allow ftp from lan through ipchains / ip_nat_ftp ?

 
 
Frank Winans
      08-12-2003, 05:23 PM
I want to let winbox users ftp through my redhat 7.1 box to the world.
I'm using the rcf package to manage my ipchains-based firewall.
The ipchains -L -n --line-numbers only shows two rules for
the forward chain, and the first one is
1 MASQ all -------- 42.0.0.0/24 0.0.0.0/0 n/a
But I get a REJECT on an ftp packet from winbox 42.0.0.23:1092 to (64.etc:21)
due to rule 2 {REJECT any/0 to any/0} of the forward chain.

I didn't tell the firewall.conf file to load ftp in the MASQ-MODULES=
line, as I don't have a matching file in the /etc/firewall/modules/ tree.
If I try to modprobe ip_nat_ftp the response is, in short,
init_module: device or resource busy
ip_tables.o: insmod ip_tables.o failed
ip_tables.o: insmod ip_nat_ftp failed

a) why doesn't this packet match the first rule in the chain?
b) do I need ip_nat_ftp loaded to do ftp masquerading?
c) must it use iptables, or can it be made to run with just ipchains?

Frank


 
/dev/rob0
      08-13-2003, 04:35 AM
In article <bhb7k5$(E-Mail Removed)>, Frank Winans wrote:
> b) do I need ip_nat_ftp loaded to do ftp masquerading?
> c) must it use iptables, or can it be made to run with just ipchains?


c) yes, no.

I think there is an FTP NAT driver for ipchains, but why are you using
ipchains on a 2.4.x kernel? Dump that and start using iptables ... it's
easier and more secure.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
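
Added example (not part of either post, and not code from the kernel module): why address masquerading alone does not carry active-mode FTP, and what a NAT helper such as ip_nat_ftp has to do to the control channel. The function names, the public address 192.0.2.1 and ports 1093 and 61000 are constructed for illustration; only the LAN address 42.0.0.23 comes from the thread.

```python
import re

# Active-mode FTP sends the client's own address inside the control stream:
# "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

# Constructed sample: LAN client 42.0.0.23 (address from the thread) offering data port 1093.
SAMPLE = b"PORT 42,0,0,23,4,69\r\n"


def parse_port(line):
    """Return (ip, port) from a PORT command, or None if the line is not a valid one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_port(line, conn_src_ip, public_ip, alloc_port, expect):
    """Rewrite one control-channel line the way an FTP NAT helper has to.

    expect maps public_port -> (lan_ip, lan_port) so the server's inbound data
    connection can be forwarded back to the client. Returns (new_line, delta);
    delta is the length change, which a real helper must also apply to the TCP
    sequence and acknowledgement numbers of the control connection.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, 0  # not a PORT command: pass through untouched
    ip, port = parsed
    if ip != conn_src_ip:
        return line, 0  # address is not the sender's own: open no pinhole
    pub_port = alloc_port()
    expect[pub_port] = (ip, port)
    new = "PORT {},{},{}\r\n".format(
        public_ip.replace(".", ","), pub_port >> 8, pub_port & 0xFF).encode()
    return new, len(new) - len(line)


if __name__ == "__main__":
    pinholes = {}
    # 192.0.2.1 and port 61000 are constructed stand-ins for the firewall's public side.
    out, delta = rewrite_port(SAMPLE, "42.0.0.23", "192.0.2.1", lambda: 61000, pinholes)
    print(out, delta, pinholes)
```

Without this rewrite the remote server is told to connect back to 42.0.0.23, an address that only exists behind the masquerading box, so the data connection never arrives even though the control connection on port 21 works.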
 
Frank Winans
      08-18-2003, 12:49 PM
"/dev/rob0" wrote
> Frank Winans wrote:
> ...ip_nat_ftp to do ftp masquerading...with just ipchains?
> I think there is an FTP NAT driver for ipchains, but why are you using
> ipchains on a 2.4.x kernel? Dump that and start using iptables ... it's
> easier and more secure.

No ftp modules work with rh7.1's ipchains. I've gone to iptables,
but will really miss rcf front end {iptables version isn't ready yet}
-- am trying http://www.shorewall.net as my "training wheels" for iptables.

Had a client hacked from a spoofed or China-area IP address the other
day... They're now instructed not to leave the firewall down {over the
weekend ! } even "for a really good reason", and to include
"that unimportant web gateway box" in their backup schedule :-'/


 