proftpd and pf weirdness
Valentin Bud
valentin.bud at gmail.com
Wed May 7 21:14:14 UTC 2008
Hello to you all,
Last week I've begun to have problems with a HUAWEI E220 HSDPA modem when connecting to the proftpd server. The first thing I want to mention is that the thing I'll describe here only happens when I connect from that modem.
First of all, the topology of the servers:
ISP----[bridged modem]-----[FreeBSD mpd4+pf]----[FreeBSD proftpd]
The pf rules that redirect traffic to proftpd:
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> <DMZ_HOST> port 21
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 59000:59100 -> <DMZ_HOST> port 59000:59100
DMZ_HOST (192.168.1.2) is the FreeBSD 6.2-RELEASE-p6 box that runs ProFTPD Version 1.3.1. No firewall is running on DMZ_HOST.
Here is the relevant output that the server gives when the ftp session is closed:
12.34.56.78 (213.233.102.254[213.233.102.254]) - Entering Passive Mode (192,168,1,2,230,167).
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching POST_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_log
12.34.56.78 (213.233.102.254[213.233.102.254]) - FTP session closed.
tcpdump output from the [mpd4+pf] box:
14:04:58.299572 AF IPv4 (2), length 94: 12.34.56.78.21 > 213.233.102.254.40437: P 261:311(50) ack 92 win 65535
0x0000: 4500 005a be9c 4000 3f06 0f55 597a d74a E..Z..@.?..UYz.J
0x0010: d5e9 66fe 0015 9df5 2ded 1879 01dc 346b ..f.....-..y..4k
0x0020: 5018 ffff aea7 0000 3232 3720 456e 7465 P.......227.Ente
0x0030: 7269 6e67 2050 6173 7369 7665 204d 6f64 ring.Passive.Mod
0x0040: 6520 2831 3932 2c31 3638 2c31 2c32 2c32 e.(192,168,1,2,2
0x0050: 3330 2c31 3637 292e 0d0a                30,167)...
14:04:58.348823 AF IPv4 (2), length 94: 213.233.102.254.40437 > 12.34.56.78.21: R 92:142(50) ack 261 win 65535
0x0000: 4500 005a be9c 4000 2806 2655 d5e9 66fe E..Z..@.(.&U..f.
0x0010: 597a d74a 9df5 0015 01dc 346b 2ded 1879 Yz.J......4k-..y
0x0020: 5014 ffff aeab 0000 3232 3720 456e 7465 P.......227.Ente
0x0030: 7269 6e67 2050 6173 7369 7665 204d 6f64 ring.Passive.Mod
0x0040: 6520 2831 3932 2c31 3638 2c31 2c32 2c32 e.(192,168,1,2,2
0x0050: 3330 2c31 3637 292e 0d0a                30,167)...
The last snippet from tcpdump shows (as far as I know) that the Huawei modem sends an R, and that the server (before) that reset sends the PASV port answer. If I am not right, please correct me.
The ppp connection made from the modem receives an IP from the 172.16/12 private class, which gets NAT-ed to the 213.* IP from the logs. If it matters, the modem is from Vodafone.
I will attach the proftpd config file.
I think that Vodafone does some check on packets and it doesn't like that the connection to the ftp server passes through the [mpd4+pf] box. Configuring proftpd on the [mpd4+pf] box works like a charm. This is a viable solution, but I want to find out what happens. Any hints to dig further are more than welcome.
Thank you.
PS: the 12.34.56.78 IP is bogus to protect my server's identity; everything else is copy-paste from server output.
--
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro
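Added illustration, not part of the original post or of ProFTPD: the 227 reply captured in the tcpdump above is decoded and checked against the NAT setup described (does the advertised address match the public address the client connected to, and is the port inside the 59000:59100 rdr range?). It assumes the placeholder 12.34.56.78 from the post as the server's public address.

```python
import ipaddress
import re
from typing import List, NamedTuple

# TCP payload of the server's 227 reply, transcribed from the hex columns of
# the first tcpdump packet above (bytes 0x28..0x59 of the dump).
CAPTURED_227_HEX = (
    "3232 3720 456e 7465 7269 6e67 2050 6173 7369 7665 204d 6f64"
    " 6520 2831 3932 2c31 3638 2c31 2c32 2c32 3330 2c31 3637 292e 0d0a"
)
# Passive data-port range forwarded by the second rdr rule in the post.
RDR_LOW, RDR_HIGH = 59000, 59100
# RFC 959 syntax: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PasvReply(NamedTuple):
    address: ipaddress.IPv4Address
    port: int  # p1 * 256 + p2


def parse_pasv(payload: bytes) -> PasvReply:
    """Decode the address and port advertised in a 227 reply."""
    m = PASV_RE.search(payload)
    if m is None:
        raise ValueError("payload carries no 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply")
    return PasvReply(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2)


def check_pasv(payload: bytes, public_ip: str) -> List[str]:
    """Return why a client outside the NAT could not use this reply (empty = fine)."""
    reply = parse_pasv(payload)
    findings = []
    if reply.address.is_private:
        findings.append(f"advertises RFC 1918 address {reply.address}")
    if reply.address != ipaddress.IPv4Address(public_ip):
        findings.append(f"advertised {reply.address} but client connected to {public_ip}")
    if not RDR_LOW <= reply.port <= RDR_HIGH:
        findings.append(f"port {reply.port} outside rdr range {RDR_LOW}:{RDR_HIGH}")
    return findings


if __name__ == "__main__":
    # 12.34.56.78 is the placeholder public address used in the post.
    for finding in check_pasv(bytes.fromhex(CAPTURED_227_HEX), "12.34.56.78"):
        print(finding)
```

For the captured reply this reports the RFC 1918 address 192.168.1.2 and the address mismatch, while port 59047 (230*256+167) is inside the rdr range. ProFTPD's MasqueradeAddress directive is the usual way to make the 227 reply carry the public address; whether that explains the reset seen here is not established by the post.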