From 9bc8b977ea089d37328600c45348830bca086fc2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 17 Sep 2007 18:10:14 +0000
Subject: [PATCH] Make FTP article more foolproof
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7354 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/FTP.xml | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)
diff --git a/docs/FTP.xml b/docs/FTP.xml
index c9275b2c0..3619da616 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -41,9 +41,9 @@
- This article applies to Shorewall 3.0 and
+ This article applies to Shorewall 4.0 and
 later. If you are running a version of Shorewall earlier than Shorewall
- 3.0.0 then please see the documentation for that
+ 4.0.0 then please see the documentation for that
 release.
@@ -188,7 +188,7 @@ ftp>
 that the modules ip_conntrack_ftp and ip_nat_ftp need to be loaded. Shorewall automatically loads these helper modules from
- /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/
+ /lib/modules/<kernel-version>/kernel/net/netfilter/
 and you can determine if they are loaded using the lsmod command. The <kernel-version> may be obtained by typing
@@ -196,13 +196,11 @@ ftp>
 uname -r
- Note: If you are running kernel 3.6.20 or later, then the module
- names are nf_nat_ftp and nf_conntrack_ftp and they are normally loaded
+ Note: If you are running kernel 3.6.19 or earlier, then the module
+ names are ip_nat_ftp and ip_conntrack_ftp and they are normally loaded
 from
- /lib/modules/<kernel-version>/kernel/net/netfilter/.
- Shorewall version 3.2.10 or later is required if you wish these modules
- to be loaded automatically by Shorewall.
+ /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/.
@@ -294,12 +292,12 @@ xt_tcpudp 3328 0
 FTP on Non-standard Ports
- If you are running kernel 2.6.20 or
- later, replace ip_conntrack_ftp with nf_conntrack_ftp in the following instructions.
- Similarly, replace ip_nat_ftp with
- nf_nat_ftp.
+ If you are running kernel 2.6.19 or
+ earlier, replace nf_conntrack_ftp with ip_conntrack_ftp in the following instructions.
+ Similarly, replace nf_nat_ftp with
+ ip_nat_ftp.
 The above discussion about commands and responses makes it clear
@@ -318,8 +316,8 @@ xt_tcpudp 3328 0
 access a server on the internet that listens on that port then you would have:
- loadmodule ip_conntrack_ftp ports=21,49
-loadmodule ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!
+ loadmodule nf_conntrack_ftp ports=21,49
+loadmodule nf_nat_ftp # NOTE: With kernels prior to 2.6.11, you must specify the ports on this line also
 you MUST include port 21 in the ports list or you may have
@@ -330,8 +328,8 @@ loadmodule ip_nat_ftp ports=21,49 # NOTE: This is not necessary with k
 before Shorewall starts, then you should include the port list in /etc/modules.conf:
- options ip_conntrack_ftp ports=21,49
-options ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!
+ options nf_conntrack_ftp ports=21,49
+options nf_nat_ftp
 Once you have made these changes to /etc/shorewall/modules
@@ -341,7 +339,7 @@ options ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kern
 Unload the modules and restart shorewall:
- rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart
+ rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart