Darek Eliasz wrote:
Hello. I have a problem with rules for an ftp server which is standing in the DMZ. I read the archive, but I can't find a working solution. The firewall/router is running under OpenBSD 3.4. There are 3 NICs:
ext_if="fxp2" - internet
prv_if="fxp0" - LAN
dmz_if="fxp1" - DMZ
In the DMZ I have one machine, for example 10.0.1.2 (OBSD 3.4). www, smtp and pop work there, and everything works OK; I can connect to these services from the LAN and from the "internet". Only ftp I can't enable. A connection from the router to the ftp server in the DMZ works well. But when I try to connect to the ftp server from e.g. the LAN I can only log in; I can't LIST or PUT, for example. Fragments of my pf.conf:
# redirect inbound ftp control (21) and active-mode data (20) to the DMZ host
rdr on $ext_if proto tcp from any to $ext_if port 20 -> 10.0.1.2 port 20
rdr on $ext_if proto tcp from any to $ext_if port 21 -> 10.0.1.2 port 21
rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 20 -> $ext_adr port 20
rdr on $dmz_if proto tcp from 10.0.1.0/24 to $ext_if port 21 -> $ext_adr port 21

#ext_if
block in log on $ext_if all
block out on $ext_if all
pass in quick on $ext_if inet proto tcp from any to 10.0.1.2 port { 20, 21, 25, 53, 80, 110, 443 } flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 10.0.1.2 port > 1023 flags S/SA keep state
# active-mode data connections opened by the server from port 20
pass out quick on $ext_if inet proto tcp from 10.0.1.2 port 20 to any port { 20, >1023 } flags S/SA keep state

#dmz_if
pass in quick on $dmz_if proto tcp from 10.0.1.2 to any port { 20, 21, > 1023 } flags S/SA keep state
pass out on $dmz_if inet proto tcp from any to $dmz_net port { 20, 21, > 1023 } flags S/SA keep state
Have you any ideas what can be wrong? I was trying pass in/out quick all, but without any result. I read http://www.deadly.org/article.php3?sid=20020130012631 and IMO those rules should work well. When I run tcpdump it looks like the packets are passed and going out, but the client can't "catch" them.
-- Maxime Labelle - [EMAIL PROTECTED]
