Problems with DMZ

Lou Kamenov phayze at secureroot.org.uk
Thu Jan 16 14:42:50 GMT 2003


In some email I received from Martyn Carl Pfalzer-Brown
<carlpfalzer at yahoo.com> on Thu, 16 Jan 2003 14:25:55 +0000 (GMT) :
> Hi people,
>  
> I am a total newbie, so please excuse my ignorance.
> Unable to connect to my ftp/http server through my
> firewall from outside, connects fine from internal
> network.
> Using Freebsd 4.7-Stable, running IPfilter. Below are
> my .rules files. Can anybody help me?
>  
> ipf.rules
> pass out log quick on xl0 from any to any keep state
> pass in log quick on xl0 from any to any keep state
> pass out log quick on xl1 from any to any keep state
> pass in log quick on xl1 from any to any keep state
> pass out log quick on xl2 from any to any keep state
> pass in log quick on xl2 from any to any keep state
> pass in quick on lo0 all
> pass out quick on lo0 all

## if all your interfaces are xl{0,1,2} and lo0
pass out log from any to any keep state
pass in log from any to any keep state

Do you block anything?
Also use keep state with flags.


> ipnat.rules
> map xl1 192.168.1.0/24 -> 0/32
> map xl2 10.1.0.0/24 -> 0/32
> rdr xl0 213.48.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 tcp
> rdr xl0 213.48.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 udp
> rdr xl1 192.168.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 tcp
> rdr xl1 192.168.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 udp
> rdr xl2 10.1.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 tcp
> rdr xl2 10.1.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 udp
> rdr xl0 213.48.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 tcp
> rdr xl0 213.48.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 udp
> rdr xl1 192.168.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 tcp
> rdr xl1 192.168.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 udp
> rdr xl2 10.1.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 tcp
> rdr xl2 10.1.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 udp

Elaborate on this, please?

A few maps in here are overlapping.

cheers,
-lou


----

Lou Kamenov	lou at freebsd-bg.org		lou.k at hq.aeye.net
FreeBSD BGUG	http://www.freebsd-bg.org	http://www.aeye.net
Key Fingerprint - 936F F64A AD50 2D27 07E7  6629 F493 95AE A297 084A
One advantage of talking to yourself is that you know at least
somebody's listening. - Franklin P. Jones 
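As an added illustration of the two points raised above (a default-deny filter with "keep state" plus flags, and non-overlapping rdr maps), here is a minimal IPFilter ruleset for the layout the original poster describes. It is example configuration written for this thread, not the poster's or Lou's files; it assumes xl0 is the Internet side, xl1 the 192.168.1.0/24 LAN, xl2 the 10.1.0.0/24 DMZ, and it keeps the poster's redacted 213.48.xxx.xxx as a placeholder for the real external address.

```ipf
# ipnat.rules (added example, not the original poster's file)
# Outbound translation: both internal networks leave through xl0's own
# address. Put the map on the interface the packets leave on, i.e. xl0.
map xl0 192.168.1.0/24 -> 0/32
map xl0 10.1.0.0/24 -> 0/32
# Publish the DMZ host on the external interface only, and only for TCP:
# HTTP and the FTP control channel are TCP, so the udp entries add nothing.
# 213.48.xxx.xxx is the poster's redacted address; substitute your own.
rdr xl0 213.48.xxx.xxx/32 port 80 -> 10.1.0.3 port 8080 tcp
rdr xl0 213.48.xxx.xxx/32 port 21 -> 10.1.0.3 port 21 tcp
# FTP data channels additionally need ipnat's ftp proxy; see ipnat(5).

# ipf.rules (added example)
# Default deny on every interface; everything below is an explicit exception.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
# Inbound from the Internet. rdr is applied before the filter on input, so
# the rule must match the translated DMZ destination, not 213.48.xxx.xxx.
# "flags S keep state" admits only the SYN that opens a connection; the
# state entry then carries the rest of that flow in both directions.
pass in quick on xl0 proto tcp from any to 10.1.0.3 port = 8080 flags S keep state
pass in quick on xl0 proto tcp from any to 10.1.0.3 port = 21 flags S keep state
# The LAN may originate anything; the DMZ host may only do DNS lookups,
# so a compromised DMZ box cannot open arbitrary connections inward or out.
pass in quick on xl1 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on xl1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on xl1 proto icmp from 192.168.1.0/24 to any keep state
pass in quick on xl2 proto tcp from 10.1.0.0/24 to any port = 53 flags S keep state
pass in quick on xl2 proto udp from 10.1.0.0/24 to any port = 53 keep state
# Outbound on xl0 for flows this firewall itself originates (updates, DNS).
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
```

With "block in log all" as the default, a connection that still fails shows up in ipmon's log with the interface and the translated address it was blocked on, which is the quickest way to tell a filter problem from an rdr problem.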




More information about the Ukfreebsd mailing list