Hello:

Ivan Lopez wrote,

> you just filter by ftp-data port (20) and by passive ports range (most
> ftp daemons give you the chance to define a determinate range of
> ports to use in passive mode)

But I have no control over the FTP clients users behind my Linux router will
use. Moreover, I have full NAT for my internal network.

> I discourage you from shaping ftp control traffic (21), because of the
> annoying delay you introduce in the interactiveness of the ftp session

Ok. Will take out port 21 then.

> this is how I do it using iptables marking and fw tc filter
>
> #for matching ftp-data
> iptables -A OUTPUT -o $IF_EXT -p tcp --sport 20 -j MARK --set-mark 1
> #for matching passive ports range that I configured in my ftp daemon
> iptables -A OUTPUT -o $IF_EXT -p tcp --sport 5000:5100 -j MARK --set-mark 1

For this to work, all FTP clients should be configured to use only ports
between 5000 and 5100, right?

--
Emperor Palpatine: Everything that has transpired has done so according to my
design.
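The marking-plus-fw-filter setup discussed above, as an added example that is not code from either poster. It is written for the router case in the mail (clients behind full NAT, port 21 left unshaped): forwarded traffic never traverses OUTPUT, so the mark is set in mangle/FORWARD, and instead of a fixed passive port range it relies on the kernel's FTP connection-tracking helper, which recognises both active (port 20) and passive (any port) data connections. The interface name eth0, mark value 1, the 10 Mbit/s uplink and the 2 Mbit/s FTP cap are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the list thread). Marks FTP data connections
# of LAN clients behind a NAT router and hands them to an HTB class via a
# tc "fw" filter. Instead of a fixed passive port range it uses the kernel's
# FTP conntrack helper, so clients may use any passive ports.
# Assumptions (illustrative, not from the original mail): external interface
# eth0, mark value 1, a 10 Mbit/s uplink with FTP data capped at 2 Mbit/s.
IF_EXT="${IF_EXT:-eth0}"
FTP_MARK=1
UPLINK_KBIT=10000
FTP_KBIT=2000
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; set to 0 to apply them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_mark_rules: netfilter side. Forwarded (NATed) traffic never passes
# OUTPUT, so the mark is set in mangle/FORWARD. Port 21 is deliberately not
# marked; only data connections set up through the ftp helper are.
ftp_mark_rules() {
    run modprobe nf_conntrack_ftp
    # Newer kernels no longer attach helpers automatically; assign it explicitly.
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Every packet of a data connection the ftp helper expected
    # (active, port 20, or passive, any port) gets the mark.
    run iptables -t mangle -A FORWARD -o "$IF_EXT" -p tcp -m helper --helper ftp \
        -j MARK --set-mark "$FTP_MARK"
}

# ftp_tc_setup: tc side. HTB root with a default class for everything else
# and a capped class that the fw filter selects by the mark.
ftp_tc_setup() {
    run tc qdisc add dev "$IF_EXT" root handle 1: htb default 10
    run tc class add dev "$IF_EXT" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit"
    run tc class add dev "$IF_EXT" parent 1:1 classid 1:10 htb \
        rate "$((UPLINK_KBIT - FTP_KBIT))kbit" ceil "${UPLINK_KBIT}kbit"
    run tc class add dev "$IF_EXT" parent 1:1 classid 1:20 htb \
        rate "${FTP_KBIT}kbit" ceil "${FTP_KBIT}kbit"
    run tc filter add dev "$IF_EXT" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw classid 1:20
}

# Usage: sh ftpshape.sh show             (print the commands)
#        DRY_RUN=0 sh ftpshape.sh apply  (run as root)
case "${1:-}" in
    show|apply) ftp_mark_rules; ftp_tc_setup ;;
esac
```

Run it with `show` first and compare the printed rules against what is already loaded (`iptables -t mangle -L FORWARD -v`, `tc -s class show dev eth0`) before applying; the `-m helper` match depends on the ftp helper actually being attached to the control connection, which the raw-table CT rule ensures on kernels that no longer do it automatically.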