pf + ftpd: Socket error (Connection refused)

Kyrre Nygård kyrreny at broadpark.no
Fri Apr 6 15:04:09 UTC 2007


At 14:01 06.04.2007, Kyrre Nygård wrote:

>Hello!
>
>My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is 
>running its native ftpd along with pf and its 
>ftp-proxy. But after a recent make world, 
>outsiders could no longer connect to this ftpd:
>
>    <--- 227 Entering Passive Mode (80,204,208,30,208,212)
>    ---- Connecting data socket to (80.204.208.30) port 53460
>    **** Socket error (Connection refused)
>
>Nor with active mode:
>
>    <--- 200 PORT command successful.
>    ---> LIST
>
>My server's external interface is 80.204.208.30 
>(ADSL), and my internal interface is 
>192.168.187.1, which connects to my workstation 192.168.187.2.
>
>All works well, except ftpd. My pf.conf was 
>inspired by http://www.openbsd.org/faq/pf/example1.html
>
>    ##### /etc/pf.conf
>
>    ext_if="rl0"
>    int_if="ep0"
>
>    set block-policy return
>
>    set skip on { lo }
>
>    scrub in
>
>    nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>    nat-anchor "ftp-proxy/*"
>    rdr-anchor "ftp-proxy/*"
>
>    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>    rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
>
>    block in
>
>    pass quick on $int_if
>
>    pass out keep state
>
>    anchor "ftp-proxy/*"
>
>    antispoof quick for { lo $int_if }
>
>    pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
>    pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
>
>    pass in inet proto icmp from any to any keep state
>
>    pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state
>
>Any suggestions to improve or simplify my 
>ruleset are warmly welcomed. For instance, why 
>does it need 3 instances of what seems like the 
>same thing? nat-anchor "ftp-proxy/*", rdr-anchor 
>"ftp-proxy/*" and then anchor "ftp-proxy/*"?
>
>    ##### /etc/inetd.conf
>
>    ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>    ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
>Thanks a lot for your time.
>
>--Kyrre


Problem solved, I just disabled ftp-proxy (guess 
I didn't need it) and started forwarding just 
53333 to 192.168.187.2 instead of the entire 
range. 53333:55555 were my 
net.inet.ip.portrange.hifirst and 
net.inet.ip.portrange.hilast, so the way things 
are now, ftpd has free access to 53334:55555, and it seems quite content.

Thanks,
Kyrre
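A check on the passive-mode reply quoted above, added here as an example and not part of the thread: it decodes the 227 line into the data endpoint the client will connect to and flags the problems a ruleset like the quoted pf.conf causes for it, in particular a data port that the `rdr on $ext_if` rule diverts to the workstation instead of leaving it for the server's own ftpd, which is what the fix in the reply stopped doing. The address and rule tuples are constructed from the quoted pf.conf; the function names are my own.

```python
import re
from ipaddress import IPv4Address

# 227 reply format: h1,h2,h3,h4 are the address octets, data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Decode a '227 Entering Passive Mode (...)' reply into the
    (address, port) the client will open its data connection to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2

def check_pasv(line, ext_addr, pass_ranges, rdr_rules):
    """Return the problems a pf ruleset would cause for the data connection
    announced by `line` (an empty list means it should get through).
    pass_ranges: [(lo, hi)] ports admitted by 'pass in on $ext_if ... port lo:hi'
    rdr_rules:   [(lo, hi, target)] from 'rdr on $ext_if ... port lo:hi -> target'
    """
    addr, port = parse_pasv(line)
    problems = []
    if addr != IPv4Address(ext_addr):
        problems.append("advertises %s, not the external address %s" % (addr, ext_addr))
    if not any(lo <= port <= hi for lo, hi in pass_ranges):
        problems.append("port %d is blocked: no pass rule admits it" % port)
    for lo, hi, target in rdr_rules:
        if lo <= port <= hi:
            # The server's ftpd listens on this port, but pf hands the SYN to another host.
            problems.append("port %d is rdr'ed to %s, so the server's ftpd never sees it" % (port, target))
    return problems

# Constructed from the thread: the 227 reply, the external address, and both rulesets.
PASV_LINE = "227 Entering Passive Mode (80,204,208,30,208,212)"
EXT_ADDR = "80.204.208.30"
PASS_RANGES = [(53333, 55555)]
RDR_BEFORE = [(53333, 55555, "192.168.187.2")]  # whole passive range forwarded to the workstation
RDR_AFTER = [(53333, 53333, "192.168.187.2")]   # only one port forwarded; ftpd keeps 53334:55555

if __name__ == "__main__":
    for label, rules in (("before", RDR_BEFORE), ("after", RDR_AFTER)):
        print(label, check_pasv(PASV_LINE, EXT_ADDR, PASS_RANGES, rules) or ["ok"])
```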
