Hello.
I have a problem with the rules for an ftp server which is standing in the DMZ. I read
the archive, but I can't find a working solution.
The firewall/router is running OpenBSD 3.4. There are 3 NICs:
ext_if="fxp2" - internet
prv_if="fxp0" - LAN
dmz_if="fxp1" - DMZ
In the DMZ I have one machine, for example 10.0.1.2 (OBSD 3.4). www, smtp and
pop run there, and everything works OK: I can connect to these services from the
LAN and from the internet. Only ftp I can't enable. The connection from the router to
the ftp DMZ server works well. But when I try to connect to the ftp server from e.g. the LAN,
I can only log in, but I can't LIST or PUT, for example.
Fragments of my pf.conf:
# ftp control (21) and active data (20) ports, internet -> DMZ host
rdr on $ext_if proto tcp from any to $ext_if port 20 -> 10.0.1.2 port 20
rdr on $ext_if proto tcp from any to $ext_if port 21 -> 10.0.1.2 port 21
# DMZ hosts that address the external interface
rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 20 -> $ext_adr port 20
rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 21 -> $ext_adr port 21
#ext_if
block in log on $ext_if all
block out on $ext_if all
pass in quick on $ext_if inet proto tcp from any to 10.0.1.2 port { 20, 21, 25, 53, 80, 110, 443 } flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 10.0.1.2 port > 1023 flags S/SA keep state
# active-mode data connections opened by the DMZ host from port 20
pass out quick on $ext_if inet proto tcp from 10.0.1.2 port 20 to any port { 20, >1023 } flags S/SA keep state
#dmz_if
pass in quick on $dmz_if proto tcp from 10.0.1.2 to any port { 20, 21, > 1023 } flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $dmz_net port { 20, 21, > 1023 } flags S/SA keep state
Have you any ideas what can be wrong? I was trying pass in/out quick all,
but without any result.
I read http://www.deadly.org/article.php3?sid=20020130012631 and IMO those
rules should work well.
When I run tcpdump it looks like the packets are passed and going out, but the
client can't "catch" them.
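Editor's note, added to this post and not part of the original question: pf has no FTP helper in the kernel, so "keep state" on the control connection (port 21) never creates state for the data connection. The data connection is a second TCP session whose direction and ports depend on the mode: in active mode the server opens it from port 20 to a high port the client named in PORT, in passive mode the client opens it to a high port the server named in PASV. The quoted fragment has rdr rules only for ports 20 and 21, so a passive-mode data connection arriving on the external address has nothing to redirect it to 10.0.1.2. The ruleset below is an added example of covering both cases with static rules. It assumes the macros shown (the external address 203.0.113.1 and LAN network 192.168.1.0/24 are placeholders), and it assumes that ftpd on 10.0.1.2 has been configured to use the passive port range 49152:49999 and to advertise the external address in PASV replies; both are assumptions of the example, not facts from the post.

```pf
# Added example, not the original poster's ruleset.
ext_if="fxp2"
prv_if="fxp0"
dmz_if="fxp1"
ext_adr="203.0.113.1"        # assumed external address (placeholder)
prv_net="192.168.1.0/24"     # assumed LAN network (placeholder)
ftp_srv="10.0.1.2"

# Control channel and passive data range, internet -> DMZ host.
# No port on the right-hand side: pf keeps the original destination port,
# so 49152:49999 on $ext_adr maps to 49152:49999 on $ftp_srv.
rdr on $ext_if proto tcp from any to $ext_adr port 21 -> $ftp_srv
rdr on $ext_if proto tcp from any to $ext_adr port 49152:49999 -> $ftp_srv

# Same for LAN clients that connect to the external address instead of 10.0.1.2.
# This works because the DMZ host's replies to $prv_net route back through
# the firewall (different subnet), unlike reflection inside one subnet.
rdr on $prv_if proto tcp from $prv_net to $ext_adr port 21 -> $ftp_srv
rdr on $prv_if proto tcp from $prv_net to $ext_adr port 49152:49999 -> $ftp_srv

block in log on $ext_if all
block out on $ext_if all

# 1. Control channel and 2. passive data: both go client -> server,
#    so they are covered in the same direction on each interface.
pass in quick on $ext_if inet proto tcp from any to $ftp_srv port { 21, 49152:49999 } flags S/SA keep state
pass in quick on $prv_if inet proto tcp from $prv_net to $ftp_srv port { 21, 49152:49999 } flags S/SA keep state
pass out quick on $dmz_if inet proto tcp from any to $ftp_srv port { 21, 49152:49999 } flags S/SA keep state

# 3. Active data: server -> client, opened by the DMZ host from port 20.
#    This is the reverse direction, so it needs its own rules in on $dmz_if
#    and out on whichever interface the client sits behind.
pass in quick on $dmz_if inet proto tcp from $ftp_srv port 20 to any port > 1023 flags S/SA keep state
pass out quick on $ext_if inet proto tcp from $ftp_srv port 20 to any port > 1023 flags S/SA keep state
pass out quick on $prv_if inet proto tcp from $ftp_srv port 20 to $prv_net port > 1023 flags S/SA keep state
```

Two caveats. First, the passive range only helps if the PASV reply carries an address the client can actually reach; if the ftpd on the DMZ host cannot be told to advertise the external address, LAN clients should connect to 10.0.1.2 directly and internet clients need the address rewritten by a proxy. Second, OpenBSD 3.4 ships ftp-proxy(8), started from inetd, which rewrites the PORT/PASV exchange and opens only the ports in use instead of a static range; that is the usual answer when a fixed range is not acceptable. The static rules above are the easier thing to check with tcpdump: watch for the SYN of the data connection on $dmz_if and see on which interface, and in which direction, it stops.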