[ previous ] [ next ] [ threads ]
 From:  Christian Rohmann <Christian dot Rohmann at gmx dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Thu, 07 Apr 2005 14:32:57 +0200
As suggested multiple times a layer7 IP filter would be able to be 
stateful even with such bugging protocols like FTP.
And most important they increase the securty of the whole thing because 
they "follow" the protocols. This protects the machines exposed to the 
internet even more.
It's just like Ciscos PIXes have "fixup" at layer7 following DNS queries 
for example and making sure they follow the rules i.e. having a certain 

I understand that the devs want m0n0wall to be as slim as possible, but 
having VPNs is just as CPU intense as having a more sophisticated filtering.



Simon SZE-To wrote:

>you will need to create firewall rules for those ftp passive port, m0n0wall 
>don't have ip connect track like Linux.
>On Apr 7, 2005 11:54 AM, Jim <jwells at networksisp dot com> wrote:
>>I have a Redhat server running vsftpd behind 1:1 NAT
>>MAC / Linux users are reporting timeouts. I can reproduce
>>the problem. I can connect with no problems but when I attempt dir
>>then 70 seconds later I get a directory list. The next dir command is
>>very fast. Only the initial one is slow. I have tried several changes
>>to vsftpd.conf with no changes still 70 sec. The log files shows high port
>>connections from the client to the server and from the server to
>>the client. Microsoft FTP clients have no problems at all since they
>>use active FTP.
>>Any idea what is causing the slow down ?
>>I did not have this problem with my previous firewall. It only started
>>after I deployed Monowall. I am running 1.11 since this is a production
>>All other servers and services are working very well.
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch