I might not completely understand your network setup but it seems like you
have your IP addresses setup incorrectly in your pf.conf. When you BINAT your
second server you will need to direct it to the internal IP address of the
server itself.
I think something like this would work for you.
emtelZ-internal=192.168.0.26
binat on $Net from $emtelZ-internal to any -> $emtelZ
On Wednesday 31 August 2005 06:56 am, lukas wrote:
> Heloo
>
> My problem situation is:
>
> I've OB 3.6
>
> Two FTP serwers in my network (linux, cyberFTP on win xp)
>
> I've two public IP adreses, one for serwer
>
> One serwer (proftpd) is working. but i can only connect in passive mode
> (from windows with SFTP)
>
> The second one is behind binat, because its second company with they
> internal router on linux (all is working from lan)
>
> I need to use both servers.
> Mayby i should use something else no binat...
>
>
> My PF
>
> Net="xl0"
> Lan="xl1"
> VIP="xl2"
> Lan2="xl3"
>
> teleprofZ=217.153.216.25 - first serwer on linux
> teleprofW=172.17.70.:)
> emtelW=192.168.0.:)
> emtelZ=217.153.216.26 - - second serwer on win xP
>
>
> scrub in all
>
> nat on $Net from $Lan:network to any -> $Net
> nat on $Net from $VIP:network to any -> $Net
> nat on $Net from $Lan2:network to any -> $Net
> binat on $Net from $emtelW to any -> $emtelZ
>
> #######################FTP
> rdr on $Lan proto { tcp, udp } from any to any port 21 -> 127.0.0.1 port
> 8021
> rdr on $VIP proto { tcp, udp } from any to any port 21 -> 127.0.0.1 port
> 8021
> rdr on $Lan2 proto { tcp, udp } from any to any port 21 -> 127.0.0.1
> port 8021
>
> rdr on $Net proto { tcp, udp } from any to any port 25 -> $teleprofW port
> 25 rdr on $Net proto { tcp, udp } from any to any port 143 -> $teleprofW
> port 143
> rdr on $Net proto { tcp, udp } from any to any port 110 -> $teleprofW
> port 110
> rdr on $Net proto { tcp, udp } from any to any port 822 -> $teleprofW
> port 22
> rdr on $Net proto { tcp, udp } from any to any port 995 -> $teleprofW
> port 995#TELEPROF
> rdr on $Net proto { tcp, udp } from any to any port 80 -> $teleprofW port
> 80 rdr on $Net proto tcp from any to any port 443 -> $teleprofW port 443
>
> #FTP
> rdr on $Net proto tcp from any to any port 825 -> $teleprofW port 825
> rdr on $Net proto tcp from any to any port 49152:65535 -> $teleprofW
> port 49152:65535
> rdr on $Net proto tcp from any to any port 20 -> $teleprofW port 20
> #Second FTP
> #rdr on $Net proto tcp from any to any port 49152:65535 -> $emtelW port
> 49152:65535 - its usless :)
>
> block in on $Net all
> block in on $Net proto icmp all
> block in on $Net proto { tcp, udp } from any to $Net
> block from $Lan:network to $Lan2:network
> block from $Lan2:network to $Lan:network
> block from $VIP:network to $Lan
>
>
> #Second ftp
> pass in on $Net proto { icmp, tcp, udp} from any to $emtelW
> #Second ftp
> pass in on $Net proto icmp from 195.94.194.108 to 217.153.216.22
> pass in on $Net proto { tcp, udp, icmp } from $tamka to any
> #WWW
> pass in on $Net proto { tcp, udp } from any to $teleprofW port 80 keep
> state pass in on $Net proto { tcp, udp } from any to $teleprofW port 443
> keep state
> pass in on $Net proto { tcp, udp } from any to $teleprofW port 993 keep
> state
> pass in on $Net proto { tcp, udp } from any to $teleprofW port 995 keep
> state
> pass in on $Net proto { tcp, udp } from any to $teleprofW port 25 keep
> state pass in on $Net proto { tcp, udp } from any to $teleprofW port 822
> keep state
> pass in on $Net proto { tcp, udp } from any to $teleprofW port 110 keep
> statepass in quick on $Net proto tcp from any to $teleprofW port 825
> keep state
> pass in quick on $Net proto tcp from any to $teleprofW port 20 keep state
> pass in quick on $Net proto tcp from any to $teleprofW port > 49151 keep
> state
> #Second Ftp
> pass in quick on $Net proto tcp from any to $emtelW port > 49151 keep state
>
> pass out quick on $Lan proto tcp from any to $teleprofW port 825 keep state
> pass out quick on $Lan proto tcp from any to $teleprofW port 20 keep state
> pass out quick on $Lan proto tcp from any to $teleprofW port > 49151
> keep state
> #Second Ftp
> pass out quick on $Lan2 proto tcp from any to $emtelW port > 49151 keep
> state
>
> pass out on $Net inet proto { udp, icmp } all keep state
> pass out on $Net inet proto tcp all flags S/SA keep state
>
> pass quick on lo0 all
>
> #FTP
>
> pass in quick on $Net proto tcp from any to $teleprofW port 825 keep state
>
> :network
>
> Thnkyou for any ideas to improve security of my PF :)
>
> Morty
