Problems with active FTP and ftp-proxy

J. Martin Petersen jmp at alvorlig.dk
Mon Nov 22 11:46:00 PST 2004


Hi

We've recently set up a FreeBSD 5.3 box with pf as NAT gateway and firewall for our
local network of 800-1000 users. Most things, including prioritizing traffic,
work just fine, but I can't get active FTP from internal clients to work.

I've added the rules noted at http://www.openbsd.org/faq/pf/ftp.html, but it
doesn't really work. I can see from the debug log output of ftp-proxy that it
proxies the FTP connection, and I can see from netstat that it actually listens
on the port it claims to listen on. I can also see with tcpdump that the
FTP server responds to that port. But ftp-proxy still times out a bit later
with the error "cannot connect data channel (Operation timed out)".

Here are snippets of the relevant logs and configuration files:
--tcpdump pflog0--
rule 153/0(match): pass in on em0: IP 10.1.4.50.2767 > 127.0.0.1.8021: S 2138343662:2138343662(0) win 65535 <mss 1460,nop,nop,sackOK>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.21 > 195.24.1.195.53620: S 3860699189:3860699189(0) ack 3533547730 win 5792 <mss 1380,sackOK,timestamp[|tcp]>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.20 > 195.24.1.195.51169: S 3863458569:3863458569(0) win 5840 <mss 1380,sackOK,timestamp[|tcp]>

--the relevant rules--
@153 pass log on em0 inet from 10.1.4.50 to any modulate state
@155 pass in log on fxp0 inet proto tcp from any to 195.24.1.195 user = 62 keep state

--netstat -an--
tcp4       0      0  195.24.1.195.57875     10.1.4.50.5001         SYN_SENT
tcp4     185      0  195.24.1.195.51169     195.41.131.10.20       CLOSE_WAIT
tcp4      54      0  195.24.1.195.53620     195.41.131.10.21       ESTABLISHED

--log output from ftp-proxy--
Nov 22 20:00:40 fw ftp-proxy[56849]: accepted connection from 10.1.4.50:2767 to 195.41.131.10:21
Nov 22 20:00:40 fw ftp-proxy[56849]: local socket is 195.24.1.195:53620
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 220 ProFTPD 1.2.9rc3 Server (linux1.unoeuro.com) [linux1.unoeuro.com]^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: USER rxd.dk^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 331 Password required for rxd.dk.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PASS XXXX
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 230 User rxd.dk logged in.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: SYST^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 215 UNIX Type: L8^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: FEAT^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 211-Features:^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server:  MDTM^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server:  REST STREAM^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server:  SIZE^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 211 End^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PWD^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 257 "/" is current directory.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: TYPE A^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 200 Type set to A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PORT 10,1,4,50,19,137^M
Nov 22 20:00:40 fw ftp-proxy[56849]: Got a PORT command
Nov 22 20:00:40 fw ftp-proxy[56849]: client wants us to use 10.1.4.50:5001
Nov 22 20:00:40 fw ftp-proxy[56849]: we want server to use 195.24.1.195:51169
Nov 22 20:00:40 fw ftp-proxy[56849]: to server (modified): PORT 195,24,1,195,199,225^M
Nov 22 20:00:40 fw ftp-proxy[56849]:  server: 200 PORT command successful^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: LIST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server listen socket ready
Nov 22 20:01:55 fw ftp-proxy[56849]: cannot connect data channel (Operation timed out)

--inetd.conf--
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy -V -D 2 -n -a 195.24.1.195

--excerpts from pf.conf--
# interface macros ($ext_if1 and the $www_*/$dns_* macros are defined elsewhere in pf.conf, not shown here)
ext_if0="fxp0"
ext_gw0="195.24.1.193"
int_if="em0"
loo_if="lo0"

scrub all

# NAT the internal network out of each external interface
nat on $ext_if0 from $int_if:network to any -> ($ext_if0)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
# inbound redirects for the web and DNS servers
rdr on $ext_if0 proto $www_proto from any to any port $www_ports -> $www
rdr on $ext_if0 proto $dns_proto from any to any port $dns_ports -> $dns
# send the test host's FTP control connections to ftp-proxy listening on lo0 (port ftp-proxy = 8021)
rdr on $int_if  proto tcp from "10.1.4.50" to any port ftp -> $loo_if port ftp-proxy

antispoof for $int_if inet
antispoof for $ext_if0 inet

pass on $int_if all
pass quick on $loo_if all
pass log on $int_if from "10.1.4.50" modulate state
# ftp-proxy runs as user "proxy": let it connect out, and let the server's active-mode data connection back in to it
pass out on $ext_if0 user proxy
pass in log on $ext_if0 inet proto tcp from any to $ext_if0 user proxy keep state

Passive FTP works just fine, both with and without the "-n" flag for ftp-proxy.
"10.1.4.50" is the test machine I'm testing from, and it doesn't work either if
I substitute "any" for it.

Do you have any suggestions?

/Martin
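The PORT rewrite visible in the ftp-proxy debug log above (the client's PORT 10,1,4,50,19,137 decoding to 10.1.4.50:5001, re-sent to the server as PORT 195,24,1,195,199,225 for the proxy's own socket 195.24.1.195:51169) is the RFC 959 encoding: four address octets, then the port as two decimal bytes, high byte first. The Python below is an added example, not code from ftp-proxy(8) or from the original post. It decodes and re-encodes PORT commands the way the proxy did, and adds the checks a proxy should apply before honouring one: the client may only name its own address (otherwise the proxy becomes an FTP bounce relay), and, as a policy choice assumed by this example rather than anything the log shows, privileged destination ports are refused. The addresses and port numbers used in __main__ are the ones from the posted log.

```python
"""Active-mode FTP PORT handling, as an FTP proxy in front of NAT must do it.

Added example, not code from ftp-proxy(8) or from the original post. It
decodes and re-encodes RFC 959 PORT commands and applies the sanity checks
a proxy should run before honouring one.
"""
import ipaddress
import re
from typing import Optional, Tuple

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -- four address octets followed by the
# port as two decimal bytes, high byte first (port = p1 * 256 + p2).
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(command: str) -> Tuple[str, int]:
    """Decode a PORT command into (dotted-quad host, port).

    Raises ValueError for anything that is not a well-formed PORT command,
    so a proxy can drop the session instead of guessing.
    """
    m = _PORT_RE.match(command.strip())
    if m is None:
        raise ValueError(f"not a PORT command: {command!r}")
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in {command!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def format_port(host: str, port: int) -> str:
    """Encode (host, port) as a PORT command; the inverse of parse_port."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def check_port(command: str, client_ip: str) -> Optional[str]:
    """Return None if the client's PORT command may be honoured, else a reason.

    The host check is what stops the proxy from being used as an FTP bounce
    relay: the client may only ask for a data connection back to itself.
    The low-port refusal is a policy choice (an assumption of this example);
    it keeps a client from pointing the data channel at, e.g., its own SMTP port.
    """
    try:
        host, port = parse_port(command)
    except ValueError as exc:
        return str(exc)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(client_ip):
        return f"PORT names {host}, but the control connection is from {client_ip}"
    if port < 1024:
        return f"refusing privileged data port {port}"
    return None


def rewrite_port(command: str, client_ip: str,
                 proxy_ip: str, proxy_port: int) -> Tuple[Tuple[str, int], str]:
    """Do what the proxy does with a PORT command from the client.

    Returns ((client_host, client_port), modified_command): where the proxy
    must connect on the inside once the server opens the data channel, and
    the PORT line to send to the server, naming the proxy's own listening
    socket instead of the client's private address.
    """
    reason = check_port(command, client_ip)
    if reason is not None:
        raise PermissionError(reason)
    return parse_port(command), format_port(proxy_ip, proxy_port)


if __name__ == "__main__":
    # Values from the posted ftp-proxy log; 51169 is the listening port the
    # proxy happened to pick for that session.
    cmd = "PORT 10,1,4,50,19,137"
    host, port = parse_port(cmd)
    print(f"client wants us to use {host}:{port}")
    inside, to_server = rewrite_port(cmd, "10.1.4.50", "195.24.1.195", 51169)
    print(f"to server (modified): {to_server}")
    # A bounce attempt: PORT naming a third host (192.0.2.9 is documentation space).
    print("bounce attempt:", check_port("PORT 192,0,2,9,0,25", "10.1.4.50"))
```

Run it directly to see the two log lines reproduced; `check_port` is kept separate from `rewrite_port` so the reject reason can be logged the way ftp-proxy logs its decisions, while the session is torn down rather than forwarded.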

