Date: Tue, 24 Oct 2006 01:13:44 +0200
From: Michal Mertl <mime@traveller.cz>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: BAD state with pftpx
Message-ID: <1161645224.1054.80.camel@genius.i.cz>
I wanted to run an FTP server on a machine protected by PF on FreeBSD 6.1 p10. I use pftpx for normal client proxying (as PF's ftp-proxy in FreeBSD is outdated and does not work for my FTP clients: Windows XP with the firewall enabled does not allow the connections to originate from a different IP address than the one the client connected to). The pftpx proxy also seems to support standing in front of an FTP server. I use the following for configuring pf for the task (pftpx 0.8_1 from ports):

--
nat on $ext_if from $internal_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8022
anchor "pftpx/*"
--

I run pftpx with "pftpx -c 8022 -f 127.0.0.1 -d -D 7" and stock ftpd with "ftpd -D -a 127.0.0.1".

The connection from outside is established and I can do passive transfers. Active ones (either PORT or EPRT) don't work, and with "set debug loud" in /etc/pf.conf I see these messages on the console:

---
pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 [lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] [lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] 10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on: 2 | 6
---

Debug output of pftpx follows:

---
#1 client: EPRT |1|client.ip|52124|\r\n
#1 proxy: EPRT |1|127.0.0.1|61630|\r\n
#1 server: 200 EPRT command successful.\r\n
#1 active: server to client port 52124 via port 61630
#1 client: LIST\r\n
---

I haven't yet had a chance to test it on RELENG_6 or CURRENT, but I think the code there is the same. There may be a bug in pftpx as well.

Is there any other way to allow an FTP server (active and passive) to run behind/on a PF-protected firewall? Active should work without a proxy, but I want both and do not want to open up the firewall for passive without a proxy.

Thanks

Michal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1161645224.1054.80.camel>
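The "State failure on: 2 | 6" line in the message is pf telling you which of its six TCP sequence-window tests the packet failed, but the numbers are only meaningful if you redo the comparison against the two [lo= high= win= wscale=] endpoints it printed. The following is an added example, not code from the poster, pftpx or FreeBSD: it parses the quoted "BAD state" console line and replays the checks as I understand them from pf's TCP state tracking (a SYN or FIN counts as one sequence byte, the endpoint roles swap when dir says "rev", and the extra slack MAXACKWINDOW is 65535; those three rules are assumptions taken from that code, not from the message). The second sample line is constructed to show what an in-window packet looks like.

```python
import re

# Assumption: pf's slack outside the tracked window (from pf's TCP tracking code,
# not from the message above).
MAXACKWINDOW = 65535
MASK32 = 0xFFFFFFFF

# Sample input 1: the console line quoted in the message (server.ip/client.ip are
# the poster's placeholders). Sample input 2 is constructed: same state, but a
# plain ACK whose seq sits exactly at the tracked low edge.
BAD_STATE_LINE = (
    "pf: BAD state: TCP 127.0.0.1:20 server.ip:59188 client.ip:52124 "
    "[lo=427260297 high=427325833 win=65535 modulator=0 wscale=1] "
    "[lo=3208002793 high=3208068329 win=32768 modulator=0 wscale=1] "
    "10:10 SA seq=2588730766 ack=427260297 len=0 ackskew=0 pkts=3:1 dir=in,rev"
)
IN_WINDOW_LINE = BAD_STATE_LINE.replace(
    "SA seq=2588730766", "A seq=3208002793")

END_RE = re.compile(
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]")
PKT_RE = re.compile(
    r"(\d+):(\d+) ([A-Z]+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+) "
    r"pkts=(\d+):(\d+) dir=(in|out),(fwd|rev)")


def to_signed(x):
    """Reinterpret a 32-bit unsigned difference as a signed int (as C does)."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def seq_geq(a, b):
    """TCP sequence-space a >= b: true when the modular difference is non-negative."""
    return to_signed(a - b) >= 0


def parse_bad_state(line):
    """Pull the two tracked endpoints and the offending packet out of a BAD state line."""
    ends = END_RE.findall(line)
    pkt = PKT_RE.search(line)
    if len(ends) != 2 or pkt is None:
        raise ValueError("not a pf BAD state line: %r" % line)
    endpoints = [
        {"lo": int(lo), "hi": int(hi), "win": int(win), "wscale": int(ws)}
        for lo, hi, win, _mod, ws in ends
    ]
    return {
        "endpoints": endpoints,
        "flags": pkt.group(3),
        "seq": int(pkt.group(4)),
        "ack": int(pkt.group(5)),
        "len": int(pkt.group(6)),
        "rev": pkt.group(11) == "rev",
    }


def state_failures(info):
    """Replay pf's six window checks; return the list of failed check numbers."""
    src, dst = info["endpoints"]
    if info["rev"]:          # packet travels against the state's direction
        src, dst = dst, src  # so the roles of the two endpoints swap
    flags = info["flags"]
    seq, ack = info["seq"], info["ack"]
    # SYN and FIN each occupy one sequence number beyond the payload.
    end = (seq + info["len"] + ("S" in flags) + ("F" in flags)) & MASK32
    if "A" not in flags:     # no ACK field to check: pretend it matches
        ack = dst["lo"]
    ackskew = to_signed(dst["lo"] - ack)
    sws, dws = src["wscale"], dst["wscale"]
    checks = [
        seq_geq(src["hi"], end),                                   # 1: not past high edge
        seq_geq(seq, src["lo"] - (dst["win"] << dws)),             # 2: not below low edge minus peer window
        ackskew >= -MAXACKWINDOW,                                  # 3: ack not too far ahead
        ackskew <= (MAXACKWINDOW << sws),                          # 4: ack not too far behind
        seq_geq(src["hi"] + MAXACKWINDOW, end),                    # 5: 1 with extra slack
        seq_geq(seq, src["lo"] - MAXACKWINDOW),                    # 6: 2 with extra slack
    ]
    return [str(i + 1) for i, ok in enumerate(checks) if not ok]


def distance_below_window(info):
    """How far (in sequence bytes) the packet's seq sits below the tracked low edge."""
    src, dst = info["endpoints"]
    if info["rev"]:
        src, dst = dst, src
    return to_signed(src["lo"] - info["seq"])


if __name__ == "__main__":
    for line in (BAD_STATE_LINE, IN_WINDOW_LINE):
        info = parse_bad_state(line)
        print("State failure on:", " ".join(state_failures(info)) or "(none)",
              "| seq is", distance_below_window(info), "below lo")
```

Running it against the quoted line reproduces "2 | 6": the SYN/ACK from 127.0.0.1:20 carries a sequence number about 619 million below the low edge pf is tracking for that side, which is why pf rejects it even though its ack field (427260297) matches the other endpoint's lo exactly. A packet whose sequence number starts at lo passes all six checks.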