> $int_if = internal interface
> $dmz_if = dmz interface
> 
> pass in on $int_if inet proto tcp from $pc port > 1024 to $server port 21 keep state
> pass out on $dmz_if inet proto tcp from $pc port > 1024 to $server port 21 keep state
> 
> pass in on $int_if inet proto tcp from $pc port > 1024 to $server port 20 keep state
> pass out on $dmz_if inet proto tcp from $pc port > 1024 to $server port 20 keep state
> 

With that little information, please do not expect very accurate help.

You're probably missing how FTP works. As we can not see the
whole ruleset, here are simple suggestions.

If the client uses normal FTP to connect to the server in the DMZ:
 i) client connects to the server's port 21
 ii) client requests a file from the server
     a) server sends the port number XXXX to client over current 
        connection (from S:21 to C:1234 for example)
     b) client gets the port number and starts to listen on
        port XXXX
     c) server connects from its port 20 to the client's port XXXX
        ( S:20 ---> C:XXXX)
     d) server sends the data

If the client uses passive FTP to transfer data from the server:
 i) client connects to the server's port 21
 ii) client requests a file from the server
     a) server sends the port number PPPP to the client over the current connection
     b) server starts to listen on port PPPP (PPPP > 49151)
     c) client connects to the server's port PPPP
     d) server sends the data
     
Your rules will work for neither normal FTP nor passive FTP,
because your rules (I guess) do not allow packets from the server's port 20
to the client's port > 1024.

How to fix it:

1) You have to pass packets from pc port > 1024 to server port 21
   - no need to write a rule for the replies in case you "keep state"
2) You have to pass packets from server port 20 to pc port > 1024
   - "keep state"

If you also want passive ftp

3) You additionally have to pass packets from pc port > 1024 to
   server port > 49151
   - again "keep state"

Hope this "built-on-assumptions" message helps.

Regards,
-bdd
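The data-connection logic the reply walks through, as an added example that is not from the original thread: a small Python checker that decodes a client PORT command or a server "227" PASV reply into the data connection it announces, then tests that connection against rules 2 and 3 proposed above. The client and server addresses and the control-channel lines are constructed for illustration.

```python
import re

# FTP encodes host and port as six comma-separated decimal octets:
# h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(parts):
    """Turn the six captured octets into an (ip, port) pair."""
    h1, h2, h3, h4, p1, p2 = map(int, parts)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line, client, server):
    """Return (src_host, src_port, dst_host, dst_port) of the data
    connection a control-channel line announces, or None otherwise.
    A client source port of None means 'an ephemeral port > 1024'."""
    m = PORT_RE.match(line)
    if m:
        # Active mode: the server connects from port 20 to the client's XXXX.
        host, port = decode_hostport(m.groups())
        return (server, 20, host, port)
    m = PASV_RE.match(line)
    if m:
        # Passive mode: the client connects from an ephemeral port to PPPP.
        host, port = decode_hostport(m.groups())
        return (client, None, host, port)
    return None


def allowed(conn, client, server):
    """Apply the two data-channel rules from the reply (keep state is
    assumed, so only the initiating packet matters)."""
    src, sport, dst, dport = conn
    # Rule 2: server port 20 -> pc port > 1024 (active mode).
    if src == server and sport == 20 and dst == client and dport > 1024:
        return True
    # Rule 3: pc port > 1024 -> server port > 49151 (passive mode).
    if src == client and dst == server and dport > 49151:
        return True
    return False


if __name__ == "__main__":
    pc, srv = "192.168.1.10", "10.0.0.5"  # constructed addresses
    for line in ("PORT 192,168,1,10,4,210",                  # XXXX = 1234
                 "227 Entering Passive Mode (10,0,0,5,195,80)",  # PPPP = 50000
                 "227 Entering Passive Mode (10,0,0,5,39,16)"):  # PPPP = 10000
        conn = data_connection(line, pc, srv)
        print(line, "->", conn, "allowed:", allowed(conn, pc, srv))
```

The third sample shows the caveat in rule 3: a server whose passive range starts below 49152 announces a port the "> 49151" rule will not pass, so the rule's port range has to match the server's configured passive range.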
