Related (to what?)

Norbert Veber nveber@primusolutions.net
Thu, 5 Jul 2001 10:03:12 -0400


On Thu, Jul 05, 2001 at 02:19:45AM -0300, Harald Welte wrote:
> On Sat, Jun 30, 2001 at 02:28:09PM -0400, Norbert Veber wrote:
> > Hi,
> > 
> > I am trying to figure out the iptables syntax to match connections related
> > to an ftp connection ONLY.
> 
> there is no such syntax. The connection tracking module lives independent
> from iptables, and all information exposed is just the state.

I didn't think it could be done, but I wasn't 100% sure.

> However, usually ftp data connections originate from port 20 on the ftp
> server (at least for active ftp) so you could do something like established
> and source (or destination) port == 20.

Yeah, as I mentioned in my original message, I'm already doing that for
ftp-data, and www.  But if someone doesn't want to have their download speed
limited, they can just switch to passive ftp, and eat up the entire
connection.

> 
> This kind of feature might be possible in some future, it is a by-product
> of some other netfilter stuff i'm working on right now.

Ahh, great.  I think that would be a useful feature to have.  Right now, I
can live with matching all outgoing RELATED traffic, because I only have
ip_conntrack_ftp loaded.  I was planning to use some others though when they
become available in the mainstream kernel.

Thanks,

Norbert
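The two rule shapes discussed above, written out as a dry-run script. This is an added example, not from the original thread or the netfilter project; the mangle table, PREROUTING chain, and the fwmark value consumed by a shaping class are assumptions. The script prints each rule and only executes it when APPLY=1 is set and an iptables binary is present.

```shell
#!/bin/sh
# Added example: rule shapes from the thread as a dry-run generator.
# Table, chain and the fwmark value are assumptions, not from the thread.

IPT="${IPT:-iptables}"
MARK="${MARK:-10}"   # assumed fwmark that a tc class (not shown) would rate-limit

# Harald's suggestion: active-mode FTP data comes from server port 20, so
# ESTABLISHED plus source port 20 approximates "related to ftp".
# Caveat from the thread: passive-mode data connections use a server-chosen
# high port, so this rule never sees them.
ftp_active_data_rule() {
    echo "$IPT -t mangle -A PREROUTING -p tcp --sport 20 -m state --state ESTABLISHED -j MARK --set-mark $MARK"
}

# The only purely state-based alternative: every RELATED connection, whatever
# conntrack helper (ip_conntrack_ftp or any other loaded helper) created it.
all_related_rule() {
    echo "$IPT -t mangle -A PREROUTING -m state --state RELATED -j MARK --set-mark $MARK"
}

# Select a rule shape; the rule text goes to stdout.
ftp_data_rules() {
    case "${1:-active}" in
        active)  ftp_active_data_rule ;;
        related) all_related_rule ;;
        *) echo "usage: ftp_data_rules active|related" >&2; return 1 ;;
    esac
}

# Print a rule, and run it only when explicitly asked and iptables exists.
apply_rule() {
    rule="$(ftp_data_rules "$1")" || return 1
    echo "$rule"
    if [ "${APPLY:-0}" = "1" ] && command -v "$IPT" >/dev/null 2>&1; then
        $rule
    fi
}

apply_rule active
apply_rule related
```

Run with APPLY=1 on a host with iptables to actually install the rules; without it the script only shows what would be added.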