Hi
Hi, I have a firewall setup with EXT, DMZ and internal network. The DMZ houses a webserver and ftp server. I can access the webserver and ftp server from the internet but only the web server from internal. The ftp server authenticates but can't open return ports back to internal. My current setup on FW_FORWARD is like this:
FW_FORWARD="192.168.1.0/24,192.168.2.2,tcp,80 192.168.1.0/24,192.168.2.2,tcp,21"
I have tried various other settings and I even tried adding
192.168.2.2,192.168.1.0/24,tcp
to allow the return traffic on any port but I cant get it to work. How can I get this to work?
ftp is a bit a tricky protocol. I don't know about suse firewall, I just can give you general tips. I hope they will help You must distinct between active ftp or passive ftp. Since you're running iptables (suse firewall uses iptables) you probably will be using passive ftp. In that case you should open at least these ports from LAN -> DMZ src port dst port iptables match -m 1024: 21 -m --state NEW, ESTABLISHED 1024: all -m --state ESTABLISHED, RELATED from DMZ -> LAN src port dst port iptables match -m 21 1024: -m --state ESTABLISHED all 1024: -m --state ESTABLISHED the iptables target of course is always -j ACCEPT. Port 21 is ftp control port. Port 20 usually is ftp-data port. Using passive ftp the data port is negotiated between the ftp server and the client. Thus, ftp data src port can be above 1024. HTH Philipp