Прошу помощи не могу понять почему к FTP в DMZ не могу подключится из интернета ((
Код: Выделить всё
#!/bin/sh
# reset rules
ipfw -q -f flush
######################## MAIN ########################
ext="em0"
int="em1"
dmz="em2"
cmd="ipfw -q add"
skip="skipto 3000"
######################## REDIRECT PORT ########################
ipfw -q nat 1 config if em0 same_ports unreg_only \
redirect_port tcp 168.17.16.2:21 21 \
redirect_port tcp 168.17.16.2:20 20 \
redirect_port tcp 168.17.16.2:30000-31000 30000-31000 \
redirect_port tcp 168.17.16.3:25 25 \
redirect_port tcp 78.89.70.72:70000 70000
######################## LAN OUT NETWORK ########################
# anti spoofing
$cmd 01 deny ip from any to any not verrevpath in
# allow root ssh
$cmd 05 allow tcp from $ssha to me 7899 in via $ext setup limit src-addr 2
# ban unfriendly icmp
$cmd 025 deny icmp from any to any in via $ext
# enable loopback and local traffic
$cmd 035 allow ip4 from any to any via lo0
$cmd 036 allow ip4 from any to any via $int
# unnat incoming traffic
$cmd 037 nat 1 ip4 from any to any in via $ext
# allow exchange traffic to lan
$cmd 040 allow tcp from any to 78.89.70.65 443
# allow nto traffic to lan
$cmd 046 allow tcp from any to 78.89.70.72 70000
######################## LAN IN NETWORK ########################
$cmd 050 check-state
# nat
$cmd 0200 $skip tcp from any to any out via $ext setup keep-state
$cmd 0210 $skip icmp from any to any out via $ext keep-state
$cmd 0220 $skip udp from any to any out via $ext keep-state
# allow exchange traffic to ext
$cmd 0223 $skip tcp from 78.89.70.65 443 to any
# allow nto traffic to ext
$cmd 0230 $skip tcp from 78.89.70.72 70000 to any
######################## DMZ RULES ########################
# from ext to dmz ftp
$cmd 0240 $skip tcp from any to 168.17.16.2 20,21,30000-31000 in via em0 keep-state
# from ext to dmz exchange edge
$cmd 0241 $skip tcp from any to 168.17.16.3 25 in via em0 keep-state
# from int to dmz ftp
$cmd 0242 allow tcp from any to 168.17.16.2 20,21,30000-31000 keep-state
$cmd 0243 allow tcp from 78.89.70.140 to 168.17.16.2 22 keep-state
$cmd 0244 allow icmp from any to 168.17.16.2 keep-state
$cmd 0245 deny all from 10.0.0.0/8 to 168.17.16.2
# from int to dmz exchange edge
$cmd 0250 allow tcp from 78.89.70.200 to 168.17.16.3 25,50636 keep-state
$cmd 0251 allow tcp from 100.50.40.201 to 168.17.16.3 25,50636 keep-state
$cmd 0252 allow tcp from 78.89.70.140 to 168.17.16.3 3389 keep-state
$cmd 0253 allow icmp from any to 168.17.16.3 keep-state
$cmd 0254 deny all from 10.0.0.0/8 to 168.17.16.3
# from dmz to int ftp
$cmd 0260 deny all from 168.17.16.2 to 10.0.0.0/8
# from dmz to int exchange edge
$cmd 0270 allow tcp from 168.17.16.3 to 78.89.70.65 25 keep-state
$cmd 0271 allow tcp from 168.17.16.3 to 100.50.40.222 25 keep-state
$cmd 0272 allow icmp from 168.17.16.3 to 78.89.70.65 keep-state
$cmd 0273 allow icmp from 168.17.16.3 to 100.50.40.222 keep-state
$cmd 0274 deny all from 168.17.16.3 to 10.0.0.0/8
# from dmz to ext ftp
$cmd 0280 $skip tcp from 168.17.16.2 to any 20,21,53,80,443 in via em2 keep-state
$cmd 0281 $skip udp from 168.17.16.2 to any 53 in via em2 keep-state
# from dmz to ext exchange edge
$cmd 0290 $skip tcp from 168.17.16.3 to any 25,53,80,443 in via em2 setup keep-state
$cmd 0291 $skip udp from 168.17.16.3 to any 53 in via em2 keep-state
######################## DENY RULES ########################
# deny gray networks
$cmd 0300 deny all from 224.0.0.0/3 to any in via $ext
$cmd 0301 deny all from 204.152.64.0/23 to any in via $ext
$cmd 0302 deny all from 192.0.2.0/24 to any in via $ext
$cmd 0303 deny all from 169.254.0.0/16 to any in via $ext
$cmd 0304 deny all from 0.0.0.0/8 to any in via $ext
$cmd 0305 deny all from 10.0.0.0/8 to any in via $ext
$cmd 0306 deny all from 172.16.0.0/12 to any in via $ext
$cmd 0306 deny all from 192.168.0.0/16 to any in via $ext
# deny fragmented packets
$cmd 0310 deny all from any to any frag in via $ext
# deny netbios ports
$cmd 0400 deny tcp from any to any 81 in via $ext
$cmd 0401 deny tcp from any to any 113 in via $ext
$cmd 0402 deny tcp from any to any 137 in via $ext
$cmd 0403 deny tcp from any to any 138 in via $ext
$cmd 0404 deny tcp from any to any 139 in via $ext
# deny all
$cmd 0500 deny log all from any to any in via $ext
$cmd 0510 deny log all from any to any out via $ext
# nat out point
$cmd 3000 nat 1 ip from any to any out via em0
$cmd 5000 allow ip from any to any
# deny all other
$cmd 6000 deny log all from any to any
[code]