
[FW1] FTP problems in DMZ with anti-spoofing

Greetings,

I've been having a problem I haven't been able to resolve with my ftp servers in my DMZ. I recently put the anti-spoofing rules on the interfaces and everything works well except for my ftp connections from the local net.

When I ftp to the external legal address, everything is fine.
If I ftp to the 192.x.x.x address I connect, but cannot get a list.
The log shows no violation of Rule 0, it shows the ftp connection as accepted.

If I remove the anti-spoofing from the interfaces, everything works fine. Attempting to remove just the specifics from either the 10-Net or the DMZ interface also causes failure.

Both NAT addresses and internal ones are allowed on the DMZ interface, same for the local interface.

The rule allowing the ftp's is Source-> Any, Destination-> DmzFtpGroup (external plus internal ips), Service->ftp Accept.

If I do Source-> LocalNet, Destination-> DMZany, Service-> Any Accept, it still fails.

I'm running FW-1 v4.0 on a Solaris box.

Any ideas?

Thanks,
Jim Gadrow