fetch and ftp problems through pf

Reinhold freebsd at violetlan.net
Sun Jul 29 22:59:07 UTC 2007


Hi

I have a bit of a fetch and ftp problem when it comes to the hosts
behind my freebsd 6.2 stable pf firewall. I can use fetch and ftp
perfectly fine from the firewall, but once I want to use them on one of the
hosts behind it I get the following errors.

Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:hamba): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||5654|)
425 Security: Bad IP connecting.
ftp> exit
221 Goodbye.

# ftp ftp.de.freebsd.org
Connected to ftp.plusline.net.
220-
220-PUBLIC FTP MIRROR
220-
220-Plus.Line AG
220-http://www.plusline.net
220-Frankfurt a. M.
220-Germany
220-
220
Name (ftp.de.freebsd.org:hamba): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35507|)
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
ftp: poll timeout waiting before accept: Operation timed out
426 Failure writing network stream.
225 No transfer to ABOR.
ftp> exit
221 Goodbye.

I have multiple IPs on my external if, so I'm using pftpx as the ftp proxy.
I followed the man page and added this to my pf.conf:
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from 10.0.0.0/8 to any port 21 -> 127.0.0.1 port 8021
anchor "pftpx/*"

I also added this to the rc.conf file:
pftpx_enable="YES"
pftpx_flags="-p 80.81.242.5"

Here is the debug output I got from pftpx:
Jul 25 22:50:13 amanzi pftpx[92813]: #1 accepted connection from 10.0.100.150
Jul 25 22:50:13 amanzi pftpx[92813]: #1 server: 220 Welcome to freebsd.isc.org.^M
Jul 25 22:50:15 amanzi pftpx[92813]: #1 client: USER anonymous^M
Jul 25 22:50:15 amanzi pftpx[92813]: #1 server: 331 Please specify the password.^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: PASS ^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 230 Login successful.^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: SYST^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 215 UNIX Type: L8^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: FEAT^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 211-Features:^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  EPRT^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  EPSV^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  MDTM^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  PASV^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  REST STREAM^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  SIZE^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server:  TVFS^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 211 End^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: PWD^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 257 "/"^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 client: EPSV^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 server: 229 Entering Extended Passive Mode (|||30018|)^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 proxy: 229 Entering Extended Passive Mode (|||59677|)^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 client: LIST^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 server: 425 Security: Bad IP connecting.^M

I also have 2 internal IPs on each host behind the firewall. I have
attached my pf.conf file; everything works perfectly without problems
except for ftp. I also have to mention that it's not all the ftp sites but
only some of them, and when I fetch from http it also works.

Thanks for the time
Reinhold
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf.conf
Type: application/octet-stream
Size: 9759 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070729/899814ff/pf.obj
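The pftpx debug log quoted in the post can be read back mechanically. The Python script below is an added example, not code from the original post or from pftpx: it reconstructs each proxy session from constructed copies of the quoted log lines, pairs the passive port the real server offered with the one the proxy handed to the client, and lists every 4xx/5xx server reply that answered a data-channel command, so a failing mirror can be compared line by line against a working one. The regular expressions, the event names and the sample lines are the example's own assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(  # "<ts> <host> pftpx[<pid>]: #<session> <who>: <text>"
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pftpx\[(?P<pid>\d+)\]: '
    r'#(?P<sess>\d+) (?P<who>accepted connection from|client|server|proxy):? ?(?P<text>.*)$')
EPSV_RE = re.compile(r'\(\|\|\|(\d+)\|\)')  # port inside "(|||NNNN|)"

# Constructed sample: the post's lines re-joined where the mail wrapped them, ^M removed.
SAMPLE_LOG = """\
Jul 25 22:50:13 amanzi pftpx[92813]: #1 accepted connection from 10.0.100.150
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 230 Login successful.
Jul 25 22:50:17 amanzi pftpx[92813]: #1 client: EPSV
Jul 25 22:50:17 amanzi pftpx[92813]: #1 server: 229 Entering Extended Passive Mode (|||30018|)
Jul 25 22:50:17 amanzi pftpx[92813]: #1 proxy: 229 Entering Extended Passive Mode (|||59677|)
Jul 25 22:50:18 amanzi pftpx[92813]: #1 client: LIST
Jul 25 22:50:18 amanzi pftpx[92813]: #1 server: 425 Security: Bad IP connecting.
"""

def parse_sessions(log_text):
    """Group log lines by proxy session id into ordered (who, text) events."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.rstrip('\r'))
        if m:  # anything else in the file is not a pftpx line and is skipped
            who = 'client_ip' if m.group('who').startswith('accepted') else m.group('who')
            sessions[m.group('sess')].append((who, m.group('text').strip()))
    return dict(sessions)

def analyse(events):
    """Client IP, (server-offered, proxy-rewritten) EPSV ports, 4xx/5xx replies to data commands."""
    report = {'client_ip': None, 'epsv': [], 'data_failures': []}
    server_port = pending_cmd = None
    for who, text in events:
        if who == 'client_ip':
            report['client_ip'] = text
        elif text.startswith('229') and who in ('server', 'proxy'):
            m = EPSV_RE.search(text)
            port = int(m.group(1)) if m else None
            if who == 'server':
                server_port = port  # passive port the real server offered
            else:
                report['epsv'].append((server_port, port))  # port the client was told instead
        elif who == 'client' and text.split(' ', 1)[0] in ('LIST', 'NLST', 'RETR', 'STOR'):
            pending_cmd = text
        elif who == 'server' and pending_cmd and text.startswith(('4', '5')):
            report['data_failures'].append((pending_cmd, text))
            pending_cmd = None
    return report
```

Run it over a full debug log (one session per `#N` id) and a session whose `data_failures` is non-empty right after an EPSV pair is the one to compare with a server that works.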
