Ftp + pf + Two ISP ---> no luck

Subscriber ml-lists at agoris.net.ua
Thu Oct 21 14:47:50 UTC 2010


Hi All.

First of all, sorry for my bad English.

I have a problem with two ISPs and an ftp service on a FreeBSD box. For a
few days I have been trying to resolve the problem, but no luck. Googling does
not help me either. My brain will soon blow up. So... please help me.

I want my ftp service to be accessible from ISP1 and ISP2. I can
log in to my ftp from outside, but when I try to download files, or
open folders with a big number of files, my server "freezes",
and the download never happens. Sometimes the ftp-server "unfreezes" for a
very short time; at this moment:

load averages:  9.24,  2.69,  1.18
36 processes:  7 running, 29 sleeping
CPU:  0.0% user,  0.0% nice,  0.0% system, 99.9% interrupt,  0.1% idle
Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
Swap: 512M Total, 32K Used, 512M Free

In the ftp-server logs (vsftpd) I see the following:

======= start cut of log ====================
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
"ip_was_replaced", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
"ip_was_replaced", "227 Entering Passive Mode
(xxx,xxx,xxx,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
"ip_was_replaced", "RETR
Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
"ip_was_replaced", "150 Opening BINARY mode data connection for
Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728
bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
"ip_was_replaced", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client
"ip_was_replaced",
"/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe",
33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client
"ip_was_replaced", "????ABOR"
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
"ip_was_replaced", "225 No transfer to ABOR."

and so on...
======= end cut of log ====================

About my system:
# uname -rsm
FreeBSD 8.1-RELEASE i386

Ftp servers in passive mode:
vsftpd-2.3.2 (Listen on port 21)
proftpd-1.3.3a (Listen on port 2121)

pf as firewall, kernel compiled with:
device          pf
device          pflog
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_CDNR
options         ALTQ_PRIQ
options         ALTQ_NOPCC

my pf.conf:
=======start of pf.conf ====================
# macros
# internal interface
int_if = "fxp0"

ext_if = "{ fxp1, fxp2 }"

# interface to isp1 and isp2
ext_if1 = "fxp1"
ext_if2 = "fxp2"

#gateway for isp1 and isp2
ext_gw1 = "xxx.xxx.xxx.129"
ext_gw2 = "xxx.xxx.xxx.3"

# ftp ports
ftp_serv = "{ 21, 2121, 50000:50100 }"

icmp_types = "{ echoreq }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8 }"
ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"

# options
set block-policy drop
#set loginterface $ext_if

# scrub
scrub in all
# nat
nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)

# filter rules
block all
block in quick on $ext_if inet proto udp from any port 137:139 \
        to any port 137:139
block log on $ext_if all

pass quick on lo0 all

block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

pass out on $ext_if1 inet from $ext_if1 to any
pass out on $ext_if2 inet from $ext_if2 to any
pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state

# icmp rules
pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
    proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
pass out quick inet proto icmp all keep state

# for local network out
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

#ftp service
pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if2) \
    port $ftp_serv flags S/SA keep state

pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state

======= end of pf.conf ====================

If I replace the rule
pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

with
pass in on $ext_if1 inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

then the ftp-server is accessible from ISP1, but not from ISP2.


-- 
Best regards,
 Subscriber                          mailto:ml-lists at agoris.net.ua
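The vsftpd excerpt in the post records, for each session pid, the "227 Entering Passive Mode (a,b,c,d,hi,lo)" reply and later the "FAIL DOWNLOAD" line with the byte count and rate. One check a practitioner would want before touching the pf rules is whether the data port vsftpd advertised (hi*256+lo) actually falls inside the port list that `$ftp_serv` in the pf.conf above passes in (`{ 21, 2121, 50000:50100 }`), since a passive port outside that macro is dropped by `block all` regardless of the reply-to rules. The script below is an added example, not code from the post, from vsftpd or from the FreeBSD project; the log lines in `SAMPLE_LOG` are constructed in the same shape as the posted ones (addresses and file names are placeholders), and the `analyse`/`parse_pf_ports` names and the single-line log layout are assumptions.

```python
import re

# Constructed sample in the shape of the posted vsftpd log; client and
# advertised addresses are placeholder documentation ranges, not real hosts.
SAMPLE_LOG = """\
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "203.0.113.10", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.10", "227 Entering Passive Mode (198,51,100,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "203.0.113.10", "RETR example.bin"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.10", "150 Opening BINARY mode data connection for example.bin (1235728 bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.10", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "203.0.113.10", "/pub/example.bin", 33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:18:02 2010 [pid 92440] [ftpusr] FTP response: Client "203.0.113.10", "227 Entering Passive Mode (198,51,100,136,200,10)."
Thu Oct 21 16:18:03 2010 [pid 92440] [ftpusr] FAIL DOWNLOAD: Client "203.0.113.10", "/pub/other.bin", 0 bytes, 0.00Kbyte/sec
"""

# The pf macro from the posted pf.conf.
FTP_SERV_MACRO = "{ 21, 2121, 50000:50100 }"

# 227 reply: the last two numbers encode the data port as hi*256 + lo.
PASV_RE = re.compile(
    r'\[pid (?P<pid>\d+)\].*"227 Entering Passive Mode '
    r'\((?P<a>\d+),(?P<b>\d+),(?P<c>\d+),(?P<d>\d+),(?P<hi>\d+),(?P<lo>\d+)\)'
)
# FAIL DOWNLOAD line: path, bytes actually sent, and rate.
FAIL_RE = re.compile(
    r'\[pid (?P<pid>\d+)\].*FAIL DOWNLOAD: Client "(?P<client>[^"]+)", '
    r'"(?P<path>[^"]+)", (?P<nbytes>\d+) bytes, (?P<rate>[\d.]+)Kbyte/sec'
)


def parse_pf_ports(macro):
    """Turn a pf port list like "{ 21, 2121, 50000:50100 }" into (lo, hi) ranges."""
    ranges = []
    for item in macro.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                      # pf range syntax lo:hi
            lo, hi = item.split(":", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def port_allowed(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def analyse(log_text, pf_macro):
    """Correlate each FAIL DOWNLOAD with the passive port its session advertised."""
    ranges = parse_pf_ports(pf_macro)
    last_pasv = {}            # pid -> (advertised address, data port)
    findings = []
    for line in log_text.splitlines():
        m = PASV_RE.search(line)
        if m:
            ip = ".".join(m.group(k) for k in ("a", "b", "c", "d"))
            port = int(m.group("hi")) * 256 + int(m.group("lo"))
            last_pasv[m.group("pid")] = (ip, port)
            continue
        m = FAIL_RE.search(line)
        if m:
            ip, port = last_pasv.get(m.group("pid"), (None, None))
            findings.append({
                "pid": m.group("pid"),
                "client": m.group("client"),
                "path": m.group("path"),
                "bytes": int(m.group("nbytes")),
                "rate_kbs": float(m.group("rate")),
                "pasv_ip": ip,
                "pasv_port": port,
                # False also when no 227 reply was seen for this pid
                "port_in_pf_range": port is not None and port_allowed(port, ranges),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, FTP_SERV_MACRO):
        flag = "ok" if f["port_in_pf_range"] else "NOT in pf range"
        print(f'pid {f["pid"]} {f["path"]}: {f["bytes"]} bytes at '
              f'{f["rate_kbs"]} KB/s, PASV {f["pasv_ip"]}:{f["pasv_port"]} ({flag})')
```

Run it against the real log (`analyse(open(path).read(), FTP_SERV_MACRO)`) to list every failed transfer with its advertised data port. For the posted excerpt the port is 195*256+80 = 50000, which is inside the macro, so that particular failure is not explained by the port list; a port flagged "NOT in pf range" (as for the second constructed session, 51210) would point at a mismatch between the ftp daemon's passive range and `$ftp_serv`. The report also prints the single address the 227 reply advertises, which is worth comparing with the two per-interface `pass in` rules, since each of them only matches traffic arriving on its own interface.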



More information about the freebsd-pf mailing list