Problems with active FTP and ftp-proxy
J. Martin Petersen
jmp at alvorlig.dk
Mon Nov 22 11:46:00 PST 2004
Hi
We've recently set up a FreeBSD 5.3 box with pf as NAT gateway and firewall for our
local network with 800-1000 users. Most things, including prioritizing traffic,
work just fine, but I can't get active ftp from internal clients to work.
I've added the rules noted at http://www.openbsd.org/faq/pf/ftp.html, but it
doesn't really work. I can see from the debug log output of ftp-proxy that it
proxies the ftp connection, and I can see from netstat that it actually listens
on the port it claims to listen on. I can also see with tcpdump that the
ftp server responds to that port. But ftp-proxy still times out a bit later
with the error "cannot connect data channel (Operation timed out)".
Here are snippets of the relevant logs and configuration files:
--tcpdump pflog0--
rule 153/0(match): pass in on em0: IP 10.1.4.50.2767 > 127.0.0.1.8021: S
2138343662:2138343662(0) win 65535 <mss 1460,nop,nop,sackOK>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.21 > 195.24.1.195.53620: S
3860699189:3860699189(0) ack 3533547730 win 5792 <mss 1380,sackOK,timestamp[|tcp]>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.20 > 195.24.1.195.51169: S
3863458569:3863458569(0) win 5840 <mss 1380,sackOK,timestamp[|tcp]>
--the relevant rules--
@153 pass log on em0 inet from 10.1.4.50 to any modulate state
@155 pass in log on fxp0 inet proto tcp from any to 195.24.1.195 user = 62 keep state
--netstat -an--
tcp4 0 0 195.24.1.195.57875 10.1.4.50.5001 SYN_SENT
tcp4 185 0 195.24.1.195.51169 195.41.131.10.20 CLOSE_WAIT
tcp4 54 0 195.24.1.195.53620 195.41.131.10.21 ESTABLISHED
--log output from ftp-proxy--
Nov 22 20:00:40 fw ftp-proxy[56849]: accepted connection from 10.1.4.50:2767 to
195.41.131.10:21
Nov 22 20:00:40 fw ftp-proxy[56849]: local socket is 195.24.1.195:53620
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 220 ProFTPD 1.2.9rc3 Server
(linux1.unoeuro.com) [linux1.unoeuro.com]^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: USER rxd.dk^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 331 Password required for rxd.dk.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PASS XXXX
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 230 User rxd.dk logged in.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: SYST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 215 UNIX Type: L8^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: FEAT^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211-Features:^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: MDTM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: REST STREAM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: SIZE^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211 End^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PWD^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 257 "/" is current directory.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: TYPE A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 Type set to A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PORT 10,1,4,50,19,137^M
Nov 22 20:00:40 fw ftp-proxy[56849]: Got a PORT command
Nov 22 20:00:40 fw ftp-proxy[56849]: client wants us to use 10.1.4.50:5001
Nov 22 20:00:40 fw ftp-proxy[56849]: we want server to use 195.24.1.195:51169
Nov 22 20:00:40 fw ftp-proxy[56849]: to server (modified): PORT 195,24,1,195,199,225^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 PORT command successful^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: LIST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server listen socket ready
Nov 22 20:01:55 fw ftp-proxy[56849]: cannot connect data channel (Operation timed out)
--inetd.conf--
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 2 -n -a 195.24.1.195
--excerpts from pf.conf--
ext_if0="fxp0"
ext_gw0="195.24.1.193"
int_if="em0"
loo_if="lo0"
scrub all
nat on $ext_if0 from $int_if:network to any -> ($ext_if0)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
rdr on $ext_if0 proto $www_proto from any to any port $www_ports -> $www
rdr on $ext_if0 proto $dns_proto from any to any port $dns_ports -> $dns
rdr on $int_if proto tcp from "10.1.4.50" to any port ftp -> $loo_if port ftp-proxy
antispoof for $int_if inet
antispoof for $ext_if0 inet
pass on $int_if all
pass quick on $loo_if all
pass log on $int_if from "10.1.4.50" modulate state
pass out on $ext_if0 user proxy
pass in log on $ext_if0 inet proto tcp from any to $ext_if0 user proxy keep state
Passive ftp works just fine, both with and without the "-n" flag for ftp-proxy.
"10.1.4.50" is the test machine I'm testing from, and it doesn't work either if
I replace it with "any".
Do you have any suggestions?
/Martin
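Added example, not part of the original post and not code from ftp-proxy or pf: a small Python model of the PORT rewriting that the ftp-proxy log above shows (client sends PORT 10,1,4,50,19,137, the proxy forwards PORT 195,24,1,195,199,225), plus the anti-bounce check a proxy in that position should make. The function names (parse_port, format_port, rewrite_port, data_channel_legs) and the allow_mismatch policy are this example's own assumptions, not ftp-proxy's interface; the sample PORT lines are taken from the log above.

```python
"""Model of active-FTP PORT handling as done by a NAT-side proxy (example code)."""
import ipaddress
import re

# RFC 959 PORT form: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line: str) -> tuple[str, int]:
    """Decode a PORT command into (ip, port).

    19,137 -> 19*256+137 = 5001 and 199,225 -> 199*256+225 = 51169,
    matching the two endpoints in the ftp-proxy log.
    """
    m = PORT_RE.match(line.strip())          # strip() also drops the ^M
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = octets
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the comma-separated PORT form."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # validates the address
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def rewrite_port(line: str, client_src_ip: str, proxy_ip: str,
                 proxy_port: int, allow_mismatch: bool = False) -> str:
    """Rewrite the client's PORT so the server connects to the proxy instead.

    Unless allow_mismatch is set (assumed policy for a client that sits behind
    a further NAT, so its own view of its address differs from ours), a PORT
    naming an address other than the client's source address is refused: that
    is the FTP bounce pattern, a client asking the server to open a data
    connection to a third host.
    """
    client_ip, _client_port = parse_port(line)
    if not allow_mismatch and client_ip != client_src_ip:
        raise PermissionError(
            f"PORT address {client_ip} != client {client_src_ip} (bounce attempt?)")
    return format_port(proxy_ip, proxy_port)


def data_channel_legs(line: str, server_ip: str, proxy_ip: str,
                      proxy_port: int) -> list[tuple[str, str]]:
    """Return the two TCP legs an active-FTP data transfer needs through the proxy.

    Leg 1 is the server connecting from its port 20 to the proxy's listener;
    leg 2 is the proxy connecting onward to the client's advertised port.
    Both must be allowed by the firewall for the transfer to complete.
    """
    client_ip, client_port = parse_port(line)
    return [
        (f"{server_ip}:20", f"{proxy_ip}:{proxy_port}"),   # server -> proxy
        ("proxy", f"{client_ip}:{client_port}"),           # proxy -> client
    ]


if __name__ == "__main__":
    # Values from the ftp-proxy log above.
    cmd = "PORT 10,1,4,50,19,137\r"
    print(parse_port(cmd))
    print(rewrite_port(cmd, "10.1.4.50", "195.24.1.195", 51169))
    for src, dst in data_channel_legs(cmd, "195.41.131.10", "195.24.1.195", 51169):
        print(f"{src} -> {dst}")
```

The second leg returned by data_channel_legs is the one that shows up as SYN_SENT to 10.1.4.50.5001 in the netstat output above: the proxy has accepted the server's connection on its listener and is now trying to reach the client, so a rule set has to permit that onward connection from the gateway to the internal client as well as the server's inbound one.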