Date: Fri, 16 Nov 2001 20:24:07 +0300
From: Konstantin <skif_dk@mail.ru>
To: Chris Knight <chris@aims.com.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Stateful Rules and FTP
Message-ID: <7526380550.20011116202407@mail.ru>
In-Reply-To: <00bb01c16e78$37d102a0$020aa8c0@aims.private>
References: <00bb01c16e78$37d102a0$020aa8c0@aims.private>
Friday, November 16, 2001, 11:25:13 AM, you wrote:

CK> I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
CK> ed0 is the external interface.
CK> ed1 is the DMZ interface.
CK> ed2 is the internal interface.
CK> I want a select group of machines in the DMZ to be able to FTP, and only
CK> FTP, to a machine on the internal network to retrieve an installation image
CK> and packages. I've found the only way I can get passive FTP going is with
CK> the following rule:
CK> add pass tcp from <dmz subnet> to <internal ip> keep-state in recv ed1 setup

Change this string for FTP:

add pass tcp from <dmz subnet> to <internal ip> 21 keep-state in recv ed1 setup
add pass tcp from <internal ip> 20 to <dmz subnet> keep-state in recv ed1 setup

CK> But this then allows access to other services on the internal machine :-(
CK> Adding port 21 to the destination only allows FTP control connections and
CK> not FTP data connections. It's starting to drive me batty. Ideally, I'd like
CK> to be able to specify in the ruleset that the data has to traverse both ed1
CK> and ed2.
CK> Lack of sleep doesn't help either. Can anyone help me out?

Best regards,
Konstantin mailto:skif_dk@mail.ru
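The two rules above cover the control channel (port 21) and an active-mode data channel (server port 20 outbound), but Chris's problem is passive mode: the server picks a high port per transfer and announces it in the 227 reply, so no static destination port can be written into the ruleset in advance. The following is an added example, not code from the thread or from ipfw, showing what a stateful FTP helper has to do: parse the PASV reply (and PORT command) to learn the negotiated data port, refuse an announced address that is not the peer of that leg (otherwise the helper opens a pinhole to a third host), and render the per-transfer rule in the syntax used in this thread. The sample control session, the client address 10.0.0.7 and the server address 192.168.20.5 are constructed placeholders. One assumption is taken from Chris's interface layout: a passive data SYN from a DMZ client enters on ed1, while an active-mode data SYN from the internal server enters on ed2, so the active rule's `recv` interface differs from the one given above.

```python
import re

# Constructed sample of one FTP control session as a helper on the
# DMZ/internal boundary would see it (commands and replies interleaved).
# Addresses, ports and file names are placeholders, not values from the thread.
SAMPLE_CONTROL = [
    "USER install",
    "PASS secret",
    "PASV",
    "227 Entering Passive Mode (192,168,20,5,195,80).",
    "RETR base.tgz",
    "226 Transfer complete.",
    "PORT 10,0,0,7,4,1",
    "200 PORT command successful.",
    "RETR packages.tgz",
    # A 227 reply naming a third host: a helper that trusts it would open a
    # pinhole to an address the client never connected to ("FTP bounce").
    "227 Entering Passive Mode (192,168,20,99,0,22).",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """FTP carries host and port as six decimal bytes (RFC 959): port = p1*256 + p2."""
    a, b, c, d, p1, p2 = (int(f) for f in fields)
    if not all(0 <= x <= 255 for x in (a, b, c, d, p1, p2)):
        raise ValueError("h1-h4 and p1-p2 must each fit in a byte")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def data_connections(control_lines, client_ip, server_ip):
    """Return (accepted, rejected) data-channel connections for one session.

    accepted entries are (mode, src_ip, dst_ip, dst_port):
      passive: client -> server's announced high port (from the 227 reply)
      active:  server port 20 -> client's announced port (from the PORT command)
    An announced address that is not the peer of that leg is rejected, since
    honouring it would punch a hole toward an arbitrary third host.
    """
    accepted, rejected = [], []
    for line in control_lines:
        m = PASV_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host == server_ip:
                accepted.append(("passive", client_ip, server_ip, port))
            else:
                rejected.append(line)
            continue
        m = PORT_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if host == client_ip:
                accepted.append(("active", server_ip, client_ip, port))
            else:
                rejected.append(line)
    return accepted, rejected


def ipfw_rule(conn, ingress):
    """Render one stateful ipfw rule for a data connection, in the syntax used
    in the thread. `ingress` maps the SYN's source IP to the interface it
    enters the firewall on (assumed: DMZ hosts on ed1, internal host on ed2)."""
    mode, src, dst, dport = conn
    src_spec = f"{src} 20" if mode == "active" else src
    return (f"add pass tcp from {src_spec} to {dst} {dport} "
            f"keep-state in recv {ingress[src]} setup")


def uncovered(conns, static_dst_ports):
    """Data connections that a static rule set limited to these destination
    ports would drop. With {21} alone, every data channel is dropped."""
    return [c for c in conns if c[3] not in static_dst_ports]


if __name__ == "__main__":
    client, server = "10.0.0.7", "192.168.20.5"
    ingress = {client: "ed1", server: "ed2"}
    accepted, rejected = data_connections(SAMPLE_CONTROL, client, server)
    for conn in accepted:
        print(ipfw_rule(conn, ingress))
    print("rejected announcements:", rejected)
    print("dropped by a port-21-only rule:", uncovered(accepted, {21}))
```

Without a helper of this kind in the packet path, the usual way to keep a port-21-only ruleset is to pin the server's passive port range to a small block and add one `keep-state` rule for that block, which is a general practice rather than anything the thread itself prescribes.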