bin/71490: ftp-proxy or rdr@pf not working

Divacky Roman xdivac02 at
Wed Sep 8 03:40:24 PDT 2004

>Number:         71490
>Category:       bin
>Synopsis:       ftp-proxy or rdr at pf not working
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 10:40:24 GMT 2004
>Originator:     Divacky Roman
>Release:        FreeBSD 5.3-BETA3 i386
FreeBSD queeg500 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Tue Sep  7 13:01:38 CEST 2004
   rdivacky at queeg500:/usr/obj/usr/src/sys/QUEEG  i386

I've got the following problem
with this pf.conf:

#normalize packets
scrub in all

altq on $ext_if bandwidth 256Kb cbq queue {ssh_i web other} 
queue ssh_i bandwidth 25% cbq(borrow ecn)
queue web bandwidth 25% cbq(borrow ecn)
queue other bandwidth 50% cbq(borrow default ecn)

nat on $ext_if from $int_if:network to any -> ($ext_if)
#ftp redirection
rdr on $int_if proto tcp from any to any port 21 -> port 8021

#default to block all
#block in on $ext_if all
#pass all out while keeping state. and queue it
pass out on $ext_if from any to any keep state queue other
pass on $ext_if proto tcp from any to any port ssh keep state queue(ssh_i, other)
pass out on $ext_if proto tcp from any to any port http keep state queue web
#ftp proxy
pass in on $ext_if inet proto tcp from any to any user proxy keep state queue other
#allow icmp
pass in on $ext_if inet proto icmp from any to any

(notice that it's in fact a pass-all configuration)
and properly configured inetd to run ftp-proxy. I tried to debug inetd;
it waited in this:
574                 if ((n = select(maxsock + 1, &readable, (fd_set *)0,

then, on the machine behind NAT, I issued an ftp command... the select stayed the
same (i.e. no packets arrived), and in pfctl -sa I found this:
self tcp <- <- CLOSED:SYN_SENT
so the connection was established but then died for an unknown reason

so I suppose there's something rotten in pf/ftp-proxy... (since the
configuration is correct)

the fbsd in question is 6-current as of:
witten inetd# uname -a
FreeBSD witten 6.0-CURRENT FreeBSD 6.0-CURRENT #123: Mon Sep  6 15:42:35 CEST
2004     root at witten:/usr/obj/usr/src/sys/NEOLOGISM  i386

but I also got it on releng_5

simply said, ftp-proxy (used to provide ftp access to outer ftp for machines
behind NAT) doesn't work (at least for me)

thanks for looking at it

try to set up ftp-proxy using my pf.conf and use ftp from machines behind
the NAT...


I am not aware of any fix
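The one piece of evidence in this report is the pf state line: a TCP state sitting in CLOSED:SYN_SENT, i.e. a SYN was seen and matched the rdr, but nothing ever answered, which is consistent with inetd never leaving select(). The script below is an added diagnostic example, not part of this PR or of FreeBSD; it parses pfctl -ss style output and flags such half-open TCP states so they can be told apart from sessions that actually completed. The line layout it assumes (interface, protocol, an endpoint chain joined by "->" for outbound or "<-" for inbound states, then SRC_STATE:DST_STATE) is taken from the shape of the line in the report, and all addresses in the sample are constructed.

```python
"""Flag half-open TCP states in pfctl -ss style output.

Added example (not from the PR or from FreeBSD). The line layout is an
assumption based on the state line quoted in the report:
    <iface> <proto> <endpoint> <- <endpoint> <- <endpoint>    <STATE>:<STATE>
Outbound states use "->" instead of "<-".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output with made-up addresses; not real pfctl output.
# Line 1 mirrors the report: SYN matched a port-21 -> port-8021 redirect,
# the peer never replied, so the state never left SYN_SENT/CLOSED.
SAMPLE_STATES = """\
self tcp 10.0.0.1:8021 <- 203.0.113.5:21 <- 192.168.1.20:49152    CLOSED:SYN_SENT
self tcp 203.0.113.9:443 <- 203.0.113.9:443 <- 192.168.1.20:49153    ESTABLISHED:ESTABLISHED
fxp0 tcp 198.51.100.7:22 -> 203.0.113.1:50000    ESTABLISHED:ESTABLISHED
self udp 192.168.1.20:5353 <- 224.0.0.251:5353    NO_TRAFFIC:SINGLE
"""

# iface, proto, endpoint chain (non-greedy), final "X:Y" state token
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")
ARROW_RE = re.compile(r"\s+(?:<-|->)\s+")


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str          # "in" when the chain uses "<-", else "out"
    hops: List[str]         # endpoints in display order
    src_state: Optional[str]
    dst_state: Optional[str]

    def half_open(self) -> bool:
        """True for a TCP state where one peer sent SYN and the other never
        answered. pfctl may print the two peers in either order, so both
        SYN_SENT:CLOSED and CLOSED:SYN_SENT (as in the report) count."""
        if self.proto != "tcp":
            return False
        return {self.src_state, self.dst_state} == {"SYN_SENT", "CLOSED"}

    def describe(self) -> str:
        arrow = " <- " if self.direction == "in" else " -> "
        return (f"{self.iface} {self.proto} {arrow.join(self.hops)} "
                f"[{self.src_state}:{self.dst_state}]")


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one state line; returns None for lines that do not fit."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    iface, proto, chain, states = m.groups()
    hops = ARROW_RE.split(chain)
    direction = "in" if "<-" in chain else "out"
    src_state, _, dst_state = states.partition(":")
    return PfState(iface, proto, direction, hops, src_state, dst_state or None)


def parse_states(text: str) -> List[PfState]:
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def find_half_open(text: str) -> List[PfState]:
    """Return only the TCP states that never got past the initial SYN."""
    return [s for s in parse_states(text) if s.half_open()]


if __name__ == "__main__":
    # Usage: pfctl -ss | python3 this_script.py   (here: the constructed sample)
    for st in find_half_open(SAMPLE_STATES):
        print("half-open:", st.describe())
```

Fed the real output of pfctl -ss on the gateway, a half-open state whose chain carries the redirected port (8021 here) while the original destination port is 21 tells you the rdr matched but the redirected listener never answered, which narrows the search to the inetd/ftp-proxy side rather than the NAT rule.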

