[Firehol-support] Extending complex service FTP

Andre Marenke andre.marenke at awc.net.au
Mon Dec 15 06:17:19 GMT 2003


Hello,

I am currently trying to extend/recreate the FTP service definitions. I
have a router R and two machines M1 and M2 behind the router. 

I have http running on M1 and ftp on M2. My ftp server is setup to
listen on ports 2500:2520 (one port for each virtual ftp domain).

2 Questions:
1) With the setup I have below it is not possible to do passive FTP to
the FTP server and my definition is too simple to allow for conntrack to
work. Is it possible to modify the existing FTP server definition in an
easy way  to gain full FTP functionality with different ports?

2) I have only set up one router and was wondering what the best/most
elegant solution is to split traffic up depending on the type of
traffic? Define multiple routers with destination ip addresses set for
each service or one router with the service destination IP addresses
set?

Thanks for a great product btw!

My setup is like this:

interface eth0 internet
       policy DROP
       protection strong
       client ssh accept

interface eth1 dmz
       policy REJECT
       protection strong
       server squid accept
       server ssh accept
       client ssh accept

router net2dmz inface eth0 outface eth1
       route http accept
       route custom ftpserver tcp/2500:2520 default accept

router dmz2net inface eth1 outface eth0
       route all accept





More information about the Firehol-support mailing list