Date:      Fri, 06 Apr 2007 14:01:36 +0200
From:      Kyrre Nygård <kyrreny@broadpark.no>
To:        questions@freebsd.org
Subject:   pf + ftpd: Socket error (Connection refused)
Message-ID:  <0JG200M3CS2ORAC0@osl1sminn1.broadpark.no>


Hello!

My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is running its native 
ftpd along with pf and its ftp-proxy. But after a recent make world, 
outsiders could no longer connect to this ftpd:

    <--- 227 Entering Passive Mode (80,204,208,30,208,212)
    ---- Connecting data socket to (80.204.208.30) port 53460
    **** Socket error (Connection refused)

Nor with active mode:

    <--- 200 PORT command successful.
    ---> LIST

My server's external interface is 80.204.208.30 (ADSL), and my 
internal interface is 192.168.187.1, which connects to my workstation 
192.168.187.2.

All works well, except ftpd. My pf.conf was inspired by 
http://www.openbsd.org/faq/pf/example1.html

    ##### /etc/pf.conf

    ext_if="rl0"
    int_if="ep0"

    set block-policy return

    set skip on { lo }

    scrub in

    nat on $ext_if from $int_if:network to any -> ($ext_if)

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"

    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555

    block in

    pass quick on $int_if

    pass out keep state

    anchor "ftp-proxy/*"

    antispoof quick for { lo $int_if }

    pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
    pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

    pass in inet proto icmp from any to any keep state

    pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state

Any suggestions to improve or simplify my ruleset are warmly 
welcomed. For instance, why does it need 3 instances of what seems 
like the same thing? nat-anchor "ftp-proxy/*", rdr-anchor 
"ftp-proxy/*" and then anchor "ftp-proxy/*"?

    ##### /etc/inetd.conf

    ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
    ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

Thanks a lot for your time.

--Kyrre
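Added after the post, not part of it or of FreeBSD's own tooling: a small Python check that decodes the `227 Entering Passive Mode` reply quoted in the post and applies the posted `rdr on $ext_if ... port 53333:55555 -> 192.168.187.2` rule to it, to show which host actually receives the passive data connection. The rule values and the server address come from the post; the helper names are mine, and it assumes the client connects from outside, so the connection arrives on $ext_if.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Log line quoted in the post (the data-socket connect that got "Connection refused")
PASV_REPLY = "<--- 227 Entering Passive Mode (80,204,208,30,208,212)"


@dataclass(frozen=True)
class Rdr:
    """One pf rdr rule, reduced to the fields this check needs."""
    on_if: str
    lo: int
    hi: int
    target: str


# Values of the rdr line from the posted pf.conf (hypothetical helper, not pf syntax parsing)
EXT_RDR = Rdr(on_if="rl0", lo=53333, hi=55555, target="192.168.187.2")
# The external address the server's own ftpd advertises in its PASV reply
FTPD_HOST = "80.204.208.30"


def parse_pasv(line):
    """Decode a 227 reply: the six numbers are a1,a2,a3,a4,p1,p2 -> (ip, p1*256+p2)."""
    m = re.search(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    a1, a2, a3, a4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range in %r" % line)
    return str(ip_address("%d.%d.%d.%d" % (a1, a2, a3, a4))), p1 * 256 + p2


def lands_on(ip, port, rdr, ftpd_host):
    """Host that really receives a connection to ip:port arriving on $ext_if."""
    if ip == ftpd_host and rdr.lo <= port <= rdr.hi:
        return rdr.target  # rdr rewrites the destination before ftpd ever sees it
    return ip


def check(line, rdr=EXT_RDR, ftpd_host=FTPD_HOST):
    """Compare the advertised data endpoint with where pf actually delivers it."""
    ip, port = parse_pasv(line)
    target = lands_on(ip, port, rdr, ftpd_host)
    return {"advertised": (ip, port), "lands_on": target, "redirected": target != ip}


if __name__ == "__main__":
    print(check(PASV_REPLY))
```

With the posted values, port 53460 lies inside 53333:55555, so the data connection is redirected to the workstation instead of reaching the server's own ftpd, which matches the "Connection refused" in the log.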