Hi Tom,

> Sorry -- I can't comment without seeing a 'shorewall dump' collected as
> described in great detail at
> http://www.shorewall.net/support.htm#guidelines. Also:

Yeah, I understand that, but my dump is really large, complicated and might contain business-sensitive information which I don't feel is a good idea to place on a public mailing list.

> a) Why are you specifying 'loose'?

The providers file documents the loose option as:

"Normally, Shorewall adds routing rules to prohibit firewall marks from working with traffic generated on the firewall itself. By setting the 'loose' option, generation of these rules is avoided."

If I am interpreting this correctly, the loose option is needed if you want to mark traffic originating on the firewall itself. I use this to force certain of my squid traffic (originating on the firewall itself) out of my eth1 interface and the remainder out of my ppp0 interface.

> b) Where does this FTP server run? The firewall? In a local network?

The FTP server runs on the firewall.

> c) Is it the responses to the control connection (TCP port 21) that go out
> via eth1 or is it active mode connections from the server back to the
> client that go out via eth1?

It's the actual TCP session that is never established from the FTP client perspective. So yes, it is the control connection that has the problem. A telnet to the firewall's FTP port from the Internet doesn't result in an established connection.

Regards,
- Craig.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
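The setup Craig describes, written out as a pair of Shorewall configuration fragments. This is an added illustration, not Craig's actual configuration or anything from the Shorewall project: the provider names, the gateway address (an RFC 5737 documentation address), the squid user name `proxy`, and the Shorewall 3.x-era column layout are all assumptions. It shows the `loose` option on the eth1 provider alongside a mark rule that is deliberately narrow, so that only squid's own outbound HTTP is marked and other locally generated traffic, such as the FTP server's replies, keeps following the ordinary routing table.

```text
# /etc/shorewall/providers   (hypothetical example; column layout assumed)
#NAME   NUMBER  MARK   DUPLICATE  INTERFACE  GATEWAY     OPTIONS       COPY
isp1    1       1      main       eth1       192.0.2.1   track,loose   -
isp2    2       2      main       ppp0       -           track         -
#
# 'loose' on isp1: Shorewall does NOT add the rules that normally stop
# firewall marks from steering traffic generated on the firewall itself,
# so marks set on $FW-originated packets are honoured by the routing rules.
# 'track': connections arriving on an interface have their replies routed
# back out that same interface.

# /etc/shorewall/tcrules      (hypothetical example; column layout assumed)
#MARK   SOURCE  DEST        PROTO   PORT(S)  SOURCE PORT(S)  USER
1       $FW     0.0.0.0/0   tcp     80       -               proxy
#
# Only traffic generated on the firewall by the squid user ('proxy' is an
# assumed account name) to TCP port 80 receives mark 1 and is sent via isp1
# (eth1). Everything else the firewall itself originates is left unmarked
# and follows the main routing table, which here means ppp0.
```

The point worth checking in a configuration like this is the scope of the mark rule. With `loose` set, every packet the firewall generates that matches a mark rule is steered by that mark, and reply packets from a daemon running on the firewall (the FTP control connection on port 21, in Craig's case) are locally generated too. A rule written as `1 $FW 0.0.0.0/0` with no protocol, port or user restriction would therefore push those replies out eth1 as well; restricting the rule to the squid user and port, as above, keeps the mark from touching them. Whether the provider's `track` option alone is enough to return FTP replies via the inbound interface depends on the exact rule set, which is why a `shorewall dump` is what is needed to confirm it.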
