the address(es) and port in the config file), but this doesn't work for FTP. The reason is that the FTP protocol doesn't use just one channel but several, and these are negotiated on the fly, so the firewall has no way of knowing which ports to open. It can know, though, if you load two firewall modules, ip_conntrack_ftp and ip_nat_ftp, which you enable in the FW_LOAD_MODULES option. This all works for a passive FTP connection; if it's active, you may have to open a wider port range for the addresses in question.
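As an added example (not from the original post, and not a SuSE-supplied file), here is what the relevant part of /etc/sysconfig/SuSEfirewall2 looks like for masquerading FTP from one internal LAN; the interface names and addresses are assumptions.

```shell
# /etc/sysconfig/SuSEfirewall2 (excerpt; constructed example, interface
# names and addresses are assumptions)

# eth0 faces the Internet, eth1 faces the LAN; forwarding must be enabled
# for masquerading to do anything at all.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"

# Let the LAN reach outside FTP servers (tcp/21) through the masquerade.
# Format: source_net,dest_net,protocol,port
FW_MASQ_NETS="192.168.1.0/24,0/0,tcp,21"

# The rule above only lets the control channel (port 21) out. The data
# channel is negotiated inside the FTP conversation, so without helpers the
# firewall never sees a rule that matches it and the transfer hangs.
# ip_conntrack_ftp reads the PORT/PASV exchange and tracks the data
# connection as related to the control one; ip_nat_ftp rewrites the address
# embedded in that exchange so it matches the masqueraded one.
# (Kernels from about 2.6.20 on call these nf_conntrack_ftp and nf_nat_ftp.)
FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
```

After editing, restart the firewall with `rcSuSEfirewall2 restart` and confirm the helpers loaded with `lsmod | grep ftp`.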

