Date:      Fri, 16 Nov 2001 19:25:13 +1100
From:      "Chris Knight" <chris@aims.com.au>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Stateful Rules and FTP
Message-ID:  <00bb01c16e78$37d102a0$020aa8c0@aims.private>

Howdy,

I'm running 4.4-stable on a box with 3 interfaces: ed0, ed1 and ed2.
ed0 is the external interface.
ed1 is the DMZ interface.
ed2 is the internal interface.

I want a select group of machines in the DMZ to be able to FTP, and only
FTP, to a machine on the internal network to retrieve an installation image
and packages. I've found the only way I can get passive FTP going is with
the following rule:

add pass tcp from <dmz subnet> to <internal ip> keep-state in recv ed1 setup

But this then allows access to other services on the internal machine :-(
Adding port 21 to the destination only allows FTP control connections and
not FTP data connections. It's starting to drive me batty. Ideally, I'd like
to be able to specify in the ruleset that the data has to traverse both ed1
and ed2.
Lack of sleep doesn't help either. Can anyone help me out?

Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664  Fax: +61 3 6331 7032  Mob: +61 419 528 795
Web: http://www.aims.com.au
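One way to get the "FTP and only FTP" restriction the post asks for, as an added example that is not part of the original message or of any reply to it: a stateful packet filter cannot know which ephemeral port a passive data connection will use, so the usual defender's answer is to pin the FTP server to a fixed passive port range and open only port 21 plus that range, with everything else from the DMZ toward the internal host logged and dropped. The script below builds such a ruleset in the 4.x ipfw syntax the post uses. The addresses are constructed stand-ins for the post's `<dmz subnet>` and `<internal ip>`, the range 49152-49200 is an assumption (the FTP server must actually be configured to use it), and the rule numbers and the `port_allowed` self-check helper are mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate (or apply) an ipfw
# ruleset that lets DMZ hosts reach only FTP on one internal host.
# Assumption: the internal FTP server has been pinned to PASV_RANGE for
# passive data connections; without that, no port-based rule can be tight.

DMZ_NET=${DMZ_NET:-192.168.10.0/24}     # constructed stand-in for <dmz subnet>
INT_HOST=${INT_HOST:-192.168.20.5}      # constructed stand-in for <internal ip>
PASV_RANGE=${PASV_RANGE:-49152-49200}   # assumed server-side passive port range
DMZ_IF=${DMZ_IF:-ed1}                   # interface the DMZ traffic arrives on
IPFW=${IPFW:-ipfw}                      # set IPFW="echo ipfw" for a dry run

# Print the rules, one per line, in the order they should be loaded.
gen_rules() {
    # Dynamic rules are checked first, so both legs of an established
    # session (in on ed1, out on ed2) pass without interface-specific rules.
    echo "add 1000 check-state"
    # FTP control channel: only the DMZ subnet, only port 21, only inbound on ed1.
    echo "add 1100 pass tcp from $DMZ_NET to $INT_HOST 21 setup keep-state in recv $DMZ_IF"
    # Passive data channel: only the pinned range, same direction and interface.
    echo "add 1200 pass tcp from $DMZ_NET to $INT_HOST $PASV_RANGE setup keep-state in recv $DMZ_IF"
    # Anything else from the DMZ toward the internal host is logged and dropped,
    # which is also where a misconfigured server's stray data port shows up.
    echo "add 1300 deny log tcp from $DMZ_NET to $INT_HOST in recv $DMZ_IF"
}

# Feed each generated rule to ipfw (or to whatever $IPFW names).
apply_rules() {
    gen_rules | while read -r line; do
        $IPFW $line
    done
}

# Self-check helper: does the ruleset admit a new connection to this port?
# Returns 0 for port 21 and for ports inside PASV_RANGE, 1 otherwise.
port_allowed() {
    port=$1
    lo=${PASV_RANGE%-*}
    hi=${PASV_RANGE#*-}
    [ "$port" -eq 21 ] && return 0
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    return 1
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to review the rules, with `IPFW="echo ipfw" ./ftp-rules.sh apply` to see exactly what would be executed, and with `apply` to load them. The alternative, if the server's passive range cannot be confined, is an FTP-aware proxy in the DMZ rather than a port-based rule; a plain packet filter has nothing else to match on.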
