ftp-proxy in reverse mode

Gergely CZUCZY phoemix at harmless.hu
Sun Sep 10 12:03:43 PDT 2006


hello

i've got a bit of trouble with ftp-proxy in reverse mode. it
doesn't connect to the service.

the setup is:
external interface: em0 with address 10.1.0.6

The FTP server is running in a jail.
jail interface: lo1, ftp-jail address: 192.168.0.3

I don't have any blocking rules for the incoming connection
from em0->lo1(192.168.0.3) in my firewall.

The ftp-proxy is being run this way from inetd.conf:
ftp             stream  tcp     nowait  root    /usr/libexec/ftp-proxy -R 192.168.0.3:21 -D 3 -u root -v

i've tried without the :21, without -u root, with -u proxy, and had also tried with
the arguments "-R -R 192.168.0.3 ftp-proxy"
however, i was unable to find out what the /ftp-proxy$/ at the
end of the inetd.conf line means; the manuals didn't help either.

tcpdump on lo1 (the jail if) doesn't report any incoming packets.
tcpdump on em0 (the external if) reports the following:
--- chop with axe here ---
20:32:16.033946 IP 10.1.0.1.54394 > 10.1.0.6.21: S 2387744030:2387744030(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 44584936 0,sackOK,eol>
20:32:16.034024 IP 10.1.0.6.21 > 10.1.0.1.54394: S 2368841291:2368841291(0) ack 2387744031 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7498506 44584936,sackOK,eol>
20:32:16.034189 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 1 win 33304 <nop,nop,timestamp 44584937 7498506>
20:32:16.036771 IP 10.1.0.6.21 > 10.1.0.1.54394: F 1:1(0) ack 1 win 33304 <nop,nop,timestamp 7498509 44584937>
20:32:16.036944 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037063 IP 10.1.0.1.54394 > 10.1.0.6.21: F 1:1(0) ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037091 IP 10.1.0.6.21 > 10.1.0.1.54394: . ack 2 win 33303 <nop,nop,timestamp 7498509 44584939>
--- chop with axe here ---


as you see on the inetd.conf line, i asked ftp-proxy to be verbose, but
i don't see any messages in debug.log

i've tried to ktrace the inetd process and after it, connect to
the service:
--- chop with axe here ---
# ktrace -d -f inetd.tr -p 17261
# kdump -f inetd.tr  | less
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  accept(0x6,0,0)
 17261 inetd    RET   accept 8
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  ioctl(0x8,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  sigprocmask(0x1,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    CALL  gettimeofday(0x8064124,0)
 17261 inetd    RET   gettimeofday 0
 17261 inetd    CALL  fork
 17261 inetd    RET   fork 17294/0x438e
 17261 inetd    CALL  sigprocmask(0x3,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    PSIG  SIGCHLD caught handler=0x804a288 mask=0x0 code=0x0
 17261 inetd    CALL  write(0x7,0xbfbfd207,0x1)
 17261 inetd    GIO   fd 7 wrote 1 byte
       "C"
 17261 inetd    RET   write 1
 17261 inetd    CALL  sigreturn(0xbfbfd230)
 17261 inetd    RET   sigreturn JUSTRETURN
 17261 inetd    CALL  close(0x8)
 17261 inetd    RET   close 0
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x4,FIONREAD,0xbfbfd5e4)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  read(0x4,0xbfbfd5e3,0x1)
 17261 inetd    GIO   fd 4 read 1 byte
       "C"
 17261 inetd    RET   read 1
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 17294/0x438e
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 -1 errno 10 No child processes
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
--- chop with axe here ---
i had asked ktrace to follow the child processes, but as i see
it is missing from here.

So, ftp proxy doesn't forward any connections to the running
ftp service. what am i doing wrong here?

Bye,

Gergely Czuczy
mailto: gergely.czuczy at harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.

More information about the freebsd-pf mailing list