ftp problem
M. Keith Thompson
m.keith.thompson at gmail.com
Wed Jan 6 17:57:49 UTC 2010
The states and tcpdump are with scrub turned off. I tried that and it
did not change things.
---- Begin of pf.conf -------
ext_if="em0"
ext_IP="xxx.yyy.15.125"
local_if="lo0"
net_eng="{xxx.yyy.103.224/27 xxx.yyy.203.248/29 aaa.bbb.44.62/32}"
pingers="{xxx.yyy.24.13/32 xxx.yyy.24.119/32}"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
block in log all
pass on $local_if all
# SSH from NetEng subnet
pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port
22 keep state
# Allow inside network to ping the server
pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
# Allow DNS lookups
pass out quick on $ext_if proto udp to any port 53
pass out quick on $ext_if proto tcp to any port 53 keep state
# Allow ftp
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
port 20 keep state
--- end of pf.conf ----------------------
Unsuccessful:
self tcp xxx.yyy.15.125:21 <- vvv.zzz.226.92:50187 TIME_WAIT:TIME_WAIT
self tcp xxx.yyy.15.125:20 <- vvv.zzz.226.92:59433 FIN_WAIT_2:FIN_WAIT_2
self tcp xxx.yyy.15.125:20 <- vvv.zzz.226.92:59434 FIN_WAIT_2:FIN_WAIT_2
Successful:
self tcp xxx.yyy.15.125:21 <- vvv.zzz.226.92:50188 FIN_WAIT_2:FIN_WAIT_2
self tcp xxx.yyy.15.125:20 <- vvv.zzz.226.92:59435 FIN_WAIT_2:FIN_WAIT_2
tcpdump:
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
11:40:28.950507 IP (tos 0x0, ttl 52, id 52212, offset 0, flags
[none], proto: TCP (6), length: 60) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: S, cksum 0x57c6 (correct),
1708289474:1708289474(0) win 16384 <mss 1360,nop,wscale
0,nop,nop,timestamp 31320999 0>
11:40:28.950547 IP (tos 0x0, ttl 64, id 13399, offset 0, flags [DF],
proto: TCP (6), length: 60) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
S, cksum 0xea7a (correct), 2617007767:2617007767(0) ack 1708289475 win
65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1091989803 31320999>
11:40:29.118537 IP (tos 0x0, ttl 52, id 52343, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: ., cksum 0xd12f (correct), ack 1 win 17680
<nop,nop,timestamp 31320999 1091989803>
11:40:29.119874 IP (tos 0x10, ttl 64, id 13400, offset 0, flags [DF],
proto: TCP (6), length: 311) xxx.yyy.15.125.ftp >
vvv.zzz.226.92.50187: P 1:260(259) ack 1 win 33026 <nop,nop,timestamp
1091989973 31320999>
11:40:29.288183 IP (tos 0x0, ttl 52, id 52368, offset 0, flags
[none], proto: TCP (6), length: 65) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0xd78f (correct), 1:14(13) ack 260 win
17680 <nop,nop,timestamp 31320999 1091989973>
11:40:29.288327 IP (tos 0x10, ttl 64, id 13401, offset 0, flags [DF],
proto: TCP (6), length: 91) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P 260:299(39) ack 14 win 33026 <nop,nop,timestamp 1091990141 31320999>
11:40:29.455835 IP (tos 0x0, ttl 52, id 52406, offset 0, flags
[none], proto: TCP (6), length: 67) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0xd592 (correct), 14:29(15) ack 299 win
17680 <nop,nop,timestamp 31321000 1091990141>
11:40:29.462032 IP (tos 0x10, ttl 64, id 13402, offset 0, flags [DF],
proto: TCP (6), length: 134) xxx.yyy.15.125.ftp >
vvv.zzz.226.92.50187: P 299:381(82) ack 29 win 33026
<nop,nop,timestamp 1091990315 31321000>
11:40:29.631357 IP (tos 0x0, ttl 52, id 52434, offset 0, flags
[none], proto: TCP (6), length: 57) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x2f25 (correct), 29:34(5) ack 381 win
17680 <nop,nop,timestamp 31321000 1091990315>
11:40:29.631411 IP (tos 0x10, ttl 64, id 13403, offset 0, flags [DF],
proto: TCP (6), length: 86) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P 381:415(34) ack 34 win 33026 <nop,nop,timestamp 1091990484 31321000>
11:40:29.798759 IP (tos 0x0, ttl 52, id 52477, offset 0, flags
[none], proto: TCP (6), length: 58) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x3814 (correct), 34:40(6) ack 415 win
17680 <nop,nop,timestamp 31321001 1091990484>
11:40:29.798802 IP (tos 0x10, ttl 64, id 13405, offset 0, flags [DF],
proto: TCP (6), length: 246) xxx.yyy.15.125.ftp >
vvv.zzz.226.92.50187: P 415:609(194) ack 40 win 33026
<nop,nop,timestamp 1091990651 31321001>
11:40:29.969658 IP (tos 0x0, ttl 52, id 52598, offset 0, flags
[none], proto: TCP (6), length: 63) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x7df9 (correct), 40:51(11) ack 609 win
17680 <nop,nop,timestamp 31321001 1091990651>
11:40:29.969697 IP (tos 0x10, ttl 64, id 13406, offset 0, flags [DF],
proto: TCP (6), length: 169) xxx.yyy.15.125.ftp >
vvv.zzz.226.92.50187: P 609:726(117) ack 51 win 33026
<nop,nop,timestamp 1091990822 31321001>
11:40:30.139809 IP (tos 0x0, ttl 52, id 52620, offset 0, flags
[none], proto: TCP (6), length: 80) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x0f2f (correct), 51:79(28) ack 726 win
17680 <nop,nop,timestamp 31321001 1091990822>
11:40:30.139943 IP (tos 0x10, ttl 64, id 13407, offset 0, flags [DF],
proto: TCP (6), length: 81) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0xd391 (correct), 726:755(29) ack 79 win 33026
<nop,nop,timestamp 1091990992 31321001>
11:40:30.307710 IP (tos 0x0, ttl 52, id 52658, offset 0, flags
[none], proto: TCP (6), length: 77) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x3d00 (correct), 79:104(25) ack 755 win
17680 <nop,nop,timestamp 31321002 1091990992>
11:40:30.307785 IP (tos 0x0, ttl 64, id 13408, offset 0, flags [DF],
proto: TCP (6), length: 64) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59433: S, cksum 0x28f0 (correct),
996672625:996672625(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 1091991160 0,sackOK,eol>
11:40:30.407095 IP (tos 0x10, ttl 64, id 13409, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
., cksum 0x8c30 (correct), ack 104 win 33026 <nop,nop,timestamp
1091991260 31321002>
11:40:30.475112 IP (tos 0x0, ttl 52, id 52691, offset 0, flags
[none], proto: TCP (6), length: 60) vvv.zzz.226.92.59433 >
xxx.yyy.15.125.ftp-data: S, cksum 0x4e22 (correct),
425829165:425829165(0) ack 996672626 win 17680 <mss 1360,nop,wscale
1,nop,nop,timestamp 31321002 1091991160>
11:40:30.475147 IP (tos 0x0, ttl 64, id 13410, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59433: ., cksum 0x3ce9 (correct), ack 1 win 33026
<nop,nop,timestamp 1091991328 31321002>
11:40:30.475175 IP (tos 0x10, ttl 64, id 13411, offset 0, flags [DF],
proto: TCP (6), length: 82) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0x2440 (correct), 755:785(30) ack 104 win 33026
<nop,nop,timestamp 1091991328 31321002>
11:40:30.476375 IP (tos 0x8, ttl 64, id 13412, offset 0, flags [DF],
proto: TCP (6), length: 757) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59433: P 1:706(705) ack 1 win 33026 <nop,nop,timestamp
1091991329 31321002>
11:40:30.476386 IP (tos 0x8, ttl 64, id 13413, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59433: F, cksum 0x3a26 (correct), 706:706(0) ack 1 win
33026 <nop,nop,timestamp 1091991329 31321002>
11:40:30.476419 IP (tos 0x10, ttl 64, id 13414, offset 0, flags [DF],
proto: TCP (6), length: 74) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0xa90b (correct), 785:807(22) ack 104 win 33026
<nop,nop,timestamp 1091991329 31321002>
11:40:30.644763 IP (tos 0x0, ttl 52, id 52719, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59433 >
xxx.yyy.15.125.ftp-data: ., cksum 0x9a01 (correct), ack 707 win 8487
<nop,nop,timestamp 31321002 1091991329>
11:40:30.644768 IP (tos 0x0, ttl 52, id 52721, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59433 >
xxx.yyy.15.125.ftp-data: F, cksum 0x989f (correct), 1:1(0) ack 707 win
8840 <nop,nop,timestamp 31321002 1091991329>
11:40:30.644800 IP (tos 0x8, ttl 64, id 13415, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59433: ., cksum 0x397e (correct), ack 2 win 33025
<nop,nop,timestamp 1091991497 31321002>
11:40:30.645140 IP (tos 0x0, ttl 52, id 52725, offset 0, flags
[none], proto: TCP (6), length: 60) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0xf5a8 (correct), 104:112(8) ack 807 win
17680 <nop,nop,timestamp 31321002 1091991328>
11:40:30.645186 IP (tos 0x10, ttl 64, id 13416, offset 0, flags [DF],
proto: TCP (6), length: 82) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0xabd2 (correct), 807:837(30) ack 112 win 33026
<nop,nop,timestamp 1091991498 31321002>
11:40:30.817661 IP (tos 0x0, ttl 52, id 52751, offset 0, flags
[none], proto: TCP (6), length: 104) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P 112:164(52) ack 837 win 17680 <nop,nop,timestamp
31321003 1091991498>
11:40:30.817733 IP (tos 0x10, ttl 64, id 13417, offset 0, flags [DF],
proto: TCP (6), length: 64) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0x7ef6 (correct), 837:849(12) ack 164 win 33026
<nop,nop,timestamp 1091991670 31321003>
11:40:30.986187 IP (tos 0x0, ttl 52, id 52889, offset 0, flags
[none], proto: TCP (6), length: 104) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P 164:216(52) ack 849 win 17680 <nop,nop,timestamp
31321003 1091991670>
11:40:30.986350 IP (tos 0x10, ttl 64, id 13418, offset 0, flags [DF],
proto: TCP (6), length: 72) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0xbc39 (correct), 849:869(20) ack 216 win 33026
<nop,nop,timestamp 1091991839 31321003>
11:40:31.178950 IP (tos 0x0, ttl 52, id 52910, offset 0, flags
[none], proto: TCP (6), length: 80) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P, cksum 0x09ff (correct), 216:244(28) ack 869 win
17680 <nop,nop,timestamp 31321003 1091991839>
11:40:31.179050 IP (tos 0x10, ttl 64, id 13419, offset 0, flags [DF],
proto: TCP (6), length: 81) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0xce4c (correct), 869:898(29) ack 244 win 33026
<nop,nop,timestamp 1091992031 31321003>
11:40:31.348099 IP (tos 0x0, ttl 52, id 52939, offset 0, flags
[none], proto: TCP (6), length: 104) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: P 244:296(52) ack 898 win 17680 <nop,nop,timestamp
31321004 1091992031>
11:40:31.348182 IP (tos 0x0, ttl 64, id 13420, offset 0, flags [DF],
proto: TCP (6), length: 64) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: S, cksum 0x5b3d (correct),
1882233162:1882233162(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 1091992200 0,sackOK,eol>
11:40:31.447341 IP (tos 0x10, ttl 64, id 13421, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
., cksum 0x86cf (correct), ack 296 win 33026 <nop,nop,timestamp
1091992300 31321004>
11:40:31.515626 IP (tos 0x0, ttl 52, id 52961, offset 0, flags
[none], proto: TCP (6), length: 60) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: S, cksum 0xde2d (correct),
1839460650:1839460650(0) ack 1882233163 win 17680 <mss 1360,nop,wscale
1,nop,nop,timestamp 31321004 1091992200>
11:40:31.515661 IP (tos 0x0, ttl 64, id 13422, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: ., cksum 0xccf4 (correct), ack 1 win 33026
<nop,nop,timestamp 1091992368 31321004>
11:40:31.515721 IP (tos 0x10, ttl 64, id 13423, offset 0, flags [DF],
proto: TCP (6), length: 112) xxx.yyy.15.125.ftp >
vvv.zzz.226.92.50187: P 898:958(60) ack 296 win 33026
<nop,nop,timestamp 1091992368 31321004>
11:40:31.516254 IP (tos 0x8, ttl 64, id 13424, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 1:1349(1348) ack 1 win 33026
<nop,nop,timestamp 1091992368 31321004>
11:40:31.838063 IP (tos 0x0, ttl 52, id 53010, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x2832 (correct), ack 1349 win 8320
<nop,nop,timestamp 31321005 1091992368>
11:40:31.838093 IP (tos 0x8, ttl 64, id 13425, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 1349:2697(1348) ack 1 win 33026
<nop,nop,timestamp 1091992690 31321005>
11:40:31.838103 IP (tos 0x8, ttl 64, id 13426, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 2697:4045(1348) ack 1 win 33026
<nop,nop,timestamp 1091992690 31321005>
11:40:31.838437 IP (tos 0x0, ttl 52, id 53011, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.50187 >
xxx.yyy.15.125.ftp: ., cksum 0xc240 (correct), ack 958 win 17680
<nop,nop,timestamp 31321005 1091992368>
11:40:32.006838 IP (tos 0x0, ttl 52, id 53139, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x1c68 (correct), ack 4045 win 8320
<nop,nop,timestamp 31321005 1091992690>
11:40:32.006866 IP (tos 0x8, ttl 64, id 13427, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 4045:5393(1348) ack 1 win 33026
<nop,nop,timestamp 1091992859 31321005>
11:40:32.006876 IP (tos 0x8, ttl 64, id 13428, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 5393:6741(1348) ack 1 win 33026
<nop,nop,timestamp 1091992859 31321005>
11:40:32.006885 IP (tos 0x8, ttl 64, id 13429, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 6741:8089(1348) ack 1 win 33026
<nop,nop,timestamp 1091992859 31321005>
11:40:32.178238 IP (tos 0x0, ttl 52, id 53161, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x0e95 (correct), ack 8089 win 7646
<nop,nop,timestamp 31321005 1091992859>
11:40:32.178264 IP (tos 0x8, ttl 64, id 13430, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 8089:9437(1348) ack 1 win 33026
<nop,nop,timestamp 1091993030 31321005>
11:40:32.178283 IP (tos 0x8, ttl 64, id 13431, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 9437:10785(1348) ack 1 win 33026
<nop,nop,timestamp 1091993030 31321005>
11:40:32.178292 IP (tos 0x8, ttl 64, id 13432, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 10785:12133(1348) ack 1 win 33026
<nop,nop,timestamp 1091993030 31321005>
11:40:32.178303 IP (tos 0x8, ttl 64, id 13433, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 12133:13481(1348) ack 1 win 33026
<nop,nop,timestamp 1091993030 31321005>
11:40:32.347763 IP (tos 0x0, ttl 52, id 53188, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x0361 (correct), ack 10785 win 7646
<nop,nop,timestamp 31321006 1091993030>
11:40:32.347769 IP (tos 0x0, ttl 52, id 53191, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xfb7a (correct), ack 12133 win 8320
<nop,nop,timestamp 31321006 1091993030>
11:40:32.347792 IP (tos 0x8, ttl 64, id 13434, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 13481:14829(1348) ack 1 win 33026
<nop,nop,timestamp 1091993200 31321006>
11:40:32.347801 IP (tos 0x8, ttl 64, id 13435, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 14829:16177(1348) ack 1 win 33026
<nop,nop,timestamp 1091993200 31321006>
11:40:32.347811 IP (tos 0x8, ttl 64, id 13436, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 16177:17525(1348) ack 1 win 33026
<nop,nop,timestamp 1091993200 31321006>
11:40:32.347826 IP (tos 0x8, ttl 64, id 13437, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 17525:18873(1348) ack 1 win 33026
<nop,nop,timestamp 1091993200 31321006>
11:40:32.347834 IP (tos 0x8, ttl 64, id 13438, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 18873:20221(1348) ack 1 win 33026
<nop,nop,timestamp 1091993200 31321006>
11:40:32.439209 IP (tos 0x0, ttl 52, id 53204, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xf636 (correct), ack 13481 win 8320
<nop,nop,timestamp 31321006 1091993030>
11:40:32.439234 IP (tos 0x8, ttl 64, id 13439, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 20221:21569(1348) ack 1 win 33026
<nop,nop,timestamp 1091993291 31321006>
11:40:32.516914 IP (tos 0x0, ttl 52, id 53222, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xeb04 (correct), ack 16177 win 8320
<nop,nop,timestamp 31321006 1091993200>
11:40:32.516938 IP (tos 0x8, ttl 64, id 13441, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 21569:22917(1348) ack 1 win 33026
<nop,nop,timestamp 1091993369 31321006>
11:40:32.516947 IP (tos 0x8, ttl 64, id 13442, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 22917:24265(1348) ack 1 win 33026
<nop,nop,timestamp 1091993369 31321006>
11:40:32.517165 IP (tos 0x0, ttl 52, id 53229, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xddda (correct), ack 20221 win 7646
<nop,nop,timestamp 31321006 1091993200>
11:40:32.517190 IP (tos 0x8, ttl 64, id 13447, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 24265:25613(1348) ack 1 win 33026
<nop,nop,timestamp 1091993369 31321006>
11:40:32.517202 IP (tos 0x8, ttl 64, id 13448, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 25613:26961(1348) ack 1 win 33026
<nop,nop,timestamp 1091993369 31321006>
11:40:32.609860 IP (tos 0x0, ttl 52, id 53254, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xd599 (correct), ack 21569 win 8320
<nop,nop,timestamp 31321006 1091993291>
11:40:32.609882 IP (tos 0x8, ttl 64, id 13450, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 26961:28309(1348) ack 1 win 33026
<nop,nop,timestamp 1091993462 31321006>
11:40:32.609893 IP (tos 0x8, ttl 64, id 13451, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 28309:29657(1348) ack 1 win 33026
<nop,nop,timestamp 1091993462 31321006>
11:40:32.685690 IP (tos 0x0, ttl 52, id 53281, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xc821 (correct), ack 25613 win 7646
<nop,nop,timestamp 31321006 1091993369>
11:40:32.685713 IP (tos 0x8, ttl 64, id 13453, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 29657:31005(1348) ack 1 win 33026
<nop,nop,timestamp 1091993538 31321006>
11:40:32.685722 IP (tos 0x8, ttl 64, id 13454, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 31005:32353(1348) ack 1 win 33026
<nop,nop,timestamp 1091993538 31321006>
11:40:32.686939 IP (tos 0x0, ttl 52, id 53284, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xc03b (correct), ack 26961 win 8320
<nop,nop,timestamp 31321006 1091993369>
11:40:32.686975 IP (tos 0x8, ttl 64, id 13456, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 32353:33701(1348) ack 1 win 33026
<nop,nop,timestamp 1091993539 31321006>
11:40:32.686986 IP (tos 0x8, ttl 64, id 13457, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 33701:35049(1348) ack 1 win 33026
<nop,nop,timestamp 1091993539 31321006>
11:40:32.778635 IP (tos 0x0, ttl 52, id 53315, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xb556 (correct), ack 29657 win 8320
<nop,nop,timestamp 31321006 1091993462>
11:40:32.778660 IP (tos 0x8, ttl 64, id 13459, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 35049:36397(1348) ack 1 win 33026
<nop,nop,timestamp 1091993630 31321006>
11:40:32.778669 IP (tos 0x8, ttl 64, id 13460, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 36397:37745(1348) ack 1 win 33026
<nop,nop,timestamp 1091993630 31321006>
11:40:32.854966 IP (tos 0x0, ttl 52, id 53338, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xaa81 (correct), ack 32353 win 8320
<nop,nop,timestamp 31321007 1091993538>
11:40:32.854988 IP (tos 0x8, ttl 64, id 13462, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 37745:39093(1348) ack 1 win 33026
<nop,nop,timestamp 1091993707 31321007>
11:40:32.854997 IP (tos 0x8, ttl 64, id 13463, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 39093:40441(1348) ack 1 win 33026
<nop,nop,timestamp 1091993707 31321007>
11:40:32.855465 IP (tos 0x0, ttl 52, id 53343, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0xa29a (correct), ack 35049 win 7646
<nop,nop,timestamp 31321007 1091993539>
11:40:32.855495 IP (tos 0x8, ttl 64, id 13465, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 40441:41789(1348) ack 1 win 33026
<nop,nop,timestamp 1091993707 31321007>
11:40:32.948411 IP (tos 0x0, ttl 52, id 53358, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x9a59 (correct), ack 36397 win 8320
<nop,nop,timestamp 31321007 1091993630>
11:40:32.948463 IP (tos 0x8, ttl 64, id 13467, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 41789:43137(1348) ack 1 win 33026
<nop,nop,timestamp 1091993800 31321007>
11:40:32.948477 IP (tos 0x8, ttl 64, id 13468, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 43137:44485(1348) ack 1 win 33026
<nop,nop,timestamp 1091993800 31321007>
11:40:32.948785 IP (tos 0x0, ttl 52, id 53361, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x9515 (correct), ack 37745 win 8320
<nop,nop,timestamp 31321007 1091993630>
11:40:32.948813 IP (tos 0x8, ttl 64, id 13470, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 44485:45833(1348) ack 1 win 33026
<nop,nop,timestamp 1091993801 31321007>
11:40:33.023741 IP (tos 0x0, ttl 52, id 53478, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x8ce2 (correct), ack 40441 win 7646
<nop,nop,timestamp 31321007 1091993707>
11:40:33.023765 IP (tos 0x8, ttl 64, id 13472, offset 0, flags [DF],
proto: TCP (6), length: 1400) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: . 45833:47181(1348) ack 1 win 33026
<nop,nop,timestamp 1091993875 31321007>
11:40:33.023774 IP (tos 0x8, ttl 64, id 13473, offset 0, flags [DF],
proto: TCP (6), length: 752) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: FP 47181:47881(700) ack 1 win 33026
<nop,nop,timestamp 1091993875 31321007>
11:40:33.024116 IP (tos 0x0, ttl 52, id 53481, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x84fc (correct), ack 41789 win 8320
<nop,nop,timestamp 31321007 1091993707>
11:40:33.118062 IP (tos 0x0, ttl 52, id 53505, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x7f5b (correct), ack 43137 win 8320
<nop,nop,timestamp 31321007 1091993800>
11:40:33.118068 IP (tos 0x0, ttl 52, id 53510, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x7775 (correct), ack 45833 win 7646
<nop,nop,timestamp 31321007 1091993800>
11:40:33.198889 IP (tos 0x0, ttl 52, id 53524, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: ., cksum 0x7087 (correct), ack 47882 win 7296
<nop,nop,timestamp 31321007 1091993875>
11:40:33.198894 IP (tos 0x0, ttl 52, id 53525, offset 0, flags
[none], proto: TCP (6), length: 52) vvv.zzz.226.92.59434 >
xxx.yyy.15.125.ftp-data: F, cksum 0x6a7e (correct), 1:1(0) ack 47882
win 8840 <nop,nop,timestamp 31321007 1091993875>
11:40:33.198929 IP (tos 0x8, ttl 64, id 13474, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp-data >
vvv.zzz.226.92.59434: ., cksum 0x0b55 (correct), ack 2 win 33025
<nop,nop,timestamp 1091994051 31321007>
11:41:18.199989 IP (tos 0x0, ttl 52, id 888, offset 0, flags [none],
proto: TCP (6), length: 52) vvv.zzz.226.92.50187 > xxx.yyy.15.125.ftp:
F, cksum 0xc1e3 (correct), 296:296(0) ack 958 win 17680
<nop,nop,timestamp 31321097 1091992368>
11:41:18.200018 IP (tos 0x10, ttl 64, id 13570, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
., cksum 0xcfa0 (correct), ack 297 win 33026 <nop,nop,timestamp
1092039040 31321097>
11:41:18.200099 IP (tos 0x10, ttl 64, id 13571, offset 0, flags [DF],
proto: TCP (6), length: 65) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
P, cksum 0x0cd6 (correct), 958:971(13) ack 297 win 33026
<nop,nop,timestamp 1092039040 31321097>
11:41:18.200230 IP (tos 0x10, ttl 64, id 13572, offset 0, flags [DF],
proto: TCP (6), length: 52) xxx.yyy.15.125.ftp > vvv.zzz.226.92.50187:
F, cksum 0xcf92 (correct), 971:971(0) ack 297 win 33026
<nop,nop,timestamp 1092039040 31321097>
11:41:18.366766 IP (tos 0x0, ttl 52, id 919, offset 0, flags [none],
proto: TCP (6), length: 40) vvv.zzz.226.92.50187 > xxx.yyy.15.125.ftp:
R, cksum 0xe896 (correct), 1708289771:1708289771(0) win 0
11:41:18.366772 IP (tos 0x0, ttl 52, id 920, offset 0, flags [none],
proto: TCP (6), length: 40) vvv.zzz.226.92.50187 > xxx.yyy.15.125.ftp:
R, cksum 0xe896 (correct), 1708289771:1708289771(0) win 0
On Wed, Jan 6, 2010 at 11:23 AM, Peter Maxwell <peter at allicient.co.uk> wrote:
> 2010/1/6 M. Keith Thompson <m.keith.thompson at gmail.com>:
>> I have a very screwy problem. I have a pure-ftp server running pf on
>> FreeBSD 7.0. For the most part the server works fine; users upload
>> and download multi-megabyte files daily. However, I have one client
>> (HP-UX) that can not get files larger that 98K. If I turn off pf, it
>> works fine. The pflog does not show any packets from the IP that does
>> not work. I am totally lost; any ideas?
>
>
> Off the top of my head: packet normalisation/scrub directives, the
> other one would be to post your ruleset and a tcpdump of the session
> so folk have something to work with.
>
> Also, what happens to the FTP data and control connections - do they
> just stall or are the RSTs, etc? What does your state table show?
>
More information about the freebsd-pf
mailing list