Date:      Fri, 3 Oct 2008 11:56:07 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        jail@freebsd.org, questions@freebsd.org, Redd Vinylene <reddvinylene@gmail.com>, pf@freebsd.org
Subject:   Re: Jail, pf and ftpd: Connection refused
Message-ID:  <200810031156.07623.max@love2party.net>
In-Reply-To: <f1019d520810030211u29325345r2e389718ba987892@mail.gmail.com>
References:  <f1019d520810030211u29325345r2e389718ba987892@mail.gmail.com>

On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me
> "getpeername(control_sock): Transport endpoint is not connected,
> Socket error (Connection refused) - reconnecting" when trying to log
> onto box3 via passive FTP? Active FTP gives me "425 Can't build data
> connection: Connection refused." (box2 and box3 are jails running off
> box1)

See ftp-proxy(8).

Note that active works with the ruleset you provided (due to the "pass out 
keep state"-rule), but there is obviously a firewall problem on the client 
preventing that.

> -
>
> root@box1# cat /etc/pf.conf
>
> box1 = "80.203.2.2"
>
> box2 = "80.203.2.3"
>
> box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
>
> ext_if = "rl0"
>
> set block-policy return
>
> set skip on { lo0 }
>
> scrub in
>
> pass out keep state
>
> block in
>
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
>
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80,
> 110 } keep state
>
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
>
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113
> } keep state
>
> pass in on $ext_if inet proto icmp from any to any keep state
>
> -
>
> root@box3# cat /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News