Hello,

My problem
- Can't connect to the FTP server in the DMZ from clients in the LAN subnet (connections from the WAN subnet work in both passive and active mode)

My configuration
- WAN interface: 192.168.1.64 (fxp0)
- LAN interface: 10.0.0.1 (fxp1)
- DMZ interface: 172.16.0.1 (fxp2)
- FTP Server IP: 172.16.0.2 (alias: Crypt)
  ports for passive connections replies: 49500-49900
  IP forced on PASV/EPSV/SPSV replies: 192.168.1.64 (WAN interface)
  clients allowed from: 127.0.0.1, 192.168.0.0/16, 10.0.0.0/8
- NAT rules
  Server NAT: 192.168.1.64
  Inbound: WAN | TCP | 21 | Crypt (ext.: 192.168.1.64) | 21
  Inbound: WAN | TCP | 49500-49900 | Crypt (ext...) | 49500-49900
- Firewall PASS rules on WAN interface
  TCP | 192.168.0.0/16 | * | Crypt | 21
  TCP | 192.168.0.0/16 | * | Crypt | 49500-49900
- Firewall PASS rules on DMZ interface
  TCP | Crypt | 20 | 192.168.0.0/16 | *

My question

Now what rules (or maybe routes?) should I add to allow FTP connections from clients in the LAN to the FTP server (passive and active)? On this DMZ machine there is also an HTTP server accessible only to LAN clients (via outgoing PASS rules), and I want to stick with this - WAN clients can't request GET/HEAD.

Any suggestion would be really appreciated,
Michal Bartkowiak