[Firehol-support] Extending complex service FTP
Andre Marenke
andre.marenke at awc.net.au
Mon Dec 15 06:17:19 GMT 2003
Hello,
I am currently trying to extend/recreate the FTP service definitions. I
have a router R and two machines M1 and M2 behind the router.
I have http running on M1 and ftp on M2. My ftp server is set up to
listen on ports 2500:2520 (one port for each virtual ftp domain).
2 Questions:
1) With the setup I have below it is not possible to do passive FTP to
the FTP server and my definition is too simple to allow for conntrack to
work. Is it possible to modify the existing FTP server definition in an
easy way to gain full FTP functionality with different ports?
2) I have only set up one router and was wondering what the best/most
elegant solution is to split traffic up depending on the type of
traffic? Define multiple routers with destination ip addresses set for
each service or one router with the service destination IP addresses
set?
Thanks for a great product btw!
My setup is like this:
interface eth0 internet
    policy DROP
    protection strong
    client ssh accept

interface eth1 dmz
    policy REJECT
    protection strong
    server squid accept
    server ssh accept
    client ssh accept

router net2dmz inface eth0 outface eth1
    route http accept
    route custom ftpserver tcp/2500:2520 default accept

router dmz2net inface eth1 outface eth0
    route all accept
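Added example, not part of the original post and not FireHOL's own code: the custom route above only opens the FTP control ports 2500:2520; in passive mode the server picks a separate data port per transfer, so the kernel's FTP connection-tracking helper has to watch each control port to let those data connections through. The helper is loaded with a comma-separated list of control ports, and the assumption here (from the ip_conntrack_ftp / nf_conntrack_ftp source as I recall it) is that it accepts at most 8 of them per module instance. The function below builds that list from a port range and fails when the range is wider than the helper can track, which is exactly the case for the 21 ports in the post.

```shell
#!/bin/sh
# Added example (not from the post or from FireHOL). Builds the comma-separated
# port list for the kernel FTP conntrack helper's "ports=" module parameter.
# Assumption: the helper tracks only the control ports listed, and accepts
# at most 8 of them (MAX_PORTS in the kernel source, as I recall it).

HELPER_MAX_PORTS=8

# ftp_helper_ports FIRST LAST -> prints "2500,2501,..." on stdout.
# Returns 1 when the range holds more ports than the helper can track, so the
# caller notices instead of silently losing passive-mode tracking on the rest.
ftp_helper_ports() {
    first=$1
    last=$2
    count=$((last - first + 1))
    list=""
    p=$first
    while [ "$p" -le "$last" ]; do
        list="${list}${list:+,}${p}"
        p=$((p + 1))
    done
    printf '%s\n' "$list"
    [ "$count" -le "$HELPER_MAX_PORTS" ]
}

# Usage: a range that fits yields a usable modprobe line; the range from the
# post (2500:2520, 21 ports) is rejected and needs to be split or trimmed.
if ports=$(ftp_helper_ports 2500 2507); then
    echo "modprobe ip_conntrack_ftp ports=$ports"
fi
ftp_helper_ports 2500 2520 >/dev/null ||
    echo "2500:2520 is 21 ports; the helper tracks at most $HELPER_MAX_PORTS" >&2
```

The module name and the 8-port limit are assumptions to check against the kernel in use; the point that survives regardless is that opening the control ports alone does not make passive FTP work, and that the number of virtual FTP domains is bounded by what the helper can track.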