Ftp + pf + Two ISP ---> no luck
Tom Judge
tom at tomjudge.com
Mon Oct 25 16:35:37 UTC 2010
On 10/22/2010 02:34 AM, Subscriber wrote:
> Hello Tom,
Take a look at ftpsesame in ports, this will help you and simplify your
firewall configuration.
TJ
> Friday, October 22, 2010, 12:13:41 AM, you wrote:
>
>> On 10/21/2010 09:17 AM, Subscriber wrote:
>>> Hi All.
>>>
>>> First of all sorry for my bad English.
>>>
>>> I have some problem with two ISP and ftp service on FreeBSD box. A
>>> few days I try to resolve the problem, but no luck. Googling does not
>>> help me to. My brain soon blowup. So…. pls help me.
>>>
>>> I want, that my ftp service was accessible from ISP1 and ISP2. I can
>>> log in my ftp from outside, but when I try to download files, or
>>> opening the folders with big number of files, my server is "freeze",
>>> and download newer happened. Some times ftp-server "unfreez" for very
>>> short time, at this moment:
>>>
>> You need something like:
>> pass in on $ext_if1 inet proto tcp from any to $isp1_ip port 21 reply-to
>> ( $ext_if1 $isp1_gw )
>> pass in on $ext_if2 inet proto tcp from any to $isp2_ip port 21 reply-to
>> ( $ext_if2 $isp2_gw )
>> And the same for the passive port range you configure in the ftp daemon.
> I change the rule as you say:
>
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to ($ext_if1) \
> port $ftp_serv flags S/SA keep state
>
> Now I have:
>
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to $ext_ip1 \
> port $ftp_serv
>
> But it is not help. Situation are not change. I can't upload or
> download files :(
>
>> TJ
>>> load averages: 9.24, 2.69, 1.18
>>> 36 processes: 7 running, 29 sleeping
>>> CPU: 0.0% user, 0.0% nice, 0.0% system, 99.9% interrupt, 0.1% idle
>>> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
>>> Swap: 512M Total, 32K Used, 512M Free
>>>
>>> In the ftp-server logs (vsftpd) I see next:
>>>
>>> ======= start cut of log ====================
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "PASV"
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "227 Entering Passive Mode
>>> (xxx,xxx,xxx,136,195,80)."
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "RETR
>>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "150 Opening BINARY mode data connection for
>>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728
>>> bytes)."
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "426 Failure writing network stream."
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client
>>> "ip_was_replaced",
>>> "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe",
>>> 33580 bytes, 0.86Kbyte/sec
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "????ABOR"
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "225 No transfer to ABOR."
>>>
>>> and so on...
>>> ======= end cut of log ====================
>>>
>>> About my system:
>>> # uname -rsm
>>> FreeBSD 8.1-RELEASE i386
>>>
>>> Ftp servers in passive mode:
>>> vsftpd-2.3.2 (Listen on port 21)
>>> proftpd-1.3.3a (Listen on port 2121)
>>>
>>> pf - as firewall, kernel compiled with:
>>> device pf
>>> device pflog
>>> options ALTQ
>>> options ALTQ_CBQ
>>> options ALTQ_RED
>>> options ALTQ_RIO
>>> options ALTQ_HFSC
>>> options ALTQ_CDNR
>>> options ALTQ_PRIQ
>>> options ALTQ_NOPCC
>>>
>>> my pf.conf:
>>> =======start of pf.conf ====================
>>> # macros
>>> # internal interface
>>> int_if = "fxp0"
>>>
>>> ext_if = "{ fxp1, fxp2 }"
>>>
>>> # interface to isp1 and isp2
>>> ext_if1 = "fxp1"
>>> ext_if2 = "fxp2"
>>>
>>> #gateway for isp1 and isp2
>>> ext_gw1 = "xxx.xxx.xxx.129"
>>> ext_gw2 = "xxx.xxx.xxx.3"
>>>
>>> # ftp ports
>>> ftp_serv = "{ 21, 2121, 50000:50100 }"
>>>
>>> icmp_types = "{ echoreq }"
>>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>> 10.0.0.0/8 }"
>>> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>>>
>>> # options
>>> set block-policy drop
>>> #set loginterface $ext_if
>>>
>>> # scrub
>>> scrub in all
>>> # nat
>>> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
>>> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>>>
>>> # filter rules
>>> block all
>>> block in quick on $ext_if inet proto udp from any port 137:139 \
>>> to any port 137:139
>>> block log on $ext_if all
>>>
>>> pass quick on lo0 all
>>>
>>> block in quick on $ext_if from $priv_nets to any
>>> block out quick on $ext_if from any to $priv_nets
>>>
>>> pass out on $ext_if1 inet from $ext_if1 to any
>>> pass out on $ext_if2 inet from $ext_if2 to any
>>> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
>>> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>>>
>>> # icmp rules
>>> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
>>> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>> proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
>>> pass out quick inet proto icmp all keep state
>>>
>>> # for local network out
>>> pass in on $int_if from $int_if:network to any keep state
>>> pass out on $int_if from any to $int_if:network keep state
>>>
>>> #ftp service
>>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if2) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> pass out quick on $ext_if proto tcp all modulate state flags S/SA
>>> pass out quick on $ext_if proto { udp, icmp } all keep state
>>>
>>> =======-end of pf.conf ====================
>>>
>>> If I replace rule
>>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> to
>>> pass in on $ext_if1 inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> then ftp-server accessible from ISP1, but from ISP2 - no.
>>>
>>>
>
>
>
>
--
TJU13-ARIN
More information about the freebsd-pf
mailing list