LinuxQuestions.org

Proftpd passive connections (https://www.linuxquestions.org/questions/linux-networking-3/proftpd-passive-connections-454152/)

gabsik 06-12-2006 06:51 PM

Proftpd passive connections
 
I stopped passive connections, they open too big a hole in my firewall (60000:65535). So to stop it I'm using:
Quote:

<Global>
<Limit EPSV PASV>
Deny All
</Limit>
</Global>
taken from proftpd.org ... but I can't connect anymore to my FTP ... My question is: how important are passive connections in FTP? Second: can I, by using connection tracking in iptables, do without opening a hole of 55535 ports??
Thanks.

gabsik 06-14-2006 09:02 PM

I don't think I'm asking the world ... (lots of my posts stay at 0 ...)
Anyway I saw passive connections are important for FTP; the problem is in the firewall script for an FTP server behind NAT.
On proftpd I have PassivePorts 60000 65534
Quote:

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
$IPT -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 60000:65534 --to 192.168.1.6:60000:65534
of course that's wrong:
Quote:

iptables v1.2.11: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
How do I make a PREROUTING rule for a range of ports???
Simple, isn't it???

Notwerk 06-15-2006 03:23 AM

Your firewall rule doesn't tell iptables what to do with packets that match it. So you'll need to add an "if-the-packet-matches-DO-SOMETHING". This *something*, I'm assuming, is DNATing. So here's how the rule should look:
Code:

# DNAT the passive range to the FTP server (192.168.1.6 in the posts above);
# the option the DNAT target takes is --to-destination
$IPT -t nat -I PREROUTING -i eth0 -d 192.168.0.2 -p tcp --dport 60000:65534 -j DNAT --to-destination 192.168.1.6

gabsik 06-16-2006 08:23 PM

That's how I'm doing it and my FTP doesn't work .... STILL!
Quote:

$IPT -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 60000:65534 -j DNAT --to 192.168.1.6:60000-65534
Would you give it a try? ftp://ftp.gabrix.ath.cx, feel free.
I missed -j DNAT in the post, not in reality, but still ... I would avoid passive connections, too many ports to open.
It would be nice to have a module allowing FTP-related connections, with whatever is not related dropped by the iptables default. (???)
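
gabsik asks at the top whether connection tracking can replace the open port range, and here for a module that admits FTP-related connections and lets everything else fall to the default DROP. That is exactly what the kernel's FTP conntrack helper plus a RELATED,ESTABLISHED rule does. The script below is an added example, not anything posted in this thread. It assumes the topology implied by gabsik's rules (outside interface eth0 at 192.168.0.2, FTP server at 192.168.1.6) and that proftpd on the server still has PassivePorts 60000 65534 set; the variable names, function names and the show/apply arguments are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: forward FTP to a server behind NAT
# and let the kernel's FTP connection-tracking helper admit the passive data
# connection of each session, instead of holding 60000:65534 open for everyone.
#
# Assumed topology (the thread does not state it fully): eth0 is the router's
# outside interface with address 192.168.0.2, the FTP server is 192.168.1.6,
# and proftpd on it keeps "PassivePorts 60000 65534" (the helper follows the
# port the server announces in its 227 reply; it does not choose one).
# IPT defaults to iptables. Set IPT=echo to print the rules instead of loading
# them, which is how the rule set can be reviewed without root.

IPT="${IPT:-iptables}"
WAN_IF="eth0"
WAN_IP="192.168.0.2"
FTP_SERVER="192.168.1.6"

load_ftp_helpers() {
    # The conntrack helper parses PORT/PASV/EPSV on the control channel and
    # registers the expected data connection as RELATED; the NAT helper also
    # rewrites the private address in the server's 227 reply. The ip_* names
    # are the 2.6-era ones from the thread, nf_* are the current ones.
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
}

# The thread's approach, kept here for contrast: a static DNAT plus FORWARD
# accept for the whole passive range. It works, but the 5535 ports are
# reachable by anyone at any time, FTP session or not.
static_range_rules() {
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport 21 -j DNAT --to-destination "$FTP_SERVER:21"
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport 60000:65534 -j DNAT --to-destination "$FTP_SERVER"
    "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 21 -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 60000:65534 -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Helper-based approach: only port 21 is statically forwarded; data
# connections are admitted per session as RELATED.
helper_rules() {
    # Control channel: static DNAT, as before.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport 21 -j DNAT --to-destination "$FTP_SERVER:21"

    # Kernels since 4.7 do not attach helpers automatically
    # (net.netfilter.nf_conntrack_helper=0), so bind the ftp helper to this
    # flow explicitly. Binding it only to port 21 keeps the parser, which
    # reads untrusted client/server text, off every other TCP stream.
    "$IPT" -t raw -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 21 \
        -j CT --helper ftp

    "$IPT" -P FORWARD DROP
    # New control connections to the server only.
    "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Data channels arrive as RELATED (expectation set by the helper) and then
    # ESTABLISHED; the expectation also carries the DNAT, so no range rule.
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

case "${1:-}" in
    apply) load_ftp_helpers; helper_rules ;;
    show)  IPT=echo; helper_rules ;;
esac
```

Invoked with `show` the script prints the helper-based rule set through `IPT=echo`; with `apply` it loads the helper modules and installs the rules. Two caveats a practitioner should keep in mind: the helper can only read a plaintext control channel, so with FTPS (TLS on port 21) it never sees the 227 reply and you are back to a static range, which should then be as small as the expected number of concurrent transfers allows; and the RELATED rule accepts whatever any loaded helper expects, so load only the helpers you actually need and bind them as narrowly as the raw-table rule above does.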

Notwerk 06-17-2006 02:08 AM

Tried to connect to the link provided, but no go.

Could you provide more details about your setup:
1) There seem to be 2 private networks (192.168.0.0 & 192.168.1.0), is this correct?

Quote:

...the problem is on the firewall script for a ftp server behind NAT
2) Are you applying the firewall rules at the router?

3) Did you try this?
Code:

... -j DNAT --to-destination 192.168.1.6

gabsik 06-18-2006 06:18 AM

I have configured proftpd PassivePorts 60000:65534; on the router, ports 20, 21 and 60000:65534 are open (???); the linuxbox has default INPUT DROP and all these ports are allowed in PREROUTING and DNATted to the FORWARD chain where of course they are all allowed ... proftpd looks easy ...

