Jail, pf and ftpd: Connection refused

Max Laier max at love2party.net
Fri Oct 3 10:08:46 UTC 2008


On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me
> "getpeername(control_sock): Transport endpoint is not connected,
> Socket error (Connection refused) - reconnecting" when trying to log
> onto box3 via passive FTP? Active FTP gives me "425 Can't build data
> connection: Connection refused." (box2 and box3 are jails running off
> box1)

See ftp-proxy(8).

Note that active works with the ruleset you provided (due to the "pass out 
keep state"-rule), but there is obviously a firewall problem on the client 
preventing that.

> -
>
> root at box1# cat /etc/pf.conf
>
> box1 = "80.203.2.2"
> box2 = "80.203.2.3"
> box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
>
> ext_if = "rl0"
>
> set block-policy return
> set skip on { lo0 }
>
> scrub in
>
> pass out keep state
>
> block in
>
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
> pass in on $ext_if inet proto icmp from any to any keep state
>
> -
>
> root at box3# cat /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
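Added example, not code from the thread or from the ftp-proxy(8) manual: a pf.conf for box1 that follows the ftp-proxy reverse-mode arrangement Max points at. The problem with the posted ruleset is that a passive data connection lands on a random high port of box3 that only the "block in" rule matches, and with "set block-policy return" that shows up at the client as "Connection refused". With the proxy, box1 runs ftp-proxy bound to the jail's public address on port 21, watches the PASV/PORT exchange and loads a temporary rdr/pass rule into the anchors for just that data connection. The private jail address 10.0.0.4 (so ftpd and the proxy do not fight over 80.203.2.4:21) and the rc.conf lines are assumptions of this example, not something the thread states.

```pf
# Added example for the thread above (assumptions marked as such).
# Host side: ftp-proxy(8) in reverse mode, started on box1 as
#   ftp-proxy -R 10.0.0.4 -p 21 -b 80.203.2.4
# or, assumed rc.conf(5) equivalent on FreeBSD 7:
#   ftpproxy_enable="YES"
#   ftpproxy_flags="-R 10.0.0.4 -p 21 -b 80.203.2.4"
# The jail's ftpd is assumed to listen on the private address 10.0.0.4,
# which is reached only from box1 itself.

ext_if   = "rl0"
box1     = "80.203.2.2"
box2     = "80.203.2.3"
ftp_pub  = "80.203.2.4"        # address FTP clients connect to (the proxy binds it)
ftp_jail = "10.0.0.4"          # hypothetical private address of the ftpd jail

set block-policy return
set skip on { lo0 }

scrub in

# Translation section: ftp-proxy inserts one rdr rule per data connection
# here, so the random high port is redirected only for the client and
# only for as long as that transfer lasts.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Filter section.
block in
pass out keep state

pass in on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } flags S/SA keep state
pass in on $ext_if inet proto udp from any to $box2 port 53 keep state

# FTP control connection goes to the proxy on the public address.
pass in on $ext_if inet proto tcp from any to $ftp_pub port 21 flags S/SA keep state

# Data connections: the proxy also loads a matching pass rule into this
# anchor for each PASV/PORT it sees, so no permanent 49152:65535 hole is needed.
anchor "ftp-proxy/*"

pass in on $ext_if inet proto icmp from any to any keep state
```

Without the proxy, the minimal change that makes passive mode work is to open the server's passive range, since FreeBSD's ftpd(8) picks passive data ports from the high range 49152 to 65535 unless started with -U (for example "pass in on $ext_if inet proto tcp from any to $box3 port 49152:65535 keep state"). That works, but it leaves the whole range reachable on every box3 address all the time; the anchor approach opens one port, for one client, for the life of one transfer. In either variant, check with "pfctl -vsr" and "pfctl -a 'ftp-proxy/*' -sr" while a client is in PASV to confirm the expected rule actually appears.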

