Problems with ftp/ftp-proxy

J. Martin Petersen techlists at motrix.dk
Sun Jan 23 10:43:15 PST 2005


Hi

We're trying to get ftp-proxy to work on our FreeBSD 5.3 (RELENG_5_3
with pf from RELENG_5) firewall, but with no luck. Does anyone have a
working pf.conf that they are willing to share?

When I try to connect to an ftp server (ftp2.dk.freebsd.org), active FTP
does not work. We're using a very basic pf.conf:
--#--
mbh_if = "xl0"
mci_if = "xl2"
loo_if = "lo0"

set loginterface $mci_if

nat on $mci_if from $mbh_if:network to any -> ($mci_if) port 10000:61999
rdr on $mbh_if inet proto tcp from $mbh_if:network to any port ftp\
      -> 127.0.0.1 port ftp-proxy

block log all

pass log quick on $loo_if all
pass in  on $mbh_if from $mbh_if:network to any
pass out on $mbh_if from any to $mbh_if:network keep state
pass out on $mci_if proto tcp from any to any modulate state flags S/SA
pass out on $mci_if proto { udp, icmp } from any to any keep state

pass in  log-all on $mci_if inet proto tcp from any port 20 to $mci_if\
      user proxy keep state
pass in  log-all on $mci_if inet proto tcp from any to ($mci_if) \
      port 60000:61999 keep state user proxy
pass out log-all on $mci_if inet proto tcp from ($mci_if) to any \
      port { ftp ftp-data } keep state user proxy
--#--

mbh_if is the internal interface and mci_if is the external. I've added
	ftp-proxy	stream	tcp	nowait	root	/usr/libexec/ftp-proxy	ftp-proxy -u proxy -m 60000 -M 61999 -t 300 -D 2 -n
to inetd.conf and restarted it (omitting "-n" does not help).

When I try to ftp from a machine on the internal network, it doesn't
work. The debug info from ftp-proxy is:
--#--
Jan 23 16:38:09 fw1 ftp-proxy[932]: accepted connection from 10.2.4.50:1295 to 195.215.30.75:21
Jan 23 16:38:09 fw1 ftp-proxy[932]: local socket is 195.24.1.196:61501
Jan 23 16:38:18 fw1 ftp-proxy[932]: Got a PORT command
Jan 23 16:38:18 fw1 ftp-proxy[932]: client wants us to use 10.2.4.50:5002
Jan 23 16:38:18 fw1 ftp-proxy[932]: we want server to use 195.24.1.196:60430
Jan 23 16:38:18 fw1 ftp-proxy[932]: to server (modified): PORT 195,24,1,196,236,14^M
Jan 23 16:38:18 fw1 ftp-proxy[932]: server listen socket ready
Jan 23 16:39:33 fw1 ftp-proxy[932]: cannot connect data channel (Operation timed out)
--#--

If I do a tcpdump, I can only see hits on rule 8 and 9, which are "pass"
rules. If I change "log-all" to "log" in pf.conf, I get no output at all
in tcpdump.

What do I need to add/alter to get ftp working? As far as I can see,
I've done (more than) what the pf-faq says in "Issues with ftp".

The tcpdump showed this:
--#--
16:38:09.804164 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: S 1532469226:1532469226(0) win 65535 <mss
1460,nop,nop,sackOK,[|tcp]>
16:38:09.809715 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: S 852511467:852511467(0) ack 1532469227 win 65535
<mss 1460,nop,nop,sackOK>
16:38:09.809775 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1 win 65535
16:38:09.821915 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1:24(23) ack 1 win 65535
16:38:09.915073 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 24 win 65535
16:38:13.944203 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: P 1:17(16) ack 24 win 65535
16:38:13.948888 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 24:82(58) ack 17 win 65535
16:38:14.045149 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 82 win 65535
16:38:15.255111 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: P 17:28(11) ack 82 win 65535
16:38:15.259782 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 82:127(45) ack 28 win 65535
16:38:15.260961 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 127:201(74) ack 28 win 65535
16:38:15.260991 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 201 win 65535
16:38:15.261007 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 201:208(7) ack 28 win 65535
16:38:15.261024 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 208:243(35) ack 28 win 65535
16:38:15.261038 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 243 win 65535
16:38:15.261050 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 243:296(53) ack 28 win 65535
16:38:15.261061 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 296:347(51) ack 28 win 65535
16:38:15.261073 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 347 win 65480
16:38:15.261084 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 347:403(56) ack 28 win 65535
16:38:15.261095 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 403:453(50) ack 28 win 65535
16:38:15.261108 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 453 win 65374
16:38:15.261121 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 453:506(53) ack 28 win 65535
16:38:15.261131 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 506:559(53) ack 28 win 65535
16:38:15.261145 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 559 win 65268
16:38:15.261157 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 559:612(53) ack 28 win 65535
16:38:15.261168 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 612:665(53) ack 28 win 65535
16:38:15.261182 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 665 win 65162
16:38:15.261192 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 665:715(50) ack 28 win 65535
16:38:15.261202 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 715:765(50) ack 28 win 65535
16:38:15.261214 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 765 win 65062
16:38:15.261225 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 765:817(52) ack 28 win 65535
16:38:15.261235 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 817:875(58) ack 28 win 65535
16:38:15.261248 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 875 win 64952
16:38:15.261259 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 875:928(53) ack 28 win 65535
16:38:15.261268 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 928:980(52) ack 28 win 65535
16:38:15.261282 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 980 win 64847
16:38:15.261292 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 980:1032(52) ack 28 win 65535
16:38:15.261301 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1032:1084(52) ack 28 win 65535
16:38:15.261313 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1084 win 64743
16:38:15.261397 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1084:1133(49) ack 28 win 65535
16:38:15.261408 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1133:1182(49) ack 28 win 65535
16:38:15.261424 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1182 win 64645
16:38:15.261435 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1182:1235(53) ack 28 win 65535
16:38:15.261445 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1235:1287(52) ack 28 win 65535
16:38:15.261462 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1287 win 64540
16:38:15.261472 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1287:1338(51) ack 28 win 65535
16:38:15.261482 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1338:1390(52) ack 28 win 65535
16:38:15.261495 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1390 win 64437
16:38:15.261505 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1390:1444(54) ack 28 win 65535
16:38:15.261514 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1444:1498(54) ack 28 win 65535
16:38:15.261527 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1498 win 64329
16:38:15.261538 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1498:1552(54) ack 28 win 65535
16:38:15.261547 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1552:1601(49) ack 28 win 65535
16:38:15.261560 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1601 win 64226
16:38:15.261570 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1601:1653(52) ack 28 win 65535
16:38:15.261580 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1653:1701(48) ack 28 win 65535
16:38:15.261592 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1701 win 64126
16:38:18.309202 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: P 28:54(26) ack 1701 win 65535
16:38:18.326871 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1701:1731(30) ack 54 win 65535
16:38:18.328641 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: P 54:60(6) ack 1731 win 65535
16:38:18.336245 rule 8/0(match): pass in on xl2: IP 195.215.30.75.20 >
195.24.1.196.60430: S 2496167856:2496167856(0) win 65535 <mss
1460,nop,nop,sackOK>
16:38:18.336309 rule 8/0(match): pass out on xl2: IP 195.24.1.196.60430
  > 195.215.30.75.20: S 4234689438:4234689438(0) ack 2496167857 win 65535
<mss 1460,nop,nop,sackOK>
16:38:18.340280 rule 8/0(match): pass in on xl2: IP 195.215.30.75.20 >
195.24.1.196.60430: . ack 1 win 65535
16:38:18.340382 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1731:1788(57) ack 60 win 65535
16:38:18.340403 rule 9/0(match): pass in on xl2: IP 195.215.30.75.21 >
195.24.1.196.61501: P 1788:1812(24) ack 60 win 65535
16:38:18.340423 rule 9/0(match): pass out on xl2: IP 195.24.1.196.61501
  > 195.215.30.75.21: . ack 1812 win 65535
--#--

Cheers, Martin
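As an added illustration (not part of Martin's post), the script below decodes the FTP PORT arguments that appear in the ftp-proxy debug output and checks that the port the proxy substituted falls inside the -m/-M range that the pf rule for the external interface passes (60000:61999 in the post). The sample log lines are copied from the post; function names are my own.

```python
import re

# Constructed sample: the ftp-proxy debug lines quoted in the post, on single lines.
SAMPLE_LOG = """\
Jan 23 16:38:18 fw1 ftp-proxy[932]: Got a PORT command
Jan 23 16:38:18 fw1 ftp-proxy[932]: client wants us to use 10.2.4.50:5002
Jan 23 16:38:18 fw1 ftp-proxy[932]: we want server to use 195.24.1.196:60430
Jan 23 16:38:18 fw1 ftp-proxy[932]: to server (modified): PORT 195,24,1,196,236,14
"""

# Port range given to ftp-proxy with -m/-M and opened by the pf rule (from the post).
PROXY_MIN_PORT = 60000
PROXY_MAX_PORT = 61999

PORT_RE = re.compile(r"\(modified\): PORT\s+([\d,]+)")


def parse_port_command(arg):
    """Decode the six comma-separated octets of an FTP PORT argument into (ip, port).

    RFC 959 encodes the port as two octets, high byte first: port = p1 * 256 + p2.
    """
    fields = [int(x) for x in arg.strip().split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % (arg,))
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def encode_port_command(ip, port):
    """Inverse of parse_port_command: build the PORT argument for ip:port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_rewritten_ports(log_text, min_port=PROXY_MIN_PORT, max_port=PROXY_MAX_PORT):
    """For each rewritten PORT the proxy sent, report (ip, port, in_pf_range).

    A port outside [min_port, max_port] would never match the pf rule that passes
    the server's data connection back to the proxy, so the data channel would hang.
    """
    results = []
    for m in PORT_RE.finditer(log_text):
        ip, port = parse_port_command(m.group(1))
        results.append((ip, port, min_port <= port <= max_port))
    return results


if __name__ == "__main__":
    for ip, port, ok in check_rewritten_ports(SAMPLE_LOG):
        print("proxy listens on %s:%d  within pf range: %s" % (ip, port, ok))
```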
