Date:      Tue, 9 Oct 2012 17:16:52 -0700 (PDT)
From:      Duckbreath <>
To:        "" <>
Subject:   P w/ ftp-proxy, using both active/passive FTP
Message-ID:  <>

My goal is to get my FTP server working for both passive and active type FTP connections with the following conditions:
1) Running PF firewall on a FreeBSD machine, which is also the FTP machine.
2) Without opening up all ports > 1024 (or any upper swath of ports), except where this occurs dynamically.

I have chosen to take an ftp-proxy based solution.  I'm also limited to 1 box here, so ftp-proxy is running on the same machine as the target FTP server, although I understand it is typically used in a gateway/forwarding situation.

After a lot of playing around with my firewall rules, I've ended up in a mutually exclusive situation.

With this line:
rdr pass on $std_int proto tcp from any to $std_int port 21 -> port 8021

PASSIVE FTP WORKS!! Yay!!!!  Woooo *cheering in background*.
But.... Active fails.

If I comment it out, in this fashion:
#rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

ACTIVE FTP WORKS!! Yay!!!! Wooooo *cheering in background*.
But..... Passive fails.

I would also like to mention that just commenting it out and restarting the firewall is all I did.  The ftp-proxy server process is still running.  Also, both tests were from the same host, using the same ftp program, with only the active/passive settings on the ftp client used appropriately for each respective test; all other settings identical.

So I took a look at the handbook, which claimed I need to understand active/passive better (although I thought I already did... funny how that works?) - and the handbook linked the site
/other/ftp.html

Here I got this awesome description from slacksite:
"In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20."

So my first assumption was, "Either I can't connect to the client's local port, or my firewall isn't letting anything out on port 20."  I look at the rules... hmm, don't think so.  I just open up everything and try anyway, try ftp-proxy with & without the "-r" option, and no dice.  Same situation for both tests.  Nothing changes.

Examples of what I put in:
pass in quick on $std_int proto tcp from any to any
pass out quick on $std_int proto tcp from any to any
below the rdr directive (which is required by pf.conf ordering).

Then I have a face palm.... exactly what did any of that have to do with it working when the rule was commented out?  Absolutely nothing, that's what!  I feel like such an idiot!!

Ok.. so what does that rule mean?  Let's revisit the rule:
rdr pass on $std_int proto tcp from any to $std_int port 21 -> port 8021

So all traffic on port 21, either in or out, goes to localhost 8021.  Hmmmm.  The rule failed when I tried to specify 'in' or 'out' on the rdr directive.  I don't think pf works rdr that way.

My only logical conclusion is that FTP has become stubborn and is using active mode on port 21, and not 20, for whatever reason.  The connection starts to succeed, but then the ACK packet from the client of course gets redirected to 8021, and the active connection being attempted from 21 misses it, resulting in a "half-open" connection, thus causing the FTP data channel to fail.  It is the only possible explanation I can come up with, yet it is not in accordance with what I know about FTP behavior (i.e., according to slacksite's description).

Somewhere between convention and the IETF, I think I got lost.

Does anyone know how to get passive + active both working with the stated goals of using PF w/ ftp-proxy?

If this question is outside the scope of this list but better suited to freebsd-pf, apologies in advance.  Since the question is not about the development of the firewall itself, I thought it appropriate to ask here.
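A worked illustration of the active/passive distinction in the slacksite quote above, and of the job ftp-proxy does in the poster's setup: it watches the control channel and opens exactly one data-channel port per transfer instead of a static swath above 1024. This is added example code, not from the original post, from ftp-proxy(8) or from pf. It assumes the poster's single-box layout (pf host and FTP server are the same machine), a constructed control-channel transcript using documentation addresses (client 198.51.100.7, server 192.0.2.10) and an assumed interface name em0. The pf rule text it emits is a simplified stand-in for the per-session rules ftp-proxy loads, not ftp-proxy's real output.

```python
"""Model of the per-transfer work an FTP control-channel proxy does.

Added example, not code from the original post, ftp-proxy(8) or pf.
Assumes pf and the FTP server share one host, as in the thread.
Addresses, ports and the transcript are constructed for illustration.
"""
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "active" or "passive"
    src_ip: str     # the side that opens the data connection
    src_port: int   # 20 for active (server side); 0 = any ephemeral port for passive
    dst_ip: str
    dst_port: int


def _decode_hostport(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("value out of range in %r" % text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_port_command(line, client_ip, server_ip):
    """Active mode: the client announced where it listens; the server will
    connect there from port 20.  A proxy must refuse an address that is not
    the client's own, or a privileged port: that is the FTP bounce attack."""
    cmd, _, rest = line.strip().partition(" ")
    if cmd.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    ip, port = _decode_hostport(rest)
    if ip != client_ip:
        raise ValueError("PORT address %s does not match client %s" % (ip, client_ip))
    if port < 1024:
        raise ValueError("PORT to privileged port %d refused" % port)
    return DataChannel("active", server_ip, 20, ip, port)


def parse_pasv_reply(line, client_ip, server_ip):
    """Passive mode: the server announced where it listens; the client will
    connect there from an ephemeral port.  Only that one port needs opening."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    ip, port = _decode_hostport(line)
    if ip != server_ip:
        raise ValueError("PASV address %s does not match server %s" % (ip, server_ip))
    return DataChannel("passive", client_ip, 0, server_ip, port)


def pf_rule(ch, iface):
    """Render the one pass rule this data connection needs.  With pf and the
    server on the same host, active data leaves the host and passive data
    enters it, so the direction flips with the mode."""
    if ch.mode == "active":
        return ("pass out quick on %s proto tcp from %s port %d to %s port %d"
                % (iface, ch.src_ip, ch.src_port, ch.dst_ip, ch.dst_port))
    return ("pass in quick on %s proto tcp from %s to %s port %d"
            % (iface, ch.src_ip, ch.dst_ip, ch.dst_port))


def session_rules(transcript, client_ip, server_ip, iface="em0"):
    """Walk a control-channel transcript ('C: ' client, 'S: ' server lines)
    the way a proxy would.  Returns (rules_to_load, rejection_reasons)."""
    rules, rejected = [], []
    for entry in transcript:
        who, _, line = entry.partition(": ")
        try:
            if who == "C" and line.upper().startswith("PORT "):
                rules.append(pf_rule(parse_port_command(line, client_ip, server_ip), iface))
            elif who == "S" and line.startswith("227 "):
                rules.append(pf_rule(parse_pasv_reply(line, client_ip, server_ip), iface))
        except ValueError as exc:
            rejected.append(str(exc))
    return rules, rejected


# Constructed transcript: one active transfer, one passive transfer, then a
# PORT pointing at a third host's port 25 (an FTP bounce attempt).
SAMPLE_SESSION = [
    "S: 220 ftpd ready",
    "C: USER anonymous",
    "S: 331 Password please",
    "C: PASS guest@",
    "S: 230 Logged in",
    "C: PORT 198,51,100,7,192,1",        # client listens on 192*256+1 = 49153
    "S: 200 PORT command successful",
    "C: LIST",
    "S: 226 Transfer complete",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,234,22)",   # 234*256+22 = 59926
    "C: RETR notes.txt",
    "S: 226 Transfer complete",
    "C: PORT 203,0,113,9,0,25",           # not the client's address: refused
]

if __name__ == "__main__":
    rules, rejected = session_rules(SAMPLE_SESSION, "198.51.100.7", "192.0.2.10")
    for r in rules:
        print(r)
    for why in rejected:
        print("refused:", why)
```

Active mode makes the server the initiator (port 20 outbound to the address the client put in PORT) and passive mode makes the client the initiator (inbound to the port the server put in its 227 reply), so the two modes need rules in opposite directions, and a rule that only touches port 21 says nothing about either data channel. The proxy also refuses a PORT whose address is not the client's own or whose port is privileged, which is the FTP bounce case. The real ftp-proxy(8) loads its per-session rules into pf anchors rather than printing them, so pf.conf has to provide `nat-anchor "ftp-proxy/*"`, `rdr-anchor "ftp-proxy/*"` and `anchor "ftp-proxy/*"` (the nat/rdr-style syntax of the pf shipped with FreeBSD 9) for them to take effect.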
From owner-freebsd-questions@FreeBSD.ORG  Wed Oct 10 01:51:38 2012
Date: Wed, 10 Oct 2012 09:51:33 +0800 (CST)
From: idyk6917 <>
Subject: efgssdfg
Content-Type: text/plain; charset=gbk
Content-Transfer-Encoding: base64
X-Content-Filtered-By: Mailman/MimeDel 2.1.14

From owner-freebsd-questions@FreeBSD.ORG  Wed Oct 10 02:01:32 2012
Date: Tue, 9 Oct 2012 18:55:28 -0700
From: Joseph Olatt <>
Subject: freebsd-texlive port
Message-ID: <>


According to:

I got the impression that texlive is now available in the ports. My
understanding was that we no longer need to use portshaker(8). I've
updated svn of ports to r305607 and I still don't see texlive* in
/usr/ports/print or anywhere in /usr/ports.

I'm running: FreeBSD 9.0 STABLE i386

Can any TeX Live / LaTeX users on the list shed some light?

