On 21.12.2003, at 15:34, Alan wrote:
> I am just making a guess as to why this is not working... Monowall may
> work some ftp magic behind the scenes that I'm not aware of..
>
> Only the FTP control information is passed through port 21.
Exactly. Well, this example is one of the reasons why I believe that
even though m0n0wall is relatively easy to configure, people who use it
should have some knowledge about firewalls and what they're actually
doing - just like with commercial firewall products. I thought anybody
who is serious at setting up a firewall should know that FTP is a real
bitch of a protocol and uses both a control and a data connection,
while the data connection can basically be set up on random ports on
both sides. Without sniffing the control channel, the firewall cannot
know which TCP connection is actually an FTP data connection. ipnat's
FTP proxy does that in order to install a temporary inbound NAT and
filter rule to permit the incoming data connection (from server to
client) when you use an FTP client in active mode behind m0n0wall, so
that's why it works without having to install rules to permit inbound
active FTP data connections.
It doesn't work the same way with the traffic shaper, and once again,
this is not a limitation in m0n0wall, but ipfw.
So yes, writing a traffic shaper rule that only applies to FTP traffic
is very difficult, if not to say impossible (especially if you want to
account for all modes, active and passive).
Thomas - you can either limit traffic on all ports, or maybe write a
rule that includes all ports but HTTP if that's what you want.
- Manuel
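The point Manuel makes above, that a firewall has no way to recognise an FTP data connection without reading the control channel, is easiest to see by doing exactly what an FTP proxy such as ipnat's does: parse the PORT command (active mode) and the 227/229 replies (passive mode) and derive the one data connection that should be permitted. The following Python is an added illustration written for this post, not code from the m0n0wall, ipnat or ipfw projects; the session lines, the addresses 192.168.1.10 and 203.0.113.5, and the function names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A temporary "pinhole" a stateful firewall would install for one data connection.
# src_port is None when the initiating side picks an ephemeral port the control
# channel does not reveal (the client in passive mode).
@dataclass(frozen=True)
class DataConn:
    mode: str            # "active" or "passive"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int

# RFC 959 host-port encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 extended passive reply: 229 Entering Extended Passive Mode (|||port|)
_EPSV = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def decode_hostport(text: str):
    """Decode the h1,h2,h3,h4,p1,p2 form; return (ip, port) or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Return the data connection implied by one control-channel line, if any.

    client_ip/server_ip are the endpoints of the control connection on port 21;
    the proxy already knows these from the connection it is inspecting.
    """
    line = line.strip()

    # Active mode: client announces where it listens; server connects from port 20.
    if line.upper().startswith("PORT "):
        hp = decode_hostport(line[5:])
        if hp is None:
            return None
        ip, port = hp
        # Only honour a PORT that points back at the client itself; a proxy
        # should not open inbound holes towards arbitrary third-party hosts.
        if ip != client_ip:
            return None
        return DataConn("active", server_ip, 20, ip, port)

    # Passive mode: server announces where it listens; client connects to it.
    if line.startswith("227 "):
        hp = decode_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        # Same sanity rule in the other direction: the announced host must be the server.
        if ip != server_ip:
            return None
        return DataConn("passive", client_ip, None, ip, port)

    # Extended passive: only the port is carried; the host is the server's own address.
    m = _EPSV.match(line)
    if m:
        port = int(m.group(1))
        if 0 < port < 65536:
            return DataConn("passive", client_ip, None, server_ip, port)
    return None


def expected_data_connections(session: List[str], client_ip: str, server_ip: str) -> List[DataConn]:
    """Walk a captured control session and collect every data connection it sets up."""
    out = []
    for line in session:
        conn = parse_control_line(line, client_ip, server_ip)
        if conn is not None:
            out.append(conn)
    return out


# Constructed sample session: client 192.168.1.10 behind the firewall, server 203.0.113.5.
SAMPLE_SESSION = [
    "220 ftp ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PORT 192,168,1,10,4,1",                          # active: client listens on 1025
    "200 PORT command successful.",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive: server listens on 50000
    "PORT 10,0,0,99,4,1",                              # points at a third host: refused
]

if __name__ == "__main__":
    for c in expected_data_connections(SAMPLE_SESSION, "192.168.1.10", "203.0.113.5"):
        print(c)
```

Each returned DataConn is the rule the proxy must install for just long enough for the transfer to start; nothing in the packet headers of that later connection says "FTP", which is exactly why a traffic-shaper rule keyed on ports alone cannot match FTP data traffic.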