> really 2 patches:
> 1) added numbering of ipchain rules [snip]
Thank you :-)
> 2) dynamic FTP-data connection rules. (attached file patch.ipchains.gz NOT
> necessary for this!!! I repeat it!)
> It is now possible to block _everything_ except for connections to port
> 21@ftp-server, the necessary data-connections are allowed through 'on
> demand', i.e. the code scans for the ftp PORT-command and creates a
> dynamic rule that allows the data connection in. This rule times out like
> masquerading rules.
Nice :-)
[...]
> Packets are tested against ftp-data rules before all others. Tested are
> only: src/dst IP and port and protocol. Those 5 values describe exactly
> one connection, always and everywhere, and we already know we want to let
> it through.
Request: can we drop the "Packets are tested against ftp-data rules
before all others" bit so we can call the ftp-data rule from wherever we
want to in our rule-set (OK, I'm paranoid ;-)?
Thanks,
Neale.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
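The mechanism the quoted patch describes (scan the control connection for the FTP PORT command, derive the one data connection it announces, and admit that connection through a rule that expires) can be sketched in a few lines. The following is an added illustration written for this page, not code from the patch or from ipchains: it parses the PORT command, builds the five-value match (protocol, source/destination IP and port) the quoted text refers to, and keeps the dynamic rules in a table with a masquerade-style timeout. The sample addresses, the 20 data port of active-mode FTP, the check that the advertised address belongs to the client that sent the command, and the refusal of low ports are all assumptions made here for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Active-mode FTP announces the client's data endpoint as
# "PORT h1,h2,h3,h4,p1,p2", with the port encoded as p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)

FTP_DATA_PORT = 20  # the server side of an active-mode data connection


@dataclass(frozen=True)
class DynRule:
    """The five values that identify exactly one data connection."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str, client_ip: str, server_ip: str) -> Optional[DynRule]:
    """Turn a PORT command seen on a client->server control connection into
    the rule that lets the matching inbound data connection through.
    Returns None for anything that is not a usable PORT command."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # not a valid dotted quad / port encoding
    advertised_ip = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    # Assumption for this example: only open a hole towards the host that owns
    # the control connection, and only for an ephemeral port, so the helper
    # cannot be used to admit traffic to some other host or service.
    if advertised_ip != client_ip or port < 1024:
        return None
    # Data connection flows from server:20 to the client's announced port.
    return DynRule("tcp", server_ip, FTP_DATA_PORT, client_ip, port)


class DynRuleTable:
    """Dynamic rules with an expiry, in the spirit of masquerading entries."""

    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s
        self._expiry: Dict[DynRule, float] = {}

    def add(self, rule: DynRule, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        self._expiry[rule] = now + self.timeout_s

    def _expire(self, now: float) -> None:
        for stale in [r for r, t in self._expiry.items() if t <= now]:
            del self._expiry[stale]

    def allows(self, proto: str, src_ip: str, src_port: int,
               dst_ip: str, dst_port: int, now: Optional[float] = None) -> bool:
        """Match a packet on the five values only; nothing else is consulted."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        return DynRule(proto, src_ip, src_port, dst_ip, dst_port) in self._expiry


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 talks to server 192.0.2.10 and
    # announces port 4*256+1 = 1025 for the next transfer.
    table = DynRuleTable(timeout_s=30.0)
    rule = parse_port_command("PORT 10,0,0,5,4,1", "10.0.0.5", "192.0.2.10")
    table.add(rule, now=0.0)
    print(rule)
    print(table.allows("tcp", "192.0.2.10", 20, "10.0.0.5", 1025, now=10.0))
    print(table.allows("tcp", "192.0.2.10", 20, "10.0.0.5", 1025, now=40.0))
```

Because the lookup key is the full five-value tuple, a connection from the same server but a different source port, or to a port the client never announced, is not matched, which is exactly why the quoted text argues those five values suffice.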