 From:  "RP Smith" <rpsmith at hotmail dot com>
 To:  jeffrey dot monroe at mobmedia dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Two problems which may (may not) have easy solutions...
 Date:  Sat, 04 Mar 2006 11:10:27 -0600
I have been testing the 1.21 version of m0n0wall. I like it, but I have two 
problems which keep me from using it in a production environment.

First, my m0n0wall is set up with the WAN and OPT1 bridged and I have set the 
advanced setting to enable the bridge.

1) Outgoing FTP is blocked because the creation of DATA TCP ports is denied. 
I have an iptables implementation which allows for stateful creation of TCP 
ports as needed for FTP. I have heard a lot of discussions about not 
allowing FTP at all, but the reality is that my customers demand it. So I am 
stuck. Is there any ruleset hack or plans in the future to add stateful 
creation of TCP ports?

2) We use the Cisco VPN client 4.6.x to reach inside some of our clients' 
networks. It seems that some of the UDP port activity is blocked. I see the 
login screen and then it hangs. I have seen some discussion about the Cisco 
VPN client 4.7.x fixing the problem. Most of my clients have not renewed 
their Cisco support contracts so they are not getting updated client 
software. Is there any way to modify the ruleset to make this work?


Jeffrey Monroe


If you are talking about the FTP server being on the Option1 interface and 
FTP clients on the LAN interface, you need to create a "pass" rule to allow 
TCP port 20 to pass from the FTP server's IP address to the LAN subnet (or 
some variation of that).

As for your second question, I try my hardest to stay away from anything 
that has the Cisco name on it. :o)
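The following is an added illustration, not code from the list or from m0n0wall. It is a toy model of a stateful packet filter written for this reply, not m0n0wall's ipfilter ruleset, and the addresses (an FTP server at 192.0.2.10 on OPT1, a LAN subnet of 10.0.0.0/24) are constructed. It shows why an active-mode FTP data connection is dropped when only the LAN-to-anywhere pass rule exists: the control connection (client to server port 21) creates state, but the data connection is opened by the server from port 20 toward the client, so it matches no state and no rule and hits the default deny. Adding the "pass TCP port 20 from the FTP server's IP to the LAN subnet" rule the reply describes lets that server-initiated connection through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample addresses for the scenario in the thread (not from the page).
FTP_SERVER = "192.0.2.10"    # hypothetical FTP server on the OPT1 side
LAN_NET = "10.0.0.0/24"      # hypothetical LAN subnet
CLIENT = "10.0.0.25"         # hypothetical FTP client on the LAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src_net: str             # CIDR, host/32, or "any"
    sport: Optional[int]     # None matches any source port
    dst_net: str
    dport: Optional[int]     # None matches any destination port
    keep_state: bool = True  # a matching pass rule records the flow


def _match_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_net(pkt.src, rule.src_net)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _match_net(pkt.dst, rule.dst_net)
            and (rule.dport is None or rule.dport == pkt.dport))


class StatefulFilter:
    """Minimal first-match, default-deny filter with a flow state table."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()  # 5-tuples of flows a pass rule has admitted

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # Packets of an already-admitted flow, in either direction, skip the rules.
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass"
        for rule in self.rules:           # first matching rule decides
            if rule_matches(rule, pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.states.add(self._key(pkt))
                return rule.action
        return "block"                    # implicit default deny


def lan_to_opt1_rules(active_ftp_rule: bool) -> List[Rule]:
    """LAN hosts may open anything outbound; optionally add the port-20 pass rule."""
    rules = [Rule("pass", LAN_NET, None, "any", None)]
    if active_ftp_rule:
        # The rule suggested in the reply: TCP source port 20 from the server to the LAN.
        rules.insert(0, Rule("pass", FTP_SERVER + "/32", 20, LAN_NET, None))
    return rules


def active_ftp_session(active_ftp_rule: bool) -> dict:
    """Replay the three connections of an active-mode FTP transfer through the filter."""
    fw = StatefulFilter(lan_to_opt1_rules(active_ftp_rule))
    control = fw.filter(Packet("tcp", CLIENT, 40001, FTP_SERVER, 21))
    control_reply = fw.filter(Packet("tcp", FTP_SERVER, 21, CLIENT, 40001))
    # After a PORT command, the server opens the data connection from port 20
    # to the ephemeral port the client announced (40002 here); no state exists for it.
    data = fw.filter(Packet("tcp", FTP_SERVER, 20, CLIENT, 40002))
    return {"control": control, "control_reply": control_reply, "data": data}


if __name__ == "__main__":
    print("without port-20 rule:", active_ftp_session(False))
    print("with port-20 rule:   ", active_ftp_session(True))
```

The added rule is deliberately narrow (one source host, source port 20, LAN destinations only), but it does admit any connection the server host chooses to open from that port, so it is worth restricting the destination further than the whole LAN subnet where the set of FTP clients is known.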