From 81ae1bf7f6e1faef6fc20f77359a15833d311ab6 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 31 Aug 2005 14:40:40 +0000 Subject: [PATCH] A little editing git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2603 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/FTP.xml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/Shorewall-docs2/FTP.xml b/Shorewall-docs2/FTP.xml index 8d53df062..74d15bd9c 100644 --- a/Shorewall-docs2/FTP.xml +++ b/Shorewall-docs2/FTP.xml @@ -15,7 +15,7 @@ - 2005-03-03 + 2005-08-31 2003 @@ -38,6 +38,13 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that + release. + +
FTP Protocol @@ -314,7 +321,15 @@ DNAT ACTION = with 20 (ftp-data) in the PORT(S) column. If you post your rules on the mailing list and they show 20 in the PORT(S) column, I will know that you haven't read this article and I will either ignore your post or tell you - to RTFM. + to RTFM. + + Shorewall includes an FTP macro that simplifies creation of FTP + rules. The macro source is in + /usr/share/shorewall/macro.FTP. Using the macro is + the preferred way to generate the rules described above. Here are a couple + of examples. + + Server running behind a Masquerading Gateway Suppose that you run an FTP server on 192.168.1.5 in your local @@ -322,13 +337,13 @@ DNAT ACTION = #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -FTP/DNAT net 192.168.1.5 +FTP/DNAT net loc:192.168.1.5 Allow your DMZ FTP access to the Internet #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL # PORT(S) DESTINATION -FTP/ACCEPT dmz net +FTP/ACCEPT dmz net Note that the FTP connection tracking in the kernel cannot handle
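Review bot: The notice added in the @@ -38,6 +38,13 @@ hunk writes the version boundary two ways, "Shorewall 3.0 and later" and "earlier than Shorewall 3.0.0"; use one form so the cutoff is unambiguous. "please see the documentation for that release" also gives the reader nowhere to go. A link or path to the older FTP article would keep users of earlier releases from copying the macro-based rules further down into a version this article says it does not cover.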
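Review bot: The macro paragraph added in the @@ -314,7 +321,15 @@ hunk calls the macro "the preferred way to generate the rules described above" but never states which rules it generates. It follows directly on the warning about 20 (ftp-data) in the PORT(S) column, so add one sentence giving the protocol and port(s) that macro.FTP expands to. Readers can then confirm, without opening /usr/share/shorewall/macro.FTP, that no separate ftp-data rule belongs next to it.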
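Review bot: In the @@ -322,13 +337,13 @@ hunk the "FTP/ACCEPT dmz net" line is removed and re-added with no difference visible here, which looks like a whitespace-only change; drop it from the patch or make the intent explicit. The other change in this hunk, 192.168.1.5 to loc:192.168.1.5 in the DESTINATION column of the FTP/DNAT rule, corrects the example rule itself, not its wording, and the subject "A little editing" hides that. Mention the zone-prefix fix in the commit message so anyone who copied the old example can find it.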