proftpd and pf weirdness

Valentin Bud valentin.bud at gmail.com
Wed May 7 21:14:14 UTC 2008


Hello to you all,
 Last week I began to have problems with a HUAWEI E220 HSDPA modem when connecting to a proftpd server. The first thing I want to mention is that the thing that I'll describe here only happens when I connect from that modem.
 First of all, the topology of the servers:

ISP----[bridged modem]-----[FreeBSD mpd4+pf]----[FreeBSD proftpd]

the pf rules that redirect traffic to proftpd:

rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> <DMZ_HOST> port 21
rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 59000:59100 -> <DMZ_HOST> port 59000:59100

DMZ_HOST (192.168.1.2) being the FreeBSD 6.2-RELEASEp6 box that runs ProFTPD Version 1.3.1; no firewall is running on DMZ_HOST.

Here is the relevant output that the server gives when the FTP session is closed:

12.34.56.78 (213.233.102.254[213.233.102.254]) - Entering Passive Mode (192,168,1,2,230,167).
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching POST_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_sql
12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_log
12.34.56.78 (213.233.102.254[213.233.102.254]) - FTP session closed.

tcpdump output from the [mpd4+pf] box:

14:04:58.299572 AF IPv4 (2), length 94: 12.34.56.78.21 > 213.233.102.254.40437: P 261:311(50) ack 92 win 65535
        0x0000:  4500 005a be9c 4000 3f06 0f55 597a d74a  E..Z..@.?..UYz.J
        0x0010:  d5e9 66fe 0015 9df5 2ded 1879 01dc 346b  ..f.....-..y..4k
        0x0020:  5018 ffff aea7 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...
14:04:58.348823 AF IPv4 (2), length 94: 213.233.102.254.40437 > 12.34.56.78.21: R 92:142(50) ack 261 win 65535
        0x0000:  4500 005a be9c 4000 2806 2655 d5e9 66fe  E..Z..@.(.&U..f.
        0x0010:  597a d74a 9df5 0015 01dc 346b 2ded 1879  Yz.J......4k-..y
        0x0020:  5014 ffff aeab 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...

The last snippet from tcpdump shows (as far as I know) that the Huawei modem sends an R and that the server (before that reset) sends the PASV port answer. If I am not right, please correct me.
  The ppp connection made from the modem receives an IP from the 172.16/12 private class, which gets NAT-ed to the 213.* IP from the logs. If it matters, the modem is from Vodafone.
 I will attach the proftpd config file.

 I think that Vodafone does some check on packets and it doesn't like that the connection to the FTP server passes through the [mpd4+pf] box. Configuring proftpd on the [mpd4+pf] box works like a charm. This is a viable solution, but I want to find out what happens. Any hints to dig further are more than welcome.
Thank you.

PS: the 12.34.56.78 IP is bogus to protect my server's identity; everything else is copy-paste from server output.

-- 
Kind Regards,

Valentin Bud

www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2

valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro
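
An added example, not part of the original post: it decodes the 227 reply carried in the first captured packet above (RFC 959 format, port = p1*256 + p2) and compares the advertised data endpoint with the address the control connection used and with the redirected port range from the rdr rules. The function names are hypothetical, and 12.34.56.78 is the poster's placeholder address.

```python
import ipaddress
import re

# TCP payload of the first packet in the tcpdump output above (bytes 0x28-0x59).
PAYLOAD_HEX = (
    "3232 3720 456e 7465 7269 6e67 2050 6173 7369 7665 204d 6f64 "
    "6520 2831 3932 2c31 3638 2c31 2c32 2c32 3330 2c31 3637 292e 0d0a"
)

# RFC 959 passive reply: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"^227 [^(]*\(" + rb",".join([rb"(\d{1,3})"] * 6) + rb"\)")


def parse_pasv(reply: bytes):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in 227 reply")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_pasv(reply: bytes, control_ip: str, port_range: tuple):
    """Compare the advertised data endpoint with the control address and port range."""
    host, port = parse_pasv(reply)
    findings = []
    if host != ipaddress.IPv4Address(control_ip):
        findings.append(f"advertised {host}, control connection is to {control_ip}")
    if host.is_private:
        findings.append(f"{host} is RFC 1918 private address space")
    if not port_range[0] <= port <= port_range[1]:
        findings.append(f"port {port} is outside the redirected range {port_range}")
    return host, port, findings


if __name__ == "__main__":
    # 12.34.56.78 is the poster's placeholder; 59000-59100 is the rdr range.
    host, port, findings = check_pasv(
        bytes.fromhex(PAYLOAD_HEX), "12.34.56.78", (59000, 59100))
    print(f"data endpoint {host}:{port}")
    for f in findings:
        print("  -", f)
```

The script only reports what the reply advertises; it does not by itself establish why the reset was sent.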

