From owner-freebsd-pf@FreeBSD.ORG Mon Oct 23 23:13:50 2006
From: Michal Mertl
To: freebsd-pf
Date: Tue, 24 Oct 2006 01:13:44 +0200
Message-Id: <1161645224.1054.80.camel@genius.i.cz>
Subject: BAD state with pftpx
List-Id: "Technical discussion and general questions about packet filter (pf)"

I wanted to run an FTP server on a machine protected by PF on FreeBSD 6.1 p10. I use pftpx for normal client proxying (as PF's ftp-proxy in FreeBSD is outdated and does not work for my FTP clients: Windows XP with the firewall enabled does not allow the connections to originate from a different IP address than the one the client connected to). The pftpx proxy seems to also support standing in front of an FTP server.
I use the following for configuring pf for the task (pftpx 0.8_1 from ports):

--
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8022
anchor "pftpx/*"
--

I run pftpx with "pftpx -c 8022 -f 127.0.0.1 -d -D 7" and stock ftpd with "ftpd -D -a 127.0.0.1".

The connection from outside is established and I can do passive transfers. Active ones (either PORT or EPRT) don't work, and with "set debug loud" in /etc/pf.conf I see these messages on the console:

---
pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 [lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] [lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] 10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on: 2 | 6
---

Debug output of pftpx follows:

---
#1 client: EPRT |1|client.ip|52124|\r\n
#1 proxy: EPRT |1|127.0.0.1|61630|\r\n
#1 server: 200 EPRT command successful.\r\n
#1 active: server to client port 52124 via port 61630
#1 client: LIST\r\n
---

I haven't yet had a chance to test it on RELENG_6 or CURRENT, but I think the code there is the same. There can be a bug in pftpx as well.

Is there any other way to allow an FTP server (active and passive) to run behind/on a PF-protected firewall? Active should work without a proxy, but I want both and do not want to open up the firewall for passive without a proxy.

Thanks
Michal
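As an added illustration that is not part of Michal's post, the Python below parses the "pf: BAD state" line quoted above and re-derives the "2 | 6" failure codes by restating pf's six sequence-window checks; for this packet the SYN/ACK's sequence number lies below the window the state expects from that side while its ack exactly matches the other side, and both sides of the state are already in TIME_WAIT. The exact check expressions are recalled from pf_test_state_tcp() rather than copied, and the TCPS_* name table comes from tcp_fsm.h; both are assumptions, as are the helper names.

```python
import re
from collections import namedtuple
# Constructed copy of the console line quoted in the post (host placeholders kept as written).
BAD_STATE = (
    "pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 "
    "[lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] "
    "[lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] "
    "10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev"
)
WIN = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+(?: wscale=(\d+))?\]"
LINE_RE = re.compile(
    r"pf: BAD state: TCP (\S+) (\S+) (\S+) " + WIN + " " + WIN +
    r" (\d+):(\d+) (\w+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=-?\d+ "
    r"pkts=\d+:\d+ dir=(\w+),(\w+)"
)
Window = namedtuple("Window", "lo high win wscale")
MASK, MAXACKWINDOW = 0xFFFFFFFF, 65535
# TCPS_* numbering from FreeBSD's tcp_fsm.h, which pf reuses for the two sides of a TCP state.
TCPS = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "CLOSE_WAIT",
        "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT"]

def seq_geq(a, b):
    """SEQ_GEQ(a, b) from tcp_seq.h: 32-bit wrap-around sequence comparison."""
    return ((a - b) & MASK) < 0x80000000

def parse(line):
    """Split one 'pf: BAD state:' line into the state's two windows and the packet fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a pf BAD state line")
    g = m.groups()
    win = lambda i: Window(*(int(x or 0) for x in g[i:i + 4]))   # wscale absent -> 0
    return {"addrs": g[0:3], "state_src": win(3), "state_dst": win(7), "rel": g[18],
            "states": (TCPS[int(g[11])], TCPS[int(g[12])]), "flags": g[13],
            "seq": int(g[14]), "ack": int(g[15]), "len": int(g[16])}

def failed_checks(p):
    """Numbers pf prints after 'State failure on:' (assumption: tests restated from memory)."""
    # A 'rev' packet travels against the state's direction, so src/dst roles swap.
    src, dst = (p["state_dst"], p["state_src"]) if p["rel"] == "rev" else (p["state_src"], p["state_dst"])
    end = p["seq"] + p["len"] + ("S" in p["flags"]) + ("F" in p["flags"])
    ackskew = (dst.lo - p["ack"]) & MASK
    ackskew -= (1 << 32) if ackskew >= 0x80000000 else 0   # read as a signed int
    tests = [seq_geq(src.high, end),                                          # 1: seq not past the window
             seq_geq(p["seq"], (src.lo - (dst.win << dst.wscale)) & MASK),   # 2: seq not before it
             ackskew >= -MAXACKWINDOW,                                        # 3: ack not too far ahead
             ackskew <= (MAXACKWINDOW << src.wscale),                         # 4: ack not too far behind
             seq_geq((src.high + MAXACKWINDOW) & MASK, end),                  # 5: loose form of 1
             seq_geq(p["seq"], (src.lo - MAXACKWINDOW) & MASK)]               # 6: loose form of 2
    return [i + 1 for i, ok in enumerate(tests) if not ok]
```

Running `failed_checks(parse(BAD_STATE))` on the quoted line yields `[2, 6]`, the same pair pf printed, which pins the drop on the sequence number rather than on the ack.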