misc/77089: natd ignores -u with passive FTP

Peter Much pmc at citylink.dinoex.sub.org
Thu Feb 3 22:20:18 PST 2005


>Number:         77089
>Category:       misc
>Synopsis:       natd ignores -u with passive FTP
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 04 06:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Peter Much
>Release:        FreeBSD 5.3-RELEASE-p4 i386
>Organization:
none
>Environment:
System: FreeBSD edge.oper.dinoex.org 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #4: Sun Jan 30 21:53:17 CET 2005 root at edge.oper.dinoex.org:/usr/src/sys/i386/compile/E1R53V1 i386


ipfw, natd
>Description:

I run unregistered and registered IP addresses. All of them go through natd
on their way to the internet. On the registered IP I run an ftp-server.
This ftp-server cannot be accessed with passive ftp from a client on
the internet. I use option -u for the natd. Natd does not change the
registered IP addresses of the packets from my ftp-server, but it seems
to change the port that server and client want to use for transfers.

>How-To-Repeat:

tun0 is my way out to the internet for unregistered IP addresses. This is my
default route, and natd shall work there.
The registered IP addresses also follow the default route to tun0,
and then "ipfw fwd" rules bring them on the way to tun1.
If these "fwd" rules happen to be BEFORE the natd rule, then passive ftp
works. If they appear AFTER the natd rule, it does not work anymore.

-- how I invoke natd:

# ps ax | grep natd
 393  ??  Ss     0:38.06 /sbin/natd -u -s -m -dynamic -n tun0

-- and from ipfw:

# ipfw list 3000
03000 divert 8668 ip from any to any via tun0

-- now, when I branch off the passive ftp BEFORE rule 3000, it works ok:

# ipfw add 1 allow log ip from 213.6.30.248 to <my-ftpserver-ip>
# ipfw add 2999 fwd 10.1.0.120 log ip from <my-ftpserver-ip> to not 192.168.98.0/23

Feb  4 04:45:57 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:21 213.6.30.248:1076 out via tun0
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 <my-ftpserver-ip>:63536 in via tun1
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:63536 213.6.30.248:1079 out via tun0
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 <my-ftpserver-ip>:63536 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:21 213.6.30.248:1076 out via tun0
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:63536 213.6.30.248:1079 out via tun0
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:21 213.6.30.248:1076 out via tun0
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:63536 213.6.30.248:1079 out via tun0
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 <my-ftpserver-ip>:63536 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 <my-ftpserver-ip>:63536 in via tun1
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:63536 213.6.30.248:1079 out via tun0
Feb  4 04:45:58 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1

One can see here: the ftp-client 213.6.30.248 comes in through tun1 and reaches my server; they
agree on using port 63536 to do the actual transfer.
This is also said in the logfile written by ftpd:

Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: command: EPSV
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: <--- 229 
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: Entering Extended Passive Mode (|||63536|)
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: command: LIST
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: <--- 150 
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: Opening ASCII mode data connection for '/bin/ls'.
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: <--- 226 
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: Transfer complete.

-- but when I branch it off AFTER rule 3000, it does not work anymore:

# ipfw delete 2999
# ipfw add 3001 fwd 10.1.0.120 log ip from <my-ftpserver-ip> to not 192.168.98.0/23

Feb  4 04:46:40 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:46:40 <security.info> edge kernel: ipfw: 3001 Forward to 10.1.0.120 TCP <my-ftpserver-ip>:21 213.6.30.248:1076 out via tun0
Feb  4 04:46:40 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
Feb  4 04:46:40 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:46:43 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
Feb  4 04:46:46 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
Feb  4 04:46:49 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
Feb  4 04:46:53 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
Feb  4 04:47:14 <security.info> edge last message repeated 3 times

Now, the client tries to connect to port 52711 to do the transfer, and does not get an answer there.
And the ftpd log says that ftpd actually did want to use port 50334.

Feb  4 04:46:40 <ftp.debug> oper ftpd[96264]: command: EPSV
Feb  4 04:46:40 <ftp.debug> oper ftpd[96264]: <--- 229 
Feb  4 04:46:40 <ftp.debug> oper ftpd[96264]: Entering Extended Passive Mode (|||50334|)

>Fix:

This can be worked around by a different arrangement of the rules in ipfw.

>Release-Note:
>Audit-Trail:
>Unformatted:
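The symptom in this report is visible only by correlating two log sources: ftpd announces one data port in its EPSV reply, while the ipfw log shows the client arriving at a different port, because natd rewrote the reply in transit. The following script is an added example, not part of the original report or of FreeBSD; it parses both log formats as they appear above and flags inbound data connections to a port the server never announced. The sample log lines are copied from the report (the server address is kept as the literal placeholder `<my-ftpserver-ip>`); the PASV parsing branch goes beyond the report, which only shows EPSV, and assumes the standard `Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply wording.

```python
import re

# Constructed sample input: ftpd and ipfw log lines copied from the report above.
FTPD_LOG = """\
Feb  4 04:45:57 <ftp.debug> oper ftpd[96264]: Entering Extended Passive Mode (|||63536|)
Feb  4 04:46:40 <ftp.debug> oper ftpd[96264]: Entering Extended Passive Mode (|||50334|)
"""

IPFW_LOG = """\
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:45:57 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 <my-ftpserver-ip>:63536 in via tun1
Feb  4 04:46:40 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 <my-ftpserver-ip>:21 in via tun1
Feb  4 04:46:40 <security.info> edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 <my-ftpserver-ip>:52711 in via tun1
"""

SERVER = "<my-ftpserver-ip>"  # placeholder exactly as used in the report

# EPSV reply (RFC 2428): "(|||port|)"
EPSV_RE = re.compile(r"Entering Extended Passive Mode \(\|\|\|(\d+)\|\)")
# PASV reply (RFC 959): port is p1*256 + p2. Assumed wording, not shown in the report.
PASV_RE = re.compile(r"Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# ipfw "Accept ... in via" lines; "Forward" lines have a different shape and are skipped.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) TCP (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) in via (?P<iface>\S+)"
)


def announced_ports(ftpd_log):
    """Data ports the FTP server told clients to connect to (EPSV or PASV)."""
    ports = set()
    for line in ftpd_log.splitlines():
        m = EPSV_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = PASV_RE.search(line)
        if m:
            ports.add(int(m.group(5)) * 256 + int(m.group(6)))
    return ports


def inbound_data_connections(ipfw_log, server, control_port=21):
    """(client, destination port) for inbound connections to the server
    on any port other than the FTP control port."""
    conns = []
    for line in ipfw_log.splitlines():
        m = IPFW_RE.search(line)
        if m and m.group("dst") == server and int(m.group("dport")) != control_port:
            conns.append((m.group("src"), int(m.group("dport"))))
    return conns


def find_rewritten_ports(ftpd_log, ipfw_log, server):
    """Inbound data connections whose port the server never announced.
    A non-empty result means something between ftpd and the client
    (here natd) rewrote the passive-mode reply."""
    announced = announced_ports(ftpd_log)
    suspects = {
        (src, port)
        for src, port in inbound_data_connections(ipfw_log, server)
        if port not in announced
    }
    return sorted(suspects)


if __name__ == "__main__":
    print("announced by ftpd:", sorted(announced_ports(FTPD_LOG)))
    for client, port in find_rewritten_ports(FTPD_LOG, IPFW_LOG, SERVER):
        print(f"{client} connected to port {port}, which ftpd never announced")
```

Run against the report's logs, the first exchange (port 63536) correlates cleanly, while the second shows the client arriving at 52711 although ftpd announced 50334, which is exactly the rewritten reply the report describes. The same correlation is a cheap standing check for any FTP server behind a NAT device with an application-level gateway.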
