Technical data

3. Base conﬁguration

By this rule it is expressed that all FTP connections coming from the DSL interface (pppoe)

are associated to the conntrack helper.

If the router is not dialing, but e.g. is behind another router (Fritz! box, cable modem,

a.s.o.) the following rules can be used:

PF_PREROUTING_CT_N='1'

PF_PREROUTING_CT_1='tmpl:ftp if:IP_NET_2_DEV:any HELPER:ftp'

It is assumed in the Example, that the connection to the other router is performed over the

interface associated with the second subnet (IP_NET_2_DEV).

Remember that of course an additional conﬁguration of the FORWARD-chain is needed to really

forward the FTP-packets. A typical rule would be

PF_PREROUTING_1='tmpl:ftp any dynamic DNAT:@ftpserver'

assuming that the host running the FTP-server has the name ftpserver.

Example 3: If you like to use active FTP directly from ﬂi4l (perhaps with the help of the ftp

program from the Tools-package) the ﬁrewall has to be prepared, this time in the OUTPUT-chain

by using the array PF_output_CT_%:

PF_OUTPUT_CT_N='1'

PF_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'

This rule is not necessary if FTP_PF_ENABLE_ACTIVE='yes' is used – see the documentation

for the ftp-OPT in the tools-package.

Following is an overview over the existing conntrack-helpers:

Helper Explanation

ftp File Transfer Protocol

h323 H.323 (Voice over IP)

irc Internet Relay Chat

pptp PPTP Masquerading (By the use of this mod-

ule it is possible to run more than one PPTP-

Client behind the ﬂi4l router at the same time.)

sip Session Initiation Protocol

sane SANE Network Procotol

snmp Simple Network Management Protocol

tftp Trivial File Transfer Protocol

Table 3.9.: Available Conntrack Helpers In The Packet Filter

Here is an overview over the variables to conﬁgure:

PF_PREROUTING_CT_ACCEPT_DEF If this variable is set to ‘yes’, default rules are

generated that are necessary for proper functioning of the router. By default, you should

use ‘yes’ here.