Ftp + pf + Two ISP ---> no luck

Tom Judge tom at tomjudge.com
Thu Oct 21 21:33:11 UTC 2010



On 10/21/2010 09:17 AM, Subscriber wrote:
> Hi All.
>
> First of all sorry for my bad English.
>
> I have some problem with two ISP and ftp service on FreeBSD box. A
> few days I try to resolve the problem, but no luck. Googling does not
> help me to. My brain soon blowup. So…. pls help me.
>
> I want, that my ftp service was accessible from ISP1 and ISP2. I can
> log in my ftp from outside, but when I try to download files, or
> opening the folders with big number of files, my server is "freeze",
> and download newer happened. Some times ftp-server "unfreez" for very
> short time, at this moment:
>

You need something like:

pass in on $ext_if1 inet proto tcp from any to $isp1_ip port 21 reply-to
( $ext_if1 $isp1_gw )
pass in on $ext_if2 inet proto tcp from any to $isp2_ip port 21 reply-to
( $ext_if2 $isp2_gw )

And the same for the passive port range you configure in the ftp daemon.

TJ

> load averages:  9.24,  2.69,  1.18
> 36 processes:  7 running, 29 sleeping
> CPU:  0.0% user,  0.0% nice,  0.0% system, 99.9% interrupt,  0.1% idle
> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
> Swap: 512M Total, 32K Used, 512M Free
>
> In the ftp-server logs (vsftpd) I see next:
>
> ======= start cut of log ====================
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
> "ip_was_replaced", "PASV"
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
> "ip_was_replaced", "227 Entering Passive Mode
> (xxx,xxx,xxx,136,195,80)."
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
> "ip_was_replaced", "RETR
> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
> "ip_was_replaced", "150 Opening BINARY mode data connection for
> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728
> bytes)."
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
> "ip_was_replaced", "426 Failure writing network stream."
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client
> "ip_was_replaced",
> "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe",
> 33580 bytes, 0.86Kbyte/sec
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client
> "ip_was_replaced", "????ABOR"
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
> "ip_was_replaced", "225 No transfer to ABOR."
>
> and so on...
> ======= end cut of log ====================
>
> About my system:
> # uname -rsm
> FreeBSD 8.1-RELEASE i386
>
> Ftp servers in passive mode:
> vsftpd-2.3.2 (Listen on port 21)
> proftpd-1.3.3a (Listen on port 2121)
>
> pf - as firewall, kernel compiled with:
> device          pf
> device          pflog
> options         ALTQ
> options         ALTQ_CBQ
> options         ALTQ_RED
> options         ALTQ_RIO
> options         ALTQ_HFSC
> options         ALTQ_CDNR
> options         ALTQ_PRIQ
> options         ALTQ_NOPCC
>
> my pf.conf:
> =======start of pf.conf ====================
> # macros
> # internal interface
> int_if = "fxp0"
>
> ext_if = "{ fxp1, fxp2 }"
>
> # interface to isp1 and isp2
> ext_if1 = "fxp1"
> ext_if2 = "fxp2"
>
> #gateway for isp1 and isp2
> ext_gw1 = "xxx.xxx.xxx.129"
> ext_gw2 = "xxx.xxx.xxx.3"
>
> # ftp ports
> ftp_serv = "{ 21, 2121, 50000:50100 }"
>
> icmp_types = "{ echoreq }"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8 }"
> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>
> # options
> set block-policy drop
> #set loginterface $ext_if
>
> # scrub
> scrub in all
> # nat
> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>
> # filter rules
> block all
> block in quick on $ext_if inet proto udp from any port 137:139 \
>         to any port 137:139
> block log on $ext_if all
>
> pass quick on lo0 all
>
> block in quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
>
> pass out on $ext_if1 inet from $ext_if1 to any
> pass out on $ext_if2 inet from $ext_if2 to any
> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>
> # icmp rules
> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>     proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>     proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
> pass out quick inet proto icmp all keep state
>
> # for local network out
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> #ftp service
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>     port $ftp_serv flags S/SA keep state
>
> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>     proto tcp from $ftp_allowed_ip to ($ext_if2) \
>     port $ftp_serv flags S/SA keep state
>
> pass out quick on $ext_if proto tcp all modulate state flags S/SA
> pass out quick on $ext_if proto { udp, icmp } all keep state
>
> =======-end of pf.conf ====================
>
> If I replace rule
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>     port $ftp_serv flags S/SA keep state
>
> to
> pass in on $ext_if1 inet \
>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>     port $ftp_serv flags S/SA keep state
>
> then ftp-server accessible from ISP1, but from ISP2 - no.
>
>


-- 
TJU13-ARIN



More information about the freebsd-pf mailing list