FTP problem

Gergely CZUCZY phoemix at harmless.hu
Fri Dec 8 10:14:28 PST 2006


On Fri, Dec 08, 2006 at 04:53:02PM +0300, Roman Gorohov wrote:
> Hello, Gergely.
> 
> > try to use pftpx instead of ftp-proxy, it's available from ports.
> 
> 
> > Bye,
> 
> > Gergely Czuczy
> 
> I tried switching to pftpx and got the same result.
> Last messages:
> Dec  7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec  7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec  7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted
> Dec  7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec  7 17:03:15 fw-spb last message repeated 2 times
> Then it hung.
> 
> Address 10.10.1.70 is server itself, so I don't understand what's going on...
> I started to think that there is some loop in pf rules, this would
> nicely explain why there aren't any messages at the console. But I can't
> see any.
> This is everything referencing ftp in my pf.conf:
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> pass out on $ext_if inet proto tcp from $ext_if to any port 21 flags S/AUPRFS modulate state
> pass in on $ext_if proto tcp from any to any port 21 keep state
if you paste a ruleset, please also resolve all of the macros
and include the interface definitions.
we don't even know what addresses your $int_if has,
where you receive your ftp connections from, or what
configuration you are using for pftpx.
> 
> Any suggestions?
man pftpx, check the parameters.
think of these while doing that:
> Dec  7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec  7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec  7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70

and for this, check your pf ruleset. if the sending of
the packet is disabled by a local pf rule, you might get that
error message
> Dec  7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted


as a general good hint i'd suggest reading
google://how+to+ask for you.
it's not a joke, it's a serious suggestion.

> Regards, Roman.
> 
> 

Bye,

Gergely Czuczy
mailto: gergely.czuczy at harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.

More information about the freebsd-pf mailing list