From: Gergely CZUCZY
To: "Roman Gorohov."
Cc: freebsd-pf@freebsd.org
Date: Fri, 8 Dec 2006 19:14:11 +0100
Subject: Re: FTP problem
Message-ID: <20061208181411.GA23064@harmless.hu>
In-Reply-To: <1904646577.20061208165302@gmail.com>
References: <546388630.20061207163149@gmail.com> <20061207133535.GA16219@harmless.hu> <1904646577.20061208165302@gmail.com>

On Fri, Dec 08, 2006 at 04:53:02PM +0300, Roman Gorohov. wrote:
> Hello, Gergely.
>
> > try to use pftpx instead of ftp-proxy, it's available from ports.
>
>
> > Bye,
>
> > Gergely Czuczy
>
> I tried switching to pftpx and got the same result.
> Last messages:
> Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted
> Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:03:15 fw-spb last message repeated 2 times
> Then it hung.
>
> Address 10.10.1.70 is the server itself, so I don't understand what's going on...
> I started to think that there is some loop in pf rules, this would
> nicely explain why there aren't any messages at console. But I can't
> see any.
> This is all referencing to ftp in my pf.conf:
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> pass out on $ext_if inet proto tcp from $ext_if to any port 21 flags S/AUPRFS modulate state
> pass in on $ext_if proto tcp from any to any port 21 keep state

if you paste a ruleset please also resolve all of the macros and
include the interface definitions also. we don't even know
what addresses your $int_if is having
where do you receive your ftp connections from, and
with what configuration are you using for pftpx

>
> Any suggestions?

man pftpx, check the parameters. think of these while doing that:
> Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
> Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70

and for this, check your pf ruleset. if the sending of the packet
is disabled by a local pf rule, you might get that error message
> Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted

as a general good hint i'd suggest reading google://how+to+ask for you.
it's not a joke, it's a serious suggestion.

> Regards, Roman.
>
>

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
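An added example, not part of the original message or of pftpx: a small parser that tallies the pftpx syslog lines quoted above, folds in syslogd's "last message repeated N times" line, and lists any address that appears both as a refused client and as an unreachable server, the pattern Roman describes for 10.10.1.70. The function name `summarize` and the regular expressions are assumptions written against the log format shown in this thread only.

```python
import re
from collections import Counter

# Log lines copied from the message above (soft line breaks rejoined).
SAMPLE_LOG = """\
Dec 7 17:02:05 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:02:47 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:02:55 fw-spb pftpx[7306]: #296 proxy cannot connect to server 10.10.1.70: Operation not permitted
Dec 7 17:03:03 fw-spb pftpx[7306]: client limit (100) reached, refusing connection from 10.10.1.70
Dec 7 17:03:15 fw-spb last message repeated 2 times
"""

REFUSED = re.compile(r"pftpx\[\d+\]: client limit \((\d+)\) reached, "
                     r"refusing connection from (\S+)$")
CONNECT_FAIL = re.compile(r"pftpx\[\d+\]: #\d+ proxy cannot connect to "
                          r"server (\S+): (.+)$")
REPEATED = re.compile(r"last message repeated (\d+) times$")


def summarize(log_text):
    """Count refusals per client and collect connect errors per server."""
    refused = Counter()   # client address -> refused connections
    failed = {}           # server address -> set of error strings
    limit = None          # configured client limit as reported by pftpx
    last_refused = None   # client of the previous line if it was a refusal
    for line in log_text.splitlines():
        line = line.strip()
        m = REFUSED.search(line)
        if m:
            limit = int(m.group(1))
            last_refused = m.group(2)
            refused[last_refused] += 1
            continue
        m = REPEATED.search(line)
        if m:
            # syslogd collapses identical lines; credit the previous refusal.
            if last_refused:
                refused[last_refused] += int(m.group(1))
            continue
        last_refused = None
        m = CONNECT_FAIL.search(line)
        if m:
            failed.setdefault(m.group(1), set()).add(m.group(2))
    # Addresses seen on both sides of the proxy deserve a ruleset review.
    both = sorted(set(refused) & set(failed))
    return {"limit": limit, "refused": dict(refused),
            "failed": failed, "client_and_server": both}
```
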