 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Alan" <junk at alan2 dot com>
 Cc:  M0n0wall Lists <m0n0wall at lists dot m0n0 dot ch>, 'Thomas Paumier' <thomas dot paumier at tiscali dot fr>
 Subject:  Re: [m0n0wall] Trafic shaper seems doesn't work as expected
 Date:  Sun, 21 Dec 2003 11:01:49 +0100
On 21.12.2003, at 15:34, Alan wrote:

> I am just making a guess as to why this is not working... Monowall may work some
> ftp magic behind the scenes that I'm not aware of..
> Only the FTP control information is passed through port 21.

Exactly. Well, this example is one of the reasons why I believe that 
even though m0n0wall is relatively easy to configure, people who use it 
should have some knowledge about firewalls and what they're actually 
doing - just like with commercial firewall products. I thought anybody 
who is serious about setting up a firewall should know that FTP is a real 
bitch of a protocol and uses both a control and a data connection, 
while the data connection can basically be set up on random ports on 
both sides. Without sniffing the control channel, the firewall cannot 
know which TCP connection is actually an FTP data connection. ipnat's 
FTP proxy does that in order to install a temporary inbound NAT and 
filter rule to permit the incoming data connection (from server to 
client) when you use an FTP client in active mode behind m0n0wall, so 
that's why it works without having to install rules to permit inbound 
active FTP data connections.

It doesn't work the same way with the traffic shaper, and once again, 
this is not a limitation in m0n0wall, but ipfw.

So yes, writing a traffic shaper rule that only applies to FTP traffic 
is very difficult, if not to say impossible (especially if you want to 
account for all modes, active and passive).

Thomas - you can either limit traffic on all ports, or maybe write a 
rule that includes all ports but HTTP if that's what you want.

- Manuel
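
Added example, not part of the original message and not ipnat's or ipfw's code: the Python below shows what a control-channel helper has to parse to learn where an FTP data connection will appear, using the RFC 959 `PORT` command (active mode) and `227` reply (passive mode). The function names and the sample session are constructed for illustration.

```python
import re

# Six comma-separated decimal bytes h1,h2,h3,h4,p1,p2 as defined in RFC 959
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)

def data_endpoint(line):
    """Return (mode, ip, port) if a control-channel line announces a data
    connection endpoint, otherwise None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # client listens, server connects back to it
    elif line.startswith("227"):
        mode = "passive"   # server listens, client connects to it
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None        # malformed address or port byte
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return mode, ip, port

def track_data_flows(control_lines):
    """Walk one control session and collect every announced data endpoint."""
    return [ep for ep in map(data_endpoint, control_lines) if ep]

# Constructed sample of control-channel lines (TCP port 21), not captured traffic
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,195,80",
    "150 Opening data connection",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,19,137)",
    "RETR file.bin",
]

if __name__ == "__main__":
    for mode, ip, port in track_data_flows(SAMPLE):
        print(f"{mode:7} data connection -> {ip}:{port}")
```

Neither data port in the sample is 20 or 21, which is why a rule keyed on the FTP port numbers alone never matches the bulk transfer.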