Date: Fri, 8 Jan 2010 14:50:56 -0600
From: "M. Keith Thompson" <m.keith.thompson@gmail.com>
To: J65nko <j65nko@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp problem
Message-ID: <fc2243911001081250n4471d9d8kf5bcf691d2cbd50d@mail.gmail.com>
In-Reply-To: <fc2243911001080551n251851b5kb56a6c5f216c4a14@mail.gmail.com>
References: <fc2243911001060809m5417b810vf2ed40c8a969fb5f@mail.gmail.com> <7731938b1001060923n5de4b511of07b8c63cff4e011@mail.gmail.com> <fc2243911001060957n16f906f7m703c696b970e8c3c@mail.gmail.com> <2cf1d0681001071216p6b516e9egcf7401f2b38e3c3d@mail.gmail.com> <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com> <fc2243911001071319q4bbbc4a6o6b58031bba59c39b@mail.gmail.com> <19861fba1001072018g115a0bccrf9510a38454cc9db@mail.gmail.com> <fc2243911001080551n251851b5kb56a6c5f216c4a14@mail.gmail.com>
It looks like it was a tcp windowing problem. The command: "sysctl -w sysctl net.inet.tcp.rfc1323=0" fixed the problem. Thanks for all of the suggestions and help.

On Fri, Jan 8, 2010 at 7:51 AM, M. Keith Thompson <m.keith.thompson@gmail.com> wrote:
> On Thu, Jan 7, 2010 at 10:18 PM, J65nko <j65nko@gmail.com> wrote:
>> On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson <m.keith.thompson@gmail.com> wrote:
>>> On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko@gmail.com> wrote:
>>>>> # SSH from NetEng subnet
>>>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>>>>
>>>>> # Allow inside network to ping the server
>>>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>>>
>>>>> # Allow DNS lookups
>>>>> pass out quick on $ext_if proto udp to any port 53
>>>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>>>
>>>>> # Allow ftp
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>>>>
>>>>> --- end of pf.conf ----------------------
>>
>> With ftp the client initiates the ftp command channel
>>     client:port >1023    ---> server:port 21
>>
>> The passive ftp data channel is initiated by the client
>>     client:port >1023    ---> server:port >1023
>>
>> Your second rule takes care of this
>>
>> The active ftp data channel is initiated by the ftp server
>> using, and that is kind of weird, port 20 (ftp-data) as source port.
>>     server:port 20       ---> client:port >1023
>>
>> You meant to pass active ftp with this rule:
>>
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> But it should be:
>>     pass out quick on $ext_if inet proto tcp from any port ftp-data to $ext_IP port > 10000 keep state
>
> I will make that change
>
>> BTW you have a nice pf debug friendly "block log all" default policy.
>> Does "tcpdump -eni pflog0" on the pf box show any blocked packets?
>
> tcpdump of the pflog0 does not show any packets from or to the IP in question.
>
>> RE: ftp-proxy
>> This just adds complexity, after everything is working you could add it in.
>>
>> RE: active ftp user requirement
>> Yes, I understand, it is the users who help us pay our mortgage ;)
>>
>
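The three FTP connection directions J65nko lays out above, written as a pf.conf fragment. This is an added example, not a rule set from anyone in the thread; it assumes pf runs on the FTP server itself (so $ext_IP is the server's own address), and the interface name and address are placeholders.

```pf
# Added example: FTP rules for a pf firewall running on the FTP server.
# Assumed macros (placeholder values, not from the thread):
ext_if = "em0"
ext_IP = "192.0.2.10"

# Default policy as in the thread: dropped packets are logged to pflog0,
# so "tcpdump -eni pflog0" shows exactly what is being blocked.
block log all

# Control channel, opened by the client:
#   client:port >1023 ---> server:port 21
pass in quick on $ext_if inet proto tcp from any to $ext_IP port 21 keep state

# Passive data channel, also opened by the client, to the high port the
# server announces in its PASV reply (range chosen in the original ruleset):
#   client:port >1023 ---> server:port >49151
pass in quick on $ext_if inet proto tcp from any to $ext_IP port > 49151 keep state

# Active data channel, opened by the *server* with source port 20 (ftp-data)
# to the port the client named in its PORT command:
#   server:port 20 ---> client:port >1023
# The connection leaves this box, so it needs a "pass out" rule; a
# "pass in ... to $ext_IP port 20" rule never sees this traffic.
pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data to any port > 1023 keep state
```

With "block log all" in place, any remaining FTP failure that is a filtering problem shows up as a dropped packet on pflog0; if nothing is logged there, as in this thread, the cause lies elsewhere (here, TCP window scaling).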