[fli4l] ftp and further questions after the DHCP switchover

Martin martin at mader.info
Thu Jan 19 17:43:57 CET 2017


Hello Christoph,

here is the firewall:
  NET1 = internal network, which also contains FileZilla
  NET2 = second network, which may only reach the Internet but not NET1
  NET3 = Internet access via DHCP
PF_INPUT_POLICY='REJECT'
PF_INPUT_ACCEPT_DEF='yes'
PF_INPUT_LOG='no' 
PF_INPUT_LOG_LIMIT='3/minute:5' 
PF_INPUT_REJ_LIMIT='1/second:5'
PF_INPUT_UDP_REJ_LIMIT='1/second:5'
PF_INPUT_N='1'  
PF_INPUT_1='IP_NET_1 ACCEPT'
PF_INPUT_2='tmpl:samba DROP NOLOG'
PF_INPUT_2_COMMENT='no samba traffic allowed'
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no' 
PF_FORWARD_LOG_LIMIT='3/minute:5'
PF_FORWARD_REJ_LIMIT='1/second:5'
PF_FORWARD_UDP_REJ_LIMIT='1/second:5'
PF_FORWARD_N='4'
PF_FORWARD_1='tmpl:samba DROP'
PF_FORWARD_2='IP_NET_1 IP_NET_2 DROP BIDIRECTIONAL'
PF_FORWARD_3='IP_NET_1 ACCEPT'
PF_FORWARD_4='IP_NET_2 ACCEPT'
PF_OUTPUT_POLICY='ACCEPT'
PF_OUTPUT_ACCEPT_DEF='yes'
PF_OUTPUT_LOG='no'
PF_OUTPUT_LOG_LIMIT='3/minute:5'
PF_OUTPUT_REJ_LIMIT='1/second:5'
PF_OUTPUT_UDP_REJ_LIMIT='1/second:5'
PF_OUTPUT_N='0'
PF_POSTROUTING_N='2'
PF_POSTROUTING_1='IP_NET_1 MASQUERADE'
PF_POSTROUTING_2='IP_NET_2 MASQUERADE'
PF_PREROUTING_N='0'
PF_PREROUTING_1='1.2.3.4 dynamic:22 DNAT:@client2'
PF_PREROUTING_CT_ACCEPT_DEF='yes'
PF_PREROUTING_CT_N='2' 
PF_PREROUTING_CT_1='tmpl:ftp IP_NET_3 HELPER:ftp'
#PF_PREROUTING_CT_1='tmpl:ftp if:IP_NET_3_DEV:any HELPER:ftp' (was an earlier attempt)
PF_PREROUTING_CT_2='tmpl:ftp any dynamic HELPER:ftp'
PF_OUTPUT_CT_ACCEPT_DEF='yes'
PF_OUTPUT_CT_N='0'
PF_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'
PF_USR_CHAIN_N='0'

/var/run/dynamic.ip contains the correct IP.

# iptables -t raw -vnL
Chain PREROUTING (policy ACCEPT 20136 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       [IP des Prov.]/19    0.0.0.0/0            tcp dpt:21 /* PF_PREROUTING_CT_1='tmpl:ftp IP_NET_3 HELPER:ftp' (PLACEHOLDER:1) */ CT helper ftp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            [meine externe IP]   tcp dpt:21 /* PF_PREROUTING_CT_2='tmpl:ftp any dynamic HELPER:ftp' (PLACEHOLDER:2) */ CT helper ftp

Chain OUTPUT (policy ACCEPT 777 packets, 92458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 /* outbound active FTP traffic */ CT helper ftp
# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 1099 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 pi-ovpn    all  --  tun+   *       0.0.0.0/0            0.0.0.0/0            /* if:tun+:any pi-ovpn */
 1127  164K PORTFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PORTFW */
# iptables -t nat -vnL PORTFW
Chain PORTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Regards, Martin
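A check worth running on a fli4l packet-filter config like the one above, added here as an example and not part of the post or of fli4l's own tooling: fli4l reads exactly the first N entries of each PF_*_N list, so a rule numbered above N (PF_INPUT_2 with PF_INPUT_N='1', PF_PREROUTING_1 with PF_PREROUTING_N='0', PF_OUTPUT_CT_1 with PF_OUTPUT_CT_N='0' in the config above) is silently not loaded, and the rule the admin believes is active is simply absent from iptables. The script below parses a config on stdin (or a file given as its first argument) and reports every list whose declared N differs from the highest rule index actually defined; the embedded sample is constructed to reproduce the numbering from the post.

```shell
#!/bin/sh
# Added example (not fli4l's own code): report PF_*_N counts that do not
# match the PF_*_<i> rules present in a fli4l packet-filter config.
# Commented-out lines (leading '#') are ignored, as fli4l ignores them.

# Constructed sample reproducing the list numbering seen in the post above.
SAMPLE_CONFIG=$(cat <<'EOF'
PF_INPUT_N='1'
PF_INPUT_1='IP_NET_1 ACCEPT'
PF_INPUT_2='tmpl:samba DROP NOLOG'
PF_INPUT_2_COMMENT='no samba traffic allowed'
PF_FORWARD_N='4'
PF_FORWARD_1='tmpl:samba DROP'
PF_FORWARD_2='IP_NET_1 IP_NET_2 DROP BIDIRECTIONAL'
PF_FORWARD_3='IP_NET_1 ACCEPT'
PF_FORWARD_4='IP_NET_2 ACCEPT'
PF_PREROUTING_N='0'
PF_PREROUTING_1='1.2.3.4 dynamic:22 DNAT:@client2'
PF_PREROUTING_CT_N='2'
PF_PREROUTING_CT_1='tmpl:ftp IP_NET_3 HELPER:ftp'
#PF_PREROUTING_CT_1='tmpl:ftp if:IP_NET_3_DEV:any HELPER:ftp'
PF_PREROUTING_CT_2='tmpl:ftp any dynamic HELPER:ftp'
PF_OUTPUT_CT_N='0'
PF_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'
EOF
)

# check_counts: read config text on stdin, print one line per PF_* list
# whose declared _N differs from the highest numbered rule defined.
# Output is sorted so it is stable regardless of awk's hash order.
check_counts() {
    grep -v '^[[:space:]]*#' | \
    awk -F"='" '
        # PF_<LIST>_N=... : remember the declared count per list
        /^PF_[A-Z_]+_N=/ {
            name = $1; sub(/_N$/, "", name)
            n = $2; gsub(/[^0-9]/, "", n)
            declared[name] = n + 0
            next
        }
        # PF_<LIST>_<i>=... : track the highest index per list
        # (PF_<LIST>_<i>_COMMENT does not match because digits must
        #  directly precede the "=" separator)
        /^PF_[A-Z_]+_[0-9]+=/ {
            name = $1
            if (match(name, /_[0-9]+$/)) {
                idx  = substr(name, RSTART + 1) + 0
                name = substr(name, 1, RSTART - 1)
                if (idx > highest[name] + 0) highest[name] = idx
            }
        }
        END {
            for (name in declared)
                if (declared[name] != highest[name] + 0)
                    printf "%s: N=%d but %d rule(s) defined\n",
                           name, declared[name], highest[name] + 0
        }' | sort
}

# Stand-alone use: check the file named as first argument, else the sample.
if [ -n "$1" ]; then
    check_counts < "$1"
else
    printf '%s\n' "$SAMPLE_CONFIG" | check_counts
fi
```

Run against the sample it prints three lines (PF_INPUT, PF_OUTPUT_CT and PF_PREROUTING) and nothing for PF_FORWARD or PF_PREROUTING_CT, whose counts match. A zero-count list with rules beneath it is the case to look at first: the OUTPUT CT rule shown by `iptables -t raw -vnL` above carries fli4l's generic "outbound active FTP traffic" comment rather than the PF_OUTPUT_CT_1 text, which is consistent with PF_OUTPUT_CT_N='0' leaving that entry unread.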
