From owner-freebsd-pf@FreeBSD.ORG Fri Jan 8 20:51:03 2010
From: "M. Keith Thompson" <m.keith.thompson@gmail.com>
To: J65nko
Cc: freebsd-pf@freebsd.org
Date: Fri, 8 Jan 2010 14:50:56 -0600
Subject: Re: ftp problem
List-Id: "Technical discussion and general questions about packet filter (pf)"

It looks like it was a tcp windowing problem. The command:
"sysctl -w net.inet.tcp.rfc1323=0"
fixed the problem. Thanks for all of the suggestions and help.

On Fri, Jan 8, 2010 at 7:51 AM, M. Keith Thompson wrote:
> On Thu, Jan 7, 2010 at 10:18 PM, J65nko wrote:
>> On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson wrote:
>>> On Thu, Jan 7, 2010 at 2:37 PM, J65nko wrote:
>>>>> # SSH from NetEng subnet
>>>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>>>>
>>>>> # Allow inside network to ping the server
>>>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>>>
>>>>> # Allow DNS lookups
>>>>> pass out quick on $ext_if proto udp to any port 53
>>>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>>>
>>>>> # Allow ftp
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>>>>
>>>>> --- end of pf.conf  ----------------------
>>
>> With ftp the client initiates the ftp command channel
>>     client:port >1023   ---> server:port 21
>>
>> The passive ftp data channel is initiated by the client
>>     client:port >1023   ---> server:port >1023
>>
>> Your second rule takes care of this
>>
>> The active ftp data channel is initiated by the ftp server
>> using, and that is kind of weird, port 20 (ftp-data), as source port.
>>     server:port 20      ---> client:port >1023
>>
>> You meant to pass active ftp with this rule:
>>
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> But it should be:
>>     pass out quick on $ext_if inet proto tcp from any port ftp-data to $ext_IP port > 10000 keep state
>
> I will make that change
>
>> BTW you have a nice pf debug friendly "block log all" default policy.
>> Does "tcpdump -eni pflog0" on the pf box show any blocked packets?
>
> tcpdump of the pflog0 does not show any packets from or to the IP in question.
>
>> RE: ftp-proxy
>> This just adds complexity, after everything is working you could add it in.
>>
>> RE: active ftp user requirement
>> Yes, I understand, it is the users who help us pay our mortgage ;)
>>
>
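The three FTP rules the thread arrives at, written out as one pf.conf fragment. This is an added example for readers of the archive, not the poster's pf.conf and not J65nko's text. It reuses the thread's $ext_if and $ext_IP macros with placeholder values (interface name and address are assumptions), and writes the active-mode data rule from the server's side, where the outbound packet carries the server's address and port 20 (ftp-data) as its source. The `flags S/SA` qualifier is my addition: it makes pf create state only on the initial SYN, so the state entry records the window-scale option negotiated in the handshake instead of guessing at it mid-stream.

```pf
# Added example, not from the thread. Macro values are placeholders.
ext_if = "em0"            # assumed external interface
ext_IP = "192.0.2.10"     # assumed server address (documentation range)

# FTP control channel: client high port -> server port 21
pass in quick on $ext_if inet proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state

# Passive-mode data channel: client high port -> server high port
# (the server announces the port in its PASV reply; 49152+ here matches the thread)
pass in quick on $ext_if inet proto tcp from any to $ext_IP port > 49151 \
    flags S/SA keep state

# Active-mode data channel: server port 20 (ftp-data) -> client high port,
# so on the server it is an outbound connection that pf must pass on the way out
pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data to any port > 1023 \
    flags S/SA keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Note that `net.inet.tcp.rfc1323=0`, the fix reported in the reply, turns off TCP window scaling and timestamps for every connection the host makes, not just FTP; if the real cause was a data-channel state created without pf having seen the SYN, the `flags S/SA` rules above address that without the host-wide setting.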