RE: [Shorewall-users] Question on tcrules implementation

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Tom,
FTP server is running in the DMZ zone. I'll try to set the data ports as you
mentioned. Also could you clue me in as to how the "mark" is being set in
CBQ mode. As I understand HTB mode has a set conf file for traffic marking.
The reason why I ask is if I set the 'smtp' protocol the same way as I do
the 'ftp' there is nothing happening on 1:30 priority when I run the "watch"
Command.

Thanks,
~Andrew Nady.

-----Original Message-----
From: sho...@li...
[mailto:sho...@li...] On Behalf Of Tom Eastep
Sent: Wednesday, January 26, 2005 12:32 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Question on tcrules implementation

Tom Eastep wrote:
> Andrew N. wrote:
> 
>>Currently I use wondershaper 1.1 with the cbq file as tcstart on a pppoe
>>connection with 2.5Mbs down and 680kbs up.
>>In tcrules I am placing the following to test the ftp protocol:
>>
>>15   fw   0.0.0.0/0   tcp  21 -
>>16   fw   0.0.0.0/0   tcp  - 21
> 
> 
> Neither rule will have much traffic since what you are marking is the
> FTP *CONTROL* channel -- are you trying to mark FTP data traffic?
> Currently, there is no way in Shorewall to identify passive-mode FTP
> traffic (active-mode traffic has source port 20).
> 
> Also, are you running an FTP server on the firewall or an FTP client?

The reason that I ask is that if you are running a server, then your
server can most likely be configured to use a particular range of
passive ports. If, for example, you configure the server to use
7000:7999 then you can mark outbound FTP data traffic using:

x    fw    0.0.0.0/0   tcp - 7000:7999

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
Post: Sho...@li...
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm