--- Brad wrote:
The default policy for the Output chain is usually ACCEPT, so there is no need to open outbound ports specifically. The ACCEPT statement on the ESTABLISHED,RELATED line will allow connections to the unprivileged ports since they are related to the connection on port 21. I believe ip_conntrack_ftp helps with this.
Right, I went back and looked at Chris's post. I thought he set in and out to default to drop, which he didn't. Thanks for clarifying the ESTABLISHED,RELATED context. I've wondered about that before. So that way, on a server, you can avoid opening the unprivileged ports globally, but allow each connection to open those ports. That's much better.
Brian D.
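As an added example (not code from either poster), here is a small POSIX sh script contrasting the two approaches the thread discusses: the weak variant that opens every unprivileged port, and the conntrack-based variant in which only port 21 accepts NEW connections and the FTP helper marks the data connections RELATED. It uses the modern `-m conntrack --ctstate` match and the `nf_conntrack_ftp` module name (the thread's `ip_conntrack_ftp` is the older name for the same helper). On kernels from 4.7 onward, automatic helper assignment is off by default, so the script also binds the helper explicitly with a `CT --helper ftp` rule in the raw table; that line and the interface assumptions are mine, not from the thread. Without `--apply` it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or with --apply, loads) iptables
# rules for an FTP server that rely on the conntrack FTP helper.
# Assumptions: OUTPUT policy is ACCEPT (as Brad states), stock FTP on port 21.

FTP_PORT=21   # control port (assumption: default FTP)

# Weak variant the thread argues against: every unprivileged port open globally,
# so any listener above 1023 is reachable whether or not it is FTP data.
weak_rules() {
    echo "iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT"
}

# Conntrack variant: the helper parses PORT/PASV on the control channel and
# flags the resulting data connection RELATED, so the ESTABLISHED,RELATED rule
# admits it per connection without a blanket open. The helper cannot parse
# TLS-encrypted control channels (FTPS), so those still need explicit ports.
ftp_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport $FTP_PORT -j CT --helper ftp
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Guard run before applying: reject any ruleset containing a blanket accept of
# the unprivileged range. Argument is the name of a rule-generating function.
# Returns 0 when the ruleset is clean, 1 when the blanket rule is present.
check_no_blanket_accept() {
    ! "$1" | grep -q -- '--dport 1024:65535 -j ACCEPT'
}

# Dry run by default; --apply feeds the checked ruleset to the shell as root.
if [ "$1" = "--apply" ]; then
    check_no_blanket_accept ftp_rules || exit 1
    ftp_rules | sh
else
    ftp_rules
fi
```

Run it once without arguments to review the generated commands, then with `--apply` on the server. The `check_no_blanket_accept` guard is the kind of lint you would keep in a firewall deployment script so the 1024:65535 shortcut does not creep back in.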