Hi,
i run an OpenBSD 4.3 firewall with 3 network interfaces : 1 LAN, 1 WAN
and 1 DMZ
I use ftp-proxy to allow ftp client connexions from my LAN and it works
well. On my DMZ, i have multiple servers (web,dns,smtp,etc...) and they
have all one different public IP. So, i use binat rules to nat them
easily and it works fine too.
But i need to allow these servers on DMZ to make FTP client connexions
to external servers too. So I have put a rdr rule like the one i did for
my lan to make my DMZ servers use the ftp-proxy daemon. But this doesn't
work, i can only connect to external FTP servers from my DMZ servers if
disable the binat rule associated with the server which try to connect.
My question is, is there a mean to do what i want to do ? :)
Thanks a lot !
below an extract of my pf rules:
nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"
binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub
rdr-anchor "ftp-proxy/*"
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0
port 8021
...
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to
lo0 port 8021
anchor "ftp-proxy/*"
...
