Still have ftp-proxy problems - Any help?

Daniel Hartmeier daniel at benzedrine.cx
Sat Nov 19 00:31:08 PST 2005


On Fri, Nov 18, 2005 at 04:09:27PM -0800, Steven Schoch wrote:

> I may not be the only one with this problem.  On  Mon, 22 Nov 2004 "J.
> Martin Petersen" <jmp at alvorlig.dk> had a similar problem I found in
> this message:
> http://docs.freebsd.org/cgi/mid.cgi?1101152753.41a241f113332
> 
> But there were no answers.  Any new answers?

Depends on whether it's the same problem or not, you didn't supply the
same diagnostics.

In Martin's case, the problem was that the ftp-proxy couldn't establish
the data connection to the client, most likely due to his ruleset. The
ftp-proxy sends the TCP SYN to the client, passing by rule

  pass on $int_if all

and not creating state. Then the client's SYN+ACK comes back in on
$int_if, passing by rule

  pass log on $int_if from "10.1.4.50" modulate state

here the SYN+ACK does get modulated and create state. This doesn't work.
If you want to modulate sequence numbers, you have to do it on the
initial SYN (and create state).

In short, any ruleset that creates state on non-first packets is highly
suspicious. I have no idea why Martin doesn't create state on so many
rules, then just throws in a 'modulate state' on that particular rule.

In general:

  a) don't pass without creating state, search for 'pass' rules which
     don't also have 'keep state'

  b) don't create state on non-first packets, search for 'pass' rules
     (applying to TCP connections) which don't contain 'flags S/SA'

It could be an entirely different problem in your case. Martin did
supply many relevant logs, you could do the same :)

Daniel
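The two checks Daniel lists (pass rules without a state option, and TCP pass rules without 'flags S/SA') are easy to automate. The following linter is an added example, not code from the thread or from the pf project; it assumes the pf syntax of that era, in which a pass rule without 'keep state' is stateless (OpenBSD 4.1 and later, and the FreeBSD imports of it, make 'keep state' and 'flags S/SA' the default, so this matters for older rulesets). The sample ruleset is constructed: its first two pass rules have the same shape as the ones quoted above, the rest show the corrected form, and the macro names and addresses are made up.

```python
import re

# Constructed sample ruleset (not from the thread). Lines 3 and 4 mimic the
# quoted rules; lines 5-7 are the corrected form; int_if/ext_if and the
# addresses are assumed values.
SAMPLE_RULESET = """\
int_if = "fxp0"
ext_if = "fxp1"
pass on $int_if all
pass log on $int_if from 10.1.4.50 modulate state
pass in on $ext_if proto tcp from any to $ext_if port 21 flags S/SA keep state
pass out on $int_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto udp from any to any port 53 keep state
block in all
"""

# The state-creating options pf offered at the time; none present means the
# rule passes packets statelessly (check a).
STATE_RE = re.compile(r'\b(keep|modulate|synproxy)\s+state\b')
# 'flags S/SA' (S/SAFR and similar also qualify): SYN must be set and SYN is
# among the checked bits, so state is only created on the first packet (check b).
FLAGS_RE = re.compile(r'\bflags\s+S/S')
# 'proto tcp', 'proto udp' or a list such as 'proto { tcp, udp }'.
PROTO_RE = re.compile(r'\bproto\s+(\{[^}]*\}|\S+)')


def applies_to_tcp(rule):
    """A pass rule matches TCP connections unless it names a protocol (or list) without tcp."""
    m = PROTO_RE.search(rule)
    return m is None or 'tcp' in m.group(1)


def lint_pf_rules(text):
    """Return (line number, finding, rule) for every suspicious pass rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split('#', 1)[0].strip()   # drop comments
        if not rule.startswith('pass'):
            continue
        if not STATE_RE.search(rule):
            findings.append((lineno, 'no-state', rule))
        if applies_to_tcp(rule) and not FLAGS_RE.search(rule):
            findings.append((lineno, 'no-flags-S/SA', rule))
    return findings


if __name__ == '__main__':
    for lineno, code, rule in lint_pf_rules(SAMPLE_RULESET):
        print(f'line {lineno}: {code}: {rule}')
```

On the sample this flags line 3 twice (stateless, and no 'flags S/SA') and line 4 once: it creates state, but without 'flags S/SA' it will happily do so on a SYN+ACK, which is exactly the failure described above. The linter does not expand macros, lists or anchors, so feeding it the expanded rules that `pfctl -vnf pf.conf` prints gives more reliable results than the raw file.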

