Date:      Sun, 10 Sep 2006 21:03:38 +0200
From:      phoemix@harmless.hu (Gergely CZUCZY)
To:        freebsd-pf@freebsd.org
Subject:   ftp-proxy in reverse mode
Message-ID:  <20060910190338.GA6666@marvin.harmless.hu>

hello

i've got a bit of trouble with ftp-proxy in reverse mode. it
doesn't connect to the service.

the setup is:
external interface: em0 with address 10.1.0.6

The FTP server is running in a jail.
jail interface: lo1, ftp-jail address: 192.168.0.3

I don't have any blocking rules for the incoming connection
from em0->lo1(192.168.0.3) in my firewall.

The ftp-proxy is being run this way from inetd.conf:
ftp             stream  tcp     nowait  root    /usr/libexec/ftp-proxy -R 192.168.0.3:21 -D 3 -u root -v

i've tried without the :21, without -u root, with -u proxy, and also had tried with
the arguments "-R -R 192.168.0.3 ftp-proxy"
however, i was unable to find out what /ftp-proxy$/ means at the
end of the inetd.conf line, and the manuals didn't help either.

tcpdump on lo1 (the jail if) doesn't report any incoming packets.
tcpdump on em0 (the external if) reports the following:
--- chop with axe here ---
20:32:16.033946 IP 10.1.0.1.54394 > 10.1.0.6.21: S 2387744030:2387744030(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 44584936 0,sackOK,eol>
20:32:16.034024 IP 10.1.0.6.21 > 10.1.0.1.54394: S 2368841291:2368841291(0) ack 2387744031 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7498506 44584936,sackOK,eol>
20:32:16.034189 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 1 win 33304 <nop,nop,timestamp 44584937 7498506>
20:32:16.036771 IP 10.1.0.6.21 > 10.1.0.1.54394: F 1:1(0) ack 1 win 33304 <nop,nop,timestamp 7498509 44584937>
20:32:16.036944 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037063 IP 10.1.0.1.54394 > 10.1.0.6.21: F 1:1(0) ack 2 win 33304 <nop,nop,timestamp 44584939 7498509>
20:32:16.037091 IP 10.1.0.6.21 > 10.1.0.1.54394: . ack 2 win 33303 <nop,nop,timestamp 7498509 44584939>
--- chop with axe here ---


as you see on the inetd.conf line, i asked ftp-proxy to be verbose, but
i don't see any messages in debug.log

i've tried to ktrace the inetd process and after it, connect to
the service:
--- chop with axe here ---
# ktrace -d -f inetd.tr -p 17261
# kdump -f inetd.tr  | less
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  accept(0x6,0,0)
 17261 inetd    RET   accept 8
 17261 inetd    CALL  ioctl(0x6,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  ioctl(0x8,FIONBIO,0xbfbfd5dc)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  sigprocmask(0x1,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    CALL  gettimeofday(0x8064124,0)
 17261 inetd    RET   gettimeofday 0
 17261 inetd    CALL  fork
 17261 inetd    RET   fork 17294/0x438e
 17261 inetd    CALL  sigprocmask(0x3,0xbfbfd560,0xbfbfd550)
 17261 inetd    RET   sigprocmask 0
 17261 inetd    PSIG  SIGCHLD caught handler=0x804a288 mask=0x0 code=0x0
 17261 inetd    CALL  write(0x7,0xbfbfd207,0x1)
 17261 inetd    GIO   fd 7 wrote 1 byte
       "C"
 17261 inetd    RET   write 1
 17261 inetd    CALL  sigreturn(0xbfbfd230)
 17261 inetd    RET   sigreturn JUSTRETURN
 17261 inetd    CALL  close(0x8)
 17261 inetd    RET   close 0
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
 17261 inetd    RET   select 1
 17261 inetd    CALL  ioctl(0x4,FIONREAD,0xbfbfd5e4)
 17261 inetd    RET   ioctl 0
 17261 inetd    CALL  read(0x4,0xbfbfd5e3,0x1)
 17261 inetd    GIO   fd 4 read 1 byte
       "C"
 17261 inetd    RET   read 1
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 17294/0x438e
 17261 inetd    CALL  wait4(0xffffffff,0xbfbfd568,0x1,0)
 17261 inetd    RET   wait4 -1 errno 10 No child processes
 17261 inetd    CALL  select(0x8,0xbfbfe2d0,0,0,0)
--- chop with axe here ---
i had asked ktrace to follow the child processes, but as i see,
it is missing from here.

So, ftp proxy doesn't forward any connections to the running
ftp service. what am i doing wrong here?

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
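
An added example, not part of the original message: a small triage script that reads the tcpdump text from the post and reports which endpoint closed first, how long the connection stayed open after the handshake, and how many payload bytes each side sent. The capture is copied from the post with wrapped lines rejoined and TCP options trimmed; the function name `summarize` is an assumption of this example.

```python
import re

# Capture from the message above: wrapped lines rejoined, TCP options trimmed.
CAPTURE = """\
20:32:16.033946 IP 10.1.0.1.54394 > 10.1.0.6.21: S 2387744030:2387744030(0) win 65535
20:32:16.034024 IP 10.1.0.6.21 > 10.1.0.1.54394: S 2368841291:2368841291(0) ack 2387744031 win 65535
20:32:16.034189 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 1 win 33304
20:32:16.036771 IP 10.1.0.6.21 > 10.1.0.1.54394: F 1:1(0) ack 1 win 33304
20:32:16.036944 IP 10.1.0.1.54394 > 10.1.0.6.21: . ack 2 win 33304
20:32:16.037063 IP 10.1.0.1.54394 > 10.1.0.6.21: F 1:1(0) ack 2 win 33304
20:32:16.037091 IP 10.1.0.6.21 > 10.1.0.1.54394: . ack 2 win 33303
"""

# time, "IP src > dst:", flag letters, then an optional "first:last(len)" range
PKT = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d{6}) IP (\S+) > (\S+): ([SFPR.]+)"
    r"(?: \d+:\d+\((\d+)\))?"
)

def summarize(capture):
    """Summarize one TCP connection from old-style tcpdump text output."""
    payload = {}                      # data bytes sent, keyed by "addr.port"
    established_us = closed_us = closed_by = None
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue                  # not a packet line
        hh, mm, ss, frac, src, _dst, flags, length = m.groups()
        ts_us = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000 + int(frac)
        payload[src] = payload.get(src, 0) + int(length or 0)
        # The first segment without SYN is the ACK that completes the handshake.
        if "S" not in flags and established_us is None:
            established_us = ts_us
        # The first FIN or RST tells us which side ended the session.
        if closed_by is None and ("F" in flags or "R" in flags):
            closed_by, closed_us = src, ts_us
    open_for = None
    if established_us is not None and closed_us is not None:
        open_for = closed_us - established_us
    return {"closed_by": closed_by, "open_for_us": open_for,
            "payload_bytes": payload}

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

For this capture the listening side, 10.1.0.6.21, sends the first FIN about 2.6 ms after the handshake completes, and neither side sends any payload.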
