I'm trying to set up the following:
                      / <-> CARP
WAN int (PFSENSE BOX) <-> LAN
                      \ <-> DMZ
I want to have NAT on the LAN, bi-NAT on the DMZ, filtering incoming and
outgoing traffic. I'm close, but I've had issues trying to get this
all working; I can't get outbound PASV FTP from the DMZ. I just want to be sure that
pfSense is capable before I expend any more energy on this. I can't find
the traffic being blocked, nor do I see it connecting to the local proxy.
Let me know what else I can supply you with; here are some details:
The CARP interface is disabled until I get this working.
(for below - x.x.x = external address scheme)
OPT1(DMZ)* -> em0 -> 10.1.1.1
LAN* -> bge0 -> 172.16.128.15
WAN* -> xl0 -> x.x.x.89
pfctl -sr | grep USER
pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state label "USER_RULE"
pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state label "USER_RULE"
pass in quick on xl0 proto tcp from any to any port = ssh keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = ntp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = domain keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = ftp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = https keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = http keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ssh keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ntp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = domain keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ftp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = https keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = http keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152 flags S/SA keep state label "USER_RULE: FTP Passive ports"
pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 flags S/SA keep state label "USER_RULE"
pass in quick on em0 all keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1 flags S/SA keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = http flags S/SA keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = https flags S/SA keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = ftp flags S/SA keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = domain flags S/SA keep state label "USER_RULE"
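Added here as an example, not code from the poster or from pfSense: a small Python audit that reads rule lines in the shape of the pfctl -sr output above (the regex assumes that shape) and flags the three things in this ruleset worth a second look before chasing the FTP problem: the "all" pass on em0, UDP rules to TCP-only ports (they can never match), and the passive port range open from any on the WAN. The sample rules are constructed with placeholder addresses.

```python
import re

# Constructed sample in the same shape as the pfctl -sr output above; the real
# WAN addresses are redacted on the list, so 10.1.1.150 etc. stand in.
SAMPLE_RULES = """\
pass in quick on xl0 proto udp from any to any port = ssh keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = ftp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152 flags S/SA keep state label "USER_RULE: FTP Passive ports"
pass in quick on em0 all keep state label "USER_RULE"
pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port = ftp flags S/SA keep state label "USER_RULE"
"""

TCP_ONLY = {"ssh", "ftp", "http", "https"}  # services that never use UDP

# Assumed rule grammar: the subset of pf syntax that appears in the listing above.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: quick)? on (?P<iface>\S+)"
    r"(?: inet6?)?(?: proto (?P<proto>\S+))? "
    r"(?:(?P<all>all)|from (?P<src>\S+)(?: port (?P<sop>=|>=|<=) (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port (?P<dop>=|>=|<=) (?P<dport>\S+))?)"
)


def parse_rule(line):
    """Return the matched fields of one pfctl -sr line, or None if unrecognised."""
    m = RULE_RE.match(line)
    return m.groupdict() if m else None


def audit(text):
    """Return a list of (line_no, reason) for pass rules worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if r is None or r["action"] != "pass":
            continue
        if r["all"]:
            findings.append((n, f"passes all traffic in on {r['iface']}"))
        elif r["proto"] == "udp" and r["dport"] in TCP_ONLY:
            findings.append((n, f"udp to {r['dport']} never matches; dead rule"))
        elif r["src"] == "any" and r["dop"] == ">=":
            findings.append((n, f"ports {r['dport']}+ on {r['dst']} open from any"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_RULES):
        print(f"rule {line_no}: {reason}")
```

Run it on the real listing with `pfctl -sr | python3 audit.py`-style piping by replacing SAMPLE_RULES with sys.stdin.read().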