Problems with ftp/ftp-proxy

Nick Buraglio nick at buraglio.com
Mon Jan 24 06:25:28 PST 2005


I have never used the ftp-proxy with the "user proxy" additions, but 
I've been using it successfully (under openbsd) in many locations with 
this setup (straight from the man page):

/etc/inetd.conf :
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy

/etc/pf.conf :

-- snip --
# NAT Rules

nat on $ext_if from $internal_net to any -> ($ext_if)

# Redirect Rules
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

-- snip--

Granted, my setups are probably much simpler: there is a default pass all, 
aside from the captive portal tables and altq stuff (these are not really 
firewalls so much as traffic cop boxes at apartment campuses and hotspots).

I'm actually putting my first freebsd box in with the same setup this 
week, but so far testing using ftp-proxy, altq, pf and freebsd 5.3 has 
been good.

nb

On Jan 23, 2005, at 12:43 PM, J. Martin Petersen wrote:

> Hi
>
> We're trying to get ftp-proxy to work on our FreeBSD 5.3 (RELENG_5_3
> with pf from RELENG_5) firewall, but with no luck. Does anyone have a
> working pf.conf that they are willing to share?
>
> When I try to connect to an ftp server (ftp2.dk.freebsd.org), active FTP
> does not work. We're using a very basic pf.conf:
> --#--
> mbh_if = "xl0"
> mci_if = "xl2"
> loo_if = "lo0"
>
> set loginterface $mci_if
>
> nat on $mci_if from $mbh_if:network to any -> ($mci_if) port 10000:61999
> rdr on $mbh_if inet proto tcp from $mbh_if:network to any port ftp\
>      -> 127.0.0.1 port ftp-proxy
>
> block log all
>
> pass log quick on $loo_if all
> pass in  on $mbh_if from $mbh_if:network to any
> pass out on $mbh_if from any to $mbh_if:network keep state
> pass out on $mci_if proto tcp from any to any modulate state flags S/SA
> pass out on $mci_if proto { udp, icmp } from any to any keep state
>
> pass in  log-all on $mci_if inet proto tcp from any port 20 to $mci_if\
>      user proxy keep state
> pass in  log-all on $mci_if inet proto tcp from any to ($mci_if) \
>      port 60000:61999 keep state user proxy
> pass out log-all on $mci_if inet proto tcp from ($mci_if) to any \
>      port { ftp ftp-data } keep state user proxy
> --#--
>
> mbh_if is the internal interface and mci_if is the external. I've added
> 	ftp-proxy	stream	tcp	nowait	root	/usr/libexec/ftp-proxy	ftp-proxy -u proxy -m 60000 -M 61999 -t 300 -D 2 -n
> to inetd.conf and restarted it (omitting "-n" does not help).
>
> When I try to ftp from a machine on the internal network, it doesn't
> work. The debug info from ftp-proxy is:
> --#--
> Jan 23 16:38:09 fw1 ftp-proxy[932]: accepted connection from 10.2.4.50:1295 to 195.215.30.75:21
> Jan 23 16:38:09 fw1 ftp-proxy[932]: local socket is 195.24.1.196:61501
> Jan 23 16:38:18 fw1 ftp-proxy[932]: Got a PORT command
> Jan 23 16:38:18 fw1 ftp-proxy[932]: client wants us to use 10.2.4.50:5002
> Jan 23 16:38:18 fw1 ftp-proxy[932]: we want server to use 195.24.1.196:60430
> Jan 23 16:38:18 fw1 ftp-proxy[932]: to server (modified): PORT 195,24,1,196,236,14^M
> Jan 23 16:38:18 fw1 ftp-proxy[932]: server listen socket ready
> Jan 23 16:39:33 fw1 ftp-proxy[932]: cannot connect data channel (Operation timed out)
> --#--
>
> If I do a tcpdump, I can only see hits on rule 8 and 9, which are "pass"
> rules. If I change "log-all" to "log" in pf.conf, I get no output at all
> in tcpdump.
>
> What do I need to add/alter to get ftp working? As far as I can see,
> I've done (more than) what the pf-faq says in "Issues with ftp".
>
> The tcpdump showed this:
>
> Cheers, Martin
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
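The whole thread turns on what ftp-proxy does with the client's active-mode PORT command and whether the port it picks is covered by the 60000:61999 pass rule. As an added illustration (not code from either poster or from ftp-proxy itself), this Python script decodes and re-encodes PORT arguments the way the proxy's debug output shows them, and cross-checks a constructed copy of Martin's debug log against the -m/-M range from his inetd.conf line; the rewrite and range-check helpers are assumptions about the proxy's behaviour drawn only from the quoted log lines.

```python
import re
# From Martin's inetd.conf line "ftp-proxy ... -m 60000 -M 61999": the range the
# proxy draws server-side data ports from, which the 60000:61999 pass rule covers.
PROXY_MIN_PORT, PROXY_MAX_PORT = 60000, 61999

PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
WANT_RE = re.compile(r"we want server to use (\d+(?:\.\d+){3}):(\d+)")

def decode_port(cmd):
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), validating each byte."""
    m = PORT_RE.search(cmd.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % cmd)
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("PORT byte out of range: %r" % cmd)
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]

def encode_port(host, port):
    """Inverse of decode_port: the argument a proxy sends on to the server."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)

def rewrite_port(client_cmd, proxy_host, proxy_port):
    """What ftp-proxy does with a client's active-mode PORT: validate it, then
    advertise the firewall's own external address and a port of its choosing."""
    decode_port(client_cmd)
    return encode_port(proxy_host, proxy_port)

def check_debug_log(lines, lo=PROXY_MIN_PORT, hi=PROXY_MAX_PORT):
    """Cross-check ftp-proxy -D 2 output: the 'we want server to use' endpoint must
    equal the decoded '(modified): PORT' line. Returns (host, port, inside lo:hi)."""
    want = modified = None
    for line in lines:
        m = WANT_RE.search(line)
        if m:
            want = (m.group(1), int(m.group(2)))
        if "(modified): PORT" in line:
            modified = decode_port(line.split("(modified): ", 1)[1])
    if want is None or want != modified:
        raise ValueError("incomplete or inconsistent PORT rewrite in log")
    return want[0], want[1], lo <= want[1] <= hi

# Constructed sample from the ftp-proxy output in the thread (trailing ^M dropped).
DEBUG_LOG = [
    "Jan 23 16:38:18 fw1 ftp-proxy[932]: client wants us to use 10.2.4.50:5002",
    "Jan 23 16:38:18 fw1 ftp-proxy[932]: we want server to use 195.24.1.196:60430",
    "Jan 23 16:38:18 fw1 ftp-proxy[932]: to server (modified): PORT 195,24,1,196,236,14",
]
```

Running check_debug_log(DEBUG_LOG) returns ("195.24.1.196", 60430, True): the rewritten listener does sit inside the 60000:61999 rule, which is consistent with the log showing the server's port-20 connection being accepted while the failure is reported on the data channel back towards the client.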