On Monday 01 April 2002 07:32 pm, you wrote:
> Hello !
>
> First of all, a big thanks for the shorewall script ! Works magnificent !
>
> Now a small question... Does the shorewall firewall support active
> connection tracking ?
> A friend of mine cannot use active ftp from a PC behind her gateway, and I
> was wondering if recompiling a kernel that supports active connection
> tracking would solve the problem...
>
I'd be very surprised if your kernel doesn't already have support for
masquerading active FTP.
Usually vendors include ftp masquerade support in the form of two modules:
ip_conntrack_ftp.o and ip_nat_ftp.o. These modules can normally be found in
the directory:
/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/
Note: the "`"'s are the character at the upper left corner of your keyboard.
In /etc/shorewall/shorewall.conf is the variable MODULESDIR which may be used
to specify a different directory.
The file /etc/shorewall/modules contains the commands to load those modules
when Shorewall is started.
So the first thing that you should do is run /sbin/lsmod to see if the
modules are already loaded; if they are, then we have a more interesting
problem.
Assuming that the modules aren't loaded, check to see if the modules are in
their normal directory as described above.
If the modules ARE there, check /etc/shorewall/shorewall.conf to be sure that
the MODULESDIR variable is empty.
Let us know what you find,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
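
The checks described in the reply above, gathered into one script as an added example (not part of the original message and not Shorewall's own code). The function names and the CONF and PROC_MODULES overrides are assumptions of this example; /proc/modules is the file that lsmod reads.

```shell
#!/bin/sh
# Added example: is FTP connection-tracking/NAT support loaded, and if not,
# is it on disk where Shorewall will look for it?
CONF=${CONF:-/etc/shorewall/shorewall.conf}
PROC_MODULES=${PROC_MODULES:-/proc/modules}   # the data behind /sbin/lsmod

# Print the MODULESDIR value from shorewall.conf (empty if unset or blank).
modulesdir_setting() {
    sed -n 's/^[[:space:]]*MODULESDIR=\([^#]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"' "
}

# Succeed if module $1 appears in the lsmod-style listing in file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# Succeed if the object file for module $1 exists in directory $2.
module_on_disk() {
    [ -f "$2/$1.o" ]
}

# Print one verdict per module, following the order of checks in the message.
check_ftp_helper() {
    dir=$(modulesdir_setting "$CONF")
    # An empty MODULESDIR means the normal per-kernel directory is used.
    [ -n "$dir" ] || dir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
    for m in ip_conntrack_ftp ip_nat_ftp; do
        if module_loaded "$m" "$PROC_MODULES"; then
            echo "$m: loaded"
        elif module_on_disk "$m" "$dir"; then
            echo "$m: not loaded, present in $dir"
        else
            echo "$m: not loaded, missing from $dir"
        fi
    done
}

check_ftp_helper
```

A module reported as present but not loaded points at /etc/shorewall/modules; one reported as missing while MODULESDIR is non-empty points at that setting.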