 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  Mark Castle <m0n0wall at markcastle dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Strange Filtering Bridge behaviour
 Date:  Tue, 28 Sep 2004 08:35:07 -0700
If memory serves me right, Mark Castle wrote:

> I've found it real difficult to allow active ftp through a filtering 
> bridge (WAN and OPT1 Bridged, with the ftp server on the OPT1 side of 
> the connection), sometimes it works ok, but mainly it doesn't.  It shows 
> the port 20 traffic as being blocked even though there is a rule on the 
> correct interface for it.

I haven't actually tried this myself, but can you say what exactly you
mean by "a rule on the correct interface for it"?  Not to be
insulting, but knowing the exact rule says more than "I set it up
correctly".

I haven't had my morning dose of caffeine yet, but I'd expect a rule
on the OPT1 interface that allows packets from TCP port 20 on your FTP
server to any port anywhere.

> I am always able to connect, but rarely able 
> to issue an "ls" command, so it's certain it's the ftp data side of 
> things that has the issue.  I've noticed this for other types of traffic 
> too.. particularly DNS, although interestingly with port 53 udp is shown 
> as being blocked i'm pretty sure that it actually isn't.  The main 
> problem i am having though is sometimes when i disable the filtering 
> bridge, it stays in operation (eg keeps filtering) until the firewall is 
> rebooted.

Hmmm...interesting.  I haven't tried turning it on and off.

This isn't a lot of help to you, I realize.  Packet traces
(e.g. tcpdump or ethereal) on each side of the bridge might help you
figure out what's really going on here.

Bruce.
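The rule Bruce expects, worked through in a toy first-match packet filter as an added example (not m0n0wall's code or ipfilter syntax; the interface names, addresses, and default-deny model are assumptions):

```python
# Toy first-match packet filter (added example, not m0n0wall code) showing
# why active FTP through a filtering bridge needs a pass rule on the
# server-side interface (OPT1) for traffic *from* TCP port 20.
# Interface names and addresses below are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "iface proto src sport dst dport")

class Rule:
    """A rule matches only on the interface it is placed on; fields left
    as None are wildcards (any)."""

    def __init__(self, iface, action, proto=None, src=None, sport=None,
                 dst=None, dport=None):
        self.iface, self.action = iface, action
        self.crit = dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

    def matches(self, p):
        return p.iface == self.iface and all(
            v is None or v == getattr(p, k) for k, v in self.crit.items())

def decide(rules, p):
    """First matching rule wins; unmatched traffic is blocked (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"

FTP_SERVER, CLIENT = "192.0.2.10", "198.51.100.7"  # constructed addresses
# Active FTP: the control connection enters the bridge on WAN, but the data
# connection is opened by the *server* from port 20, so it enters on OPT1.
CONTROL_SYN = Packet("wan", "tcp", CLIENT, 49152, FTP_SERVER, 21)
DATA_SYN = Packet("opt1", "tcp", FTP_SERVER, 20, CLIENT, 49153)

WAN_ONLY = [Rule("wan", "pass", "tcp", dst=FTP_SERVER, dport=21)]
WITH_OPT1 = WAN_ONLY + [Rule("opt1", "pass", "tcp", src=FTP_SERVER, sport=20)]
# A port-20 rule placed on the wrong interface never sees the data SYN.
WRONG_IFACE = WAN_ONLY + [Rule("wan", "pass", "tcp", src=FTP_SERVER, sport=20)]

def active_ftp_outcome(rules):
    """Return (control verdict, data verdict) for one active-FTP session."""
    return decide(rules, CONTROL_SYN), decide(rules, DATA_SYN)

if __name__ == "__main__":
    for name, rules in [("WAN only", WAN_ONLY), ("wrong iface", WRONG_IFACE),
                        ("with OPT1", WITH_OPT1)]:
        print(f"{name}: {active_ftp_outcome(rules)}")
```

The "wrong iface" case is the one to compare against the actual rule in the GUI: a rule that looks right but sits on WAN instead of OPT1 produces exactly the "connects but can't ls" symptom.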