[Shorewall-users] my problem with running a passive FTP server in DMZ

Tom Eastep teastep at shorewall.net
Tue Jun 17 23:52:22 PDT 2003


On Tue, 2003-06-17 at 07:02, Tom Eastep wrote:

> 
> I told you the first time and I'll tell you only once more -- DO NOT
> SPECIFY A MASQUERADE IP ADDRESS TO YOUR FTP SERVER.

I apologize if it wasn't you that I made this point to recently.

FTP servers permit specifying the external IP address of the firewall to
compensate for broken/stupid firewalls that don't handle FTP as well as
Netfilter does. With Netfilter, using this FTP server facility actually
breaks the firewall's handling of FTP.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
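
An added illustration of the point in the message above (not part of the original post, and not Shorewall or Netfilter code): a simplified Python model of a NAT FTP helper that, like the Linux conntrack FTP helper without its `loose` option, only acts on a 227 reply whose embedded address is the server's own. The addresses, port and function names are constructed for the example.

```python
import re
from ipaddress import ip_address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def helper_rewrite(reply, server_ip, firewall_ip):
    """Model of the firewall's FTP helper (assumed behaviour, simplified).

    Returns (reply_seen_by_client, data_port_the_firewall_now_expects).
    A port of None means no expectation was recorded, so the firewall
    neither opens nor forwards the passive data connection."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    ip, port = parsed
    if ip != ip_address(server_ip):
        # Embedded address is not the server's real address (for example
        # a masquerade address set on the FTP server): leave it alone.
        return reply, None
    octets = firewall_ip.replace(".", ",")
    rewritten = "227 Entering Passive Mode (%s,%d,%d)" % (octets, port >> 8, port & 255)
    return rewritten, port

# Constructed sample values: DMZ server and firewall external address.
SERVER, FIREWALL = "192.168.2.10", "203.0.113.1"
HONEST = "227 Entering Passive Mode (192,168,2,10,195,80)"
MASQUERADED = "227 Entering Passive Mode (203,0,113,1,195,80)"

if __name__ == "__main__":
    for label, reply in (("server reports own IP", HONEST),
                         ("server reports masquerade IP", MASQUERADED)):
        seen, port = helper_rewrite(reply, SERVER, FIREWALL)
        print("%-30s client sees %r, firewall expects port %s" % (label, seen, port))
```

In both cases the client is told to connect to 203.0.113.1 port 50000, but only in the first case has the firewall recorded that port as an expected data connection for the server.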


