pf + ftpd: Socket error (Connection refused)
Kyrre Nygård
kyrreny at broadpark.no
Fri Apr 6 15:04:09 UTC 2007
At 14:01 06.04.2007, Kyrre Nygård wrote:
>Hello!
>
>My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is
>running its native ftpd along with pf and its
>ftp-proxy. But after a recent make world,
>outsiders could no longer connect to this ftpd:
>
> <--- 227 Entering Passive Mode (80,204,208,30,208,212)
> ---- Connecting data socket to (80.204.208.30) port 53460
> **** Socket error (Connection refused)
>
>Nor with active mode:
>
> <--- 200 PORT command successful.
> ---> LIST
>
>My server's external interface is 80.204.208.30
>(ADSL), and my internal interface is
>192.168.187.1, which connects to my workstation 192.168.187.2.
>
>All works well, except ftpd. My pf.conf was
>inspired by http://www.openbsd.org/faq/pf/example1.html
>
> ##### /etc/pf.conf
>
> ext_if="rl0"
> int_if="ep0"
>
> set block-policy return
>
> set skip on { lo }
>
> scrub in
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to any
> port 53333:55555 -> 192.168.187.2 port 53333:55555
>
> block in
>
> pass quick on $int_if
>
> pass out keep state
>
> anchor "ftp-proxy/*"
>
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any
> to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
> pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
>
> pass in inet proto icmp from any to any keep state
>
> pass in on $ext_if inet proto tcp from any
> to any port 53333:55555 keep state
>
>Any suggestions to improve or simplify my
>ruleset are warmly welcomed. Ffor instance, why
>does it need 3 instances of what seems like the
>same thing? nat-anchor "ftp-proxy/*", rdr-anchor
>"ftp-proxy/*" and then anchor "ftp-proxy/*"?
>
> ##### /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
>Thanks a lot for your time.
>
>--Kyrre
Problem solved, I just disabled ftp-proxy (guess
I didn't need it) and started forwarding just
53333 to 192.168.187.2 instead of the entire
range. 53333:55555 were my
net.inet.ip.portrange.hifirst and
net.inet.ip.portrange.hilast, so the way things
are now, ftpd has free access to 53334:55555, and it seems quite content.
Thanks,
Kyrre
More information about the freebsd-questions
mailing list