bridging firewall => proftpd issue.

Dave Hart davehart at gmail.com
Wed Jul 21 03:50:11 PDT 2004


CPU Customer Support <support at cpu-net.com> wrote:
[...]
> Bridging firewall running FreeBSD 4.9 compiled for the security branch,
> and IPFW.  It seems that just as I installed this firewall, a customer
> is no longer able to ftp into our main Redhat machine.  
[...]
> It looks at first like a passive/active issue, but, I've
> opened the appropriate ports on the firewall, and even assigned the
> passive ports in Proftpd.  He has tried passive and active modes both,
> with the same results.  Mind you all other customers do not have any
> issues.
> 
> Session Transcript:
> 
> Jul 19 17:24:04 host04 proftpd[32507]: cpu-net.com
>         (70-240-21-3.ded.swbell.net[70.240.21.3]) - Refused PORT
>         192,168,100,3,8,118 (address mismatch)
> Jul 19 17:24:13 host04 proftpd[32507]: cpu-net.com
>         (70-240-21-3.ded.swbell.net[70.240.21.3]) - FTP session closed.

It does as you say look like an active/passive issue, as you put it,
or as I like to put it, an example of how people installing NATs break
end-to-end connectivity.  Curious, then, that you only supply logs of
an active attempt, which is bound to fail with the previously-noted
192.168.100.3:118 address in the PORT command.

> The IP range that he's coming from was just recently issued by SBC.
> I've also tried opening all ports and IPs to this IP address for him.
> To no avail.
> 
> The customer did not have any issues prior to installing the FreeBSD
> firewall/bridge.  He was also using the current IP address prior as
> well.

OK, I find this interesting.  I'm a dirty bastard so I happened to
remember that 69.0.0.0/8 was recently allocated, so I dug and verified
70.0.0.0/8 is also newly assigned.  It was a "bogon" until 15 January
2004.

http://www.apnic.net/mailing-lists/apops/archive/2004/01/msg00007.html

Perhaps some piece of equipment along the path is attempting to filter
bogons and not being kept up to date with IP allocations.  Maybe not,
but since the IPs are so green I thought I should toss it out there
even with the apparently obvious NAT-sucks-by-design FTP PORT problem.

Cheers,
Dave Hart
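As an added illustration (not part of the thread), here is the check proftpd is making when it logs "Refused PORT ... (address mismatch)": decode the RFC 959 PORT argument from the quoted log, compare the address it names against the control-connection peer, and, as an extra diagnostic of my own, note when the mismatched address is RFC 1918 space, which is the NAT symptom Dave describes. The peer address and PORT argument are taken from the log excerpt; the function names are mine.

```python
import ipaddress
import re

# Sample values copied from the log excerpt in the thread: the control
# connection arrives from 70.240.21.3, but the client's PORT command names
# a private (RFC 1918) address it sees on its own LAN behind the NAT.
PEER_IP = "70.240.21.3"
PORT_ARG = "192,168,100,3,8,118"

PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Decode the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument: %r" % arg)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PORT argument: %r" % arg)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # 8,118 -> 8*256 + 118 = 2166
    return ip, port


def check_port_command(peer_ip, arg):
    """Sanity checks a server applies before opening the active-mode data connection.

    Returns (accepted, reason).  The 'address mismatch' refusal mirrors the
    proftpd log line in the thread; the NAT hint is an added diagnostic and
    not proftpd's own wording.
    """
    ip, port = parse_port_arg(arg)
    if port < 1024:
        # Servers refuse low ports so they cannot be used to relay connections
        # to other hosts' services (the classic FTP bounce concern).
        return False, "refused: privileged port %d" % port
    if ip != peer_ip:
        reason = "address mismatch: PORT names %s but control peer is %s" % (ip, peer_ip)
        if ipaddress.ip_address(ip).is_private:
            reason += " (private address: client is most likely behind a NAT)"
        return False, reason
    return True, "ok: data connection to %s:%d" % (ip, port)


if __name__ == "__main__":
    print(parse_port_arg(PORT_ARG))
    print(check_port_command(PEER_IP, PORT_ARG))
```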

