- 02-02-2004 #1 Just Joined!
- Join Date
- Jan 2004
- Location
- Russian Federation, Kaliningrad
- Posts
- 6
external passive ftp server and FORWARD chain
Hi All,
Can anyone tell me what range of ports I have to open in the
FORWARD chain to allow users from my LAN access to any external
FTP servers running in passive mode?
Right now users from the LAN can only connect to FTP servers which are not running
in passive mode.
Thanks
Updated:
I have just figured out that the range begins from 1024 :\ port number.
But I don't want to open all ports greater than 1024.
What more can I do?
- 02-02-2004 #2 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
There's nothing you can do, except writing a kernel module that scans all FTP control channels and opens ports dynamically.
The thing is that all ports above 1024 should always be open, since they are supposed to be "custom" ports.
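An added example, not part of the original thread: a sketch of the control-channel scanning that reply #2 describes, which is the idea behind stateful FTP helpers such as netfilter's nf_conntrack_ftp. The function names, the strict same-host check and the sample lines (documentation IP ranges) are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# RFC 2428 reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def expected_data_flow(client_ip, server_ip, reply_line):
    """Return the single (client, server, port) flow to allow, or None."""
    line = reply_line.strip()
    m = PASV_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        advertised = ipaddress.ip_address(".".join(map(str, octets[:4])))
        # Assumed policy: never open a path to a host other than the server
        # the control connection already talks to.
        if advertised != ipaddress.ip_address(server_ip):
            return None
        port = octets[4] * 256 + octets[5]
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        port = int(m.group(2))
    # Passive data ports are unprivileged; reject anything else.
    return (client_ip, server_ip, port) if 1024 <= port <= 65535 else None


def scan_control_channel(client_ip, server_ip, lines):
    """Only server-to-client ('S') lines may create an expectation."""
    flows = (expected_data_flow(client_ip, server_ip, text)
             for direction, text in lines if direction == "S")
    return [f for f in flows if f is not None]


# Constructed sample of one control connection (direction, line).
SAMPLE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("C", "227 Entering Passive Mode (203,0,113,10,0,22)"),    # client text: ignored
    ("S", "227 Entering Passive Mode (198,51,100,7,195,81)"),  # third host: refused
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
]
```

Each returned tuple is one client-to-server data connection to permit, so the FORWARD chain never needs a blanket rule for every port above 1024.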
- 02-03-2004 #3 Just Joined!
- Join Date
- Jan 2004
- Location
- Russian Federation, Kaliningrad
- Posts
- 6
Thanks for the reply.
Then I have another question: if I open all ports greater than 1024,
how can I filter outgoing packets going from my LAN to, for example,
eDonkey or ICQ?
What is the best way to do this kind of thing?
Should I filter packets by fragments?
- 02-03-2004 #4 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
One way is to filter away those specific ports. AFAIK, ICQ uses port 5190. I don't know what eDonkey uses, though. I think that's the best way to do it. The only other way I can think of is to create a new kernel module that uses some heuristic that tries to recognize those protocols.
- 02-09-2004 #5 Just Joined!
- Join Date
- Jan 2004
- Location
- Russian Federation, Kaliningrad
- Posts
- 6
Thank you for your reply!
I've also found the port numbers which eDonkey uses.
