Hello

My problem situation is:

I have OB 3.6.

Two FTP servers in my network (Linux, cyberFTP on Win XP).

I have two public IP addresses, one per server.

One server (proftpd) is working, but I can only connect in passive mode
(from Windows with SFTP).

The second one is behind binat, because it is a second company with their own
internal router on Linux (everything works from the LAN).

I need to use both servers.
Maybe I should use something else, not binat...


My PF:

Net="xl0"
Lan="xl1"
VIP="xl2"
Lan2="xl3"

teleprofZ=217.153.216.25   # first server, on Linux
teleprofW=172.17.70.
emtelW=192.168.0.
emtelZ=217.153.216.26      # second server, on Win XP


scrub in all

nat on $Net from $Lan:network to any -> $Net
nat on $Net from $VIP:network to any -> $Net
nat on $Net from $Lan2:network to any -> $Net
binat on $Net from $emtelW to any -> $emtelZ

#######################FTP
rdr on $Lan proto { tcp, udp } from any to any port 21 -> 127.0.0.1 port 8021
rdr on $VIP proto { tcp, udp } from any to any port 21 -> 127.0.0.1 port 8021
rdr on $Lan2 proto { tcp, udp } from any to any port 21 -> 127.0.0.1 port 8021

rdr on $Net proto { tcp, udp } from any to any port 25 -> $teleprofW port 25
rdr on $Net proto { tcp, udp } from any to any port 143 -> $teleprofW port 143
rdr on $Net proto { tcp, udp } from any to any port 110 -> $teleprofW port 110
rdr on $Net proto { tcp, udp } from any to any port 822 -> $teleprofW port 22
rdr on $Net proto { tcp, udp } from any to any port 995 -> $teleprofW port 995   # TELEPROF
rdr on $Net proto { tcp, udp } from any to any port 80 -> $teleprofW port 80
rdr on $Net proto tcp from any to any port 443 -> $teleprofW port 443

#FTP
rdr on $Net proto tcp from any to any port 825 -> $teleprofW port 825
rdr on $Net proto tcp from any to any port 49152:65535 -> $teleprofW port 49152:65535
rdr on $Net proto tcp from any to any port 20 -> $teleprofW port 20
#Second FTP
#rdr on $Net proto tcp from any to any port 49152:65535 -> $emtelW port 49152:65535   # it's useless

block in on $Net all
block in on $Net proto icmp all
block in on $Net proto { tcp, udp } from any to $Net
block from $Lan:network to $Lan2:network
block from $Lan2:network to $Lan:network
block from $VIP:network to $Lan


#Second ftp
pass in on $Net proto { icmp, tcp, udp } from any to $emtelW
#Second ftp
pass in on $Net proto icmp from 195.94.194.108 to 217.153.216.22
pass in on $Net proto { tcp, udp, icmp } from $tamka to any   # $tamka is not defined anywhere in this ruleset
#WWW
pass in on $Net proto { tcp, udp } from any to $teleprofW port 80 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 443 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 993 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 995 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 25 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 822 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 110 keep state
pass in quick on $Net proto tcp from any to $teleprofW port 825 keep state
pass in quick on $Net proto tcp from any to $teleprofW port 20 keep state
pass in quick on $Net proto tcp from any to $teleprofW port > 49151 keep state
#Second Ftp
pass in quick on $Net proto tcp from any to $emtelW port > 49151 keep state

pass out quick on $Lan proto tcp from any to $teleprofW port 825 keep state
pass out quick on $Lan proto tcp from any to $teleprofW port 20 keep state
pass out quick on $Lan proto tcp from any to $teleprofW port > 49151 keep state
#Second Ftp
pass out quick on $Lan2 proto tcp from any to $emtelW port > 49151 keep state

pass out on $Net inet proto { udp, icmp } all keep state
pass out on $Net inet proto tcp all flags S/SA keep state

pass quick on lo0 all

#FTP

pass in quick on $Net proto tcp from any to $teleprofW port 825 keep state   # duplicate of the port 825 rule above


Thank you for any ideas to improve the security of my PF.

Morty
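Two of the checks a reviewer would run over a ruleset like the one above, as an added example that is not part of the original post: a small Python linter that reports macros referenced but never defined (the `$tamka` reference in the post) and `pass`/`rdr` rules that open a wide port range to an internal host (the `49152:65535` and `port > 49151` rules). The embedded excerpt is constructed for the example and its host addresses are placeholders, not the poster's.

```python
import re

# Constructed excerpt in pf.conf syntax; addresses are placeholders, not the poster's.
RULESET = """\
Net="xl0"
Lan="xl1"
emtelW=192.168.0.10
teleprofW=172.17.70.10
rdr on $Net proto tcp from any to any port 49152:65535 -> $teleprofW port 49152:65535
pass in on $Net proto { tcp, udp, icmp } from $tamka to any
pass in quick on $Net proto tcp from any to $emtelW port > 49151 keep state
pass in on $Net proto { tcp, udp } from any to $teleprofW port 80 keep state
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s#]+)"?')  # name=value or name="value"
MACRO_REF = re.compile(r'\$(\w+)')                        # $name in a rule
PORT_RANGE = re.compile(r'port\s+(\d+):(\d+)')            # port lo:hi
PORT_GT = re.compile(r'port\s*>\s*(\d+)')                 # port > n

def parse_macros(text):
    """Return {macro name: value} for every macro definition line."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def undefined_macros(text):
    """Return {macro name: [line numbers]} for $references with no definition."""
    defined = parse_macros(text)
    missing = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in MACRO_REF.findall(line.split('#')[0]):
            if name not in defined:
                missing.setdefault(name, []).append(lineno)
    return missing

def wide_port_rules(text, max_width=100):
    """Return [(line number, number of ports)] for pass/rdr rules wider than max_width."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split('#')[0].strip()      # drop trailing comments and commented-out rules
        if not rule.startswith(('pass', 'rdr')):
            continue
        width = 0
        for lo, hi in PORT_RANGE.findall(rule):
            width = max(width, int(hi) - int(lo) + 1)
        for lo in PORT_GT.findall(rule):
            width = max(width, 65535 - int(lo))   # ports lo+1 .. 65535
        if width > max_width:
            hits.append((lineno, width))
    return hits
```

Running the checks over the poster's full pf.conf would flag the `$tamka` line and every rule that forwards or passes the 49152:65535 passive-FTP range straight to an internal address.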