On Fri, 18 Jan 2002, Troy Rockwood wrote:

[snip]

> Actually, I checked it with tcpdump (ethereal) and nobody was using
> passive mode. I'm fine if some people that use ftp accidentally get
> higher priority (by using passive), it's just when the ftp traffic
> drowns out everything else that the problem is. At present that means
> ftp-data (port 20) traffic. Thanks for the reply though I may have to
> be more clever in the future if passive is used predominantly.

There is a new match in iptables that you could use. It is a match that's
capable of matching which conntrack helper a related connection belongs to.
So if you load ip_conntrack_ftp then you can do something like this:

  iptables -t mangle -A FORWARD -m helper --helper ftp -j MARK --set-mark 2

Then all packets belonging to the ftp connection (both the packets in the
ftp-command connection and all packets in the related data connections) will
have a fwmark of 2. This works for both passive and active ftp.

You'll find this helper match in the iptables patch-o-matic (either from cvs
or download iptables 1.2.5).

/Martin

Never argue with an idiot. They drag you down to their level, then beat you
with experience.
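The helper-match rule above only sets a fwmark; to actually keep ftp from drowning out other traffic the mark still has to be handed to the traffic shaper. The script below is an added example, not code from the list post, that ties the two halves together: it loads the ftp conntrack helper, marks every packet the helper claims (control connection plus active or passive data connections) in the mangle table, which is where the MARK target of that iptables generation must live, and then attaches a tc fw filter so marked packets land in a low-priority class. The interface name eth0, the HTB root qdisc with handle 1: and the class 1:20 are assumptions for the example; they are not in the post. DRY_RUN=1 prints the commands instead of executing them, so the ruleset can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example (not from the list post): mark all FTP traffic with the
# conntrack helper match and steer it into a low-priority tc class.
# Assumptions (not stated in the post): traffic is forwarded on $WAN_IF,
# an HTB root qdisc with handle 1: already exists on it, and class 1:20
# is the low-priority class. DRY_RUN=1 prints commands instead of running them.

WAN_IF="${WAN_IF:-eth0}"
FTP_MARK="${FTP_MARK:-2}"
LOWPRIO_CLASS="${LOWPRIO_CLASS:-1:20}"

# Execute a command, or print it verbatim when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the marking rule and the tc filter that consumes the mark.
ftp_mark_rules() {
    # Load the FTP conntrack helper so data connections (active or passive)
    # are tracked as RELATED to the port-21 control connection.
    run modprobe ip_conntrack_ftp

    # MARK is a mangle-table target; the helper match tags every packet the
    # ftp helper claims, control and data alike, so port 20 is never named.
    run iptables -t mangle -A FORWARD -m helper --helper ftp \
        -j MARK --set-mark "$FTP_MARK"

    # Hand the fwmark to tc: the fw classifier sends marked packets to the
    # low-priority class instead of leaving them in the default class.
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw flowid "$LOWPRIO_CLASS"
}

# Show the mangle FORWARD chain with packet counters; on a live router the
# pkts column on the helper rule confirms ftp traffic is being marked.
ftp_mark_check() {
    run iptables -t mangle -L FORWARD -v -n
}
```

Source the file and call `ftp_mark_rules` (with `DRY_RUN=1` first to review the three commands), then `ftp_mark_check` after some ftp traffic has passed to see the counters move. On current kernels the module is named nf_conntrack_ftp and the helper is no longer attached automatically; it has to be assigned explicitly with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` before the `-m helper --helper ftp` match will see anything.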