From: Andrew N. <an...@ps...> - 2005-01-29 20:38:56
Hi Tom,

FTP server is running in the DMZ zone. I'll try to set the data ports as you mentioned. Also, could you clue me in as to how the "mark" is being set in CBQ mode? As I understand it, HTB mode has a set conf file for traffic marking. The reason why I ask is that if I set the 'smtp' protocol the same way as I do the 'ftp', there is nothing happening on 1:30 priority when I run the "watch" command.

Thanks,
~Andrew Nady.

-----Original Message-----
From: sho...@li... [mailto:sho...@li...] On Behalf Of Tom Eastep
Sent: Wednesday, January 26, 2005 12:32 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Question on tcrules implementation

Tom Eastep wrote:
> Andrew N. wrote:
>
>> Currently I use wondershaper 1.1 with the cbq file as tcstart on a pppoe
>> connection with 2.5Mbs down and 680kbs up.
>> In tcrules I am placing the following to test the ftp protocol:
>>
>> 15 fw 0.0.0.0/0 tcp 21 -
>> 16 fw 0.0.0.0/0 tcp - 21
>
>
> Neither rule will have much traffic since what you are marking is the
> FTP *CONTROL* channel -- are you trying to mark FTP data traffic?
> Currently, there is no way in Shorewall to identify passive-mode FTP
> traffic (active-mode traffic has source port 20).
>
> Also, are you running an FTP server on the firewall or an FTP client?

The reason that I ask is that if you are running a server, then your server can most likely be configured to use a particular range of passive ports. If, for example, you configure the server to use 7000:7999 then you can mark outbound FTP data traffic using:

x fw 0.0.0.0/0 tcp - 7000:7999

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Post: Sho...@li...
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
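As an added illustration, not part of the thread and not Shorewall's own code: a small Python model of the first-match semantics of the tcrules columns quoted above (MARK, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)), run over a few constructed FTP flows. It shows why the two port-21 rules only ever see the control channel, how source-port rules pick up active-mode data (port 20) and a pinned passive range, and why rules whose SOURCE is the firewall never match a server that sits in the DMZ. The mark values 17 and 18, the 7000:7999 passive range and the DMZ-facing interface name eth1 are assumptions made for the example.

```python
"""Toy model of first-match tcrules classification for FTP traffic.

Constructed example for the thread above, not Shorewall code. It mimics
the column layout of the quoted rules (MARK SOURCE DEST PROTO DEST-PORT(S)
SOURCE-PORT(S)) and shows which FTP flows each rule actually catches.
Mark values 17/18, the 7000:7999 passive range and the interface name
"eth1" are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One packet as the firewall sees it: where it comes from, protocol, ports."""
    source: str   # "fw" for packets the firewall itself sends, else an interface name
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    mark: int
    source: str   # "fw", an interface name, or "0.0.0.0/0" for any
    proto: str    # "tcp", "udp" or "-" for any
    dport: str    # "21", "7000:7999" or "-" for any
    sport: str


def port_matches(spec: str, port: int) -> bool:
    """Match a single port ("21") or an inclusive range ("7000:7999"); "-" matches all."""
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def parse_tcrules(text: str) -> List[Rule]:
    """Parse the six-column lines used in the thread; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mark, source, _dest, proto, dport, sport = line.split()
        rules.append(Rule(int(mark), source, proto, dport, sport))
    return rules


def classify(rules: List[Rule], flow: Flow) -> Optional[int]:
    """Return the mark of the first matching rule, or None if no rule matches."""
    for r in rules:
        if r.source not in ("0.0.0.0/0", flow.source):
            continue
        if r.proto != "-" and r.proto != flow.proto:
            continue
        if port_matches(r.dport, flow.dport) and port_matches(r.sport, flow.sport):
            return r.mark
    return None


# The two rules from the thread: they only see the FTP control channel (port 21).
CONTROL_ONLY = parse_tcrules("""
15 fw 0.0.0.0/0 tcp 21 -
16 fw 0.0.0.0/0 tcp - 21
""")

# Same rules plus the data-channel rules: active mode (source port 20) and a
# passive range pinned on the server (source port 7000:7999). Marks assumed.
WITH_DATA = parse_tcrules("""
15 fw 0.0.0.0/0 tcp 21 -
16 fw 0.0.0.0/0 tcp - 21
17 fw 0.0.0.0/0 tcp - 20
18 fw 0.0.0.0/0 tcp - 7000:7999
""")

# Constructed flows leaving an FTP server that runs on the firewall itself.
CONTROL_REPLY = Flow("fw", "tcp", 21, 50000)    # server -> client on the control channel
ACTIVE_DATA = Flow("fw", "tcp", 20, 50001)      # active mode: server connects out from port 20
PASSIVE_DATA = Flow("fw", "tcp", 7123, 50002)   # passive mode: server answers from the pinned range
SMTP = Flow("fw", "tcp", 25, 50003)             # unrelated traffic that must stay unmarked
# Same passive data, but from a server in the DMZ (assumed interface eth1):
# rules with SOURCE "fw" cannot match it.
DMZ_PASSIVE_DATA = Flow("eth1", "tcp", 7123, 50002)


if __name__ == "__main__":
    for name, flow in [("control", CONTROL_REPLY), ("active data", ACTIVE_DATA),
                       ("passive data", PASSIVE_DATA), ("smtp", SMTP),
                       ("dmz passive data", DMZ_PASSIVE_DATA)]:
        print(f"{name:17s} control-only={classify(CONTROL_ONLY, flow)} "
              f"with-data={classify(WITH_DATA, flow)}")
```

Pinning the passive range on the daemon is what makes the last rule meaningful; most FTP servers expose such a setting (vsftpd's pasv_min_port and pasv_max_port, for instance). For a server in the DMZ the SOURCE column has to name where those packets enter the firewall rather than "fw", which is the situation the reply above describes.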