Date:      Tue, 9 Oct 2012 17:16:52 -0700 (PDT)
From:      Duckbreath <duckbreath@yahoo.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   P w/ ftp-proxy, using both active/passive FTP
Message-ID:  <1349828212.549.YahooMailNeo@web122903.mail.ne1.yahoo.com>

My goal is to get my FTP server working for both passive and active type FTP connections with the following conditions:
1) Running PF firewall on a FreeBSD machine, which is also the FTP machine.
2) Without opening up all ports > 1024 (or any upper-swath of ports), except where this occurs dynamically.

I have chosen to take an ftp-proxy based solution.  I'm also limited to 1 box here, so ftp-proxy is running on the same machine as the target FTP server, although I understand it is typically used in a gateway/forwarding situation.

After a lot of playing around with my firewall rules, I've ended up in a mutually exclusive situation.

With this line:
rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

PASSIVE FTP WORKS!! Yay!!!!  Woooo *cheering in background*.
But.... Active fails.

If I comment it out, in this fashion:
#rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

ACTIVE FTP WORKS!! Yay!!!! Wooooo *cheering in background*.
But..... Passive fails.

I would also like to mention that just commenting it out and restarting the firewall is all I did.  ftp-proxy server process is still running.  Also both tests were from the same host, using the same ftp program, with only active/passive settings on ftp client used appropriately for each respective test; all other settings identical.

So I took a look at the handbook, which claimed I need to understand active/passive better (although I thought I already did... funny how that works?) - and the handbook linked the site http://slacksite.com/other/ftp.html

Here I got this awesome description from slacksite:
"In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20."

So my first assumption was, "Either I can't connect to the client's local port, or my firewall isn't letting anything out on port 20."  I look at the rules... hmm, don't think so.  I just open up everything and try anyway, try ftp-proxy with & without "-r" option, and no dice.  Same situation for both tests.  Nothing changes.

Examples of what I put in:
pass in quick on $std_int proto tcp from any to any
pass out quick on $std_int proto tcp from any to any
below rdr directive (which is required by pf.conf ordering).

Then I have a Face Palm.... exactly how did any of that have to do with it working when the rule was commented out?  Absolutely nothing, that's what!  I feel like such an idiot!!

Ok.. so what does that rule mean?  Let's revisit the rule:
rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

So all traffic on port 21, either in or out, goes to localhost 8021.  Hmmmm.  The rule failed when I tried to specify 'in' or 'out' on the rdr directive.  I don't think pf works rdr that way.

My only logical conclusion is FTP has become stubborn and is using Active mode on port 21, and not 20, for whatever reason.  The connection starts to succeed, but then the ACK packet from the client of course gets redirected to 8021, and the active connection being attempted from 21 misses it, resulting in a "half-open" connection, thus causing the FTP data channel to fail.  It is the only possible explanation I can come up with, yet that is not in accordance with what I know about FTP behavior (i.e., according to slacksite's description).

Somewhere between convention and the IETF, I think I got lost.

Does anyone know how to get passive + active both working with the stated goals of using PF w/ ftp-proxy?

If this question is outside the scope of this list but better suited to be asked freebsd-pf, apologies in advance.  Since the question is not about the development of the firewall itself, I thought it appropriate to ask here.
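Added example (not part of the original post, and not ftp-proxy's own code): the sketch below parses the control-channel lines that negotiate the data connection in the active mode quoted above (PORT) and in passive mode (the 227 reply), and reports which single connection a filter would have to admit dynamically instead of opening a range of high ports. The function names, the sample addresses, and the policy of rejecting foreign addresses and ports below 1024 are assumptions made for illustration.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (PORT argument / 227 reply)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 argument, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_flow(line, client_ip, server_ip):
    """Describe the data connection negotiated by one control-channel line.

    Returns the direction and endpoints a filter must allow, or None when
    the line negotiates nothing or fails the sanity checks.
    """
    verb = line.split(" ", 1)[0].upper()
    hp = parse_hostport(line) if verb in ("PORT", "227") else None
    if hp is None or hp[1] < 1024:          # assumed policy: no privileged ports
        return None
    if verb == "PORT" and hp[0] == client_ip:
        # Active: the server dials the client from its data port, 20.
        return {"mode": "active", "src": server_ip, "sport": 20,
                "dst": hp[0], "dport": hp[1]}
    if verb == "227" and hp[0] == server_ip:
        # Passive: the client dials the port the server announced.
        return {"mode": "passive", "src": client_ip,
                "dst": hp[0], "dport": hp[1]}
    return None                             # address is not the peer's own


# Constructed control-channel lines (documentation addresses, not from the post).
CLIENT, SERVER = "198.51.100.7", "203.0.113.10"
SAMPLE = [
    "USER anonymous",
    "PORT 198,51,100,7,195,80",                         # 195*256 + 80 = 50000
    "227 Entering Passive Mode (203,0,113,10,234,96)",  # 234*256 + 96 = 60000
    "PORT 192,0,2,99,0,22",                             # foreign host, low port
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{entry!r:55} -> {data_flow(entry, CLIENT, SERVER)}")
```

The two modes differ in who initiates the data connection, which is why a ruleset that admits one direction can still drop the other.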
Date:      Tue, 9 Oct 2012 18:55:28 -0700
From:      Joseph Olatt <joji@eskimo.com>
To:        freebsd-questions@freebsd.org
Subject:   freebsd-texlive port
Message-ID:  <20121010015528.GA29059@shellx.eskimo.com>

Hi,

According to: 
  
  http://code.google.com/p/freebsd-texlive

I got the impression that the texlive is now available in the ports. My
understanding was that we no longer need to use portshaker(8). I've
updated svn of ports to r305607 and I still don't see texlive* in
/usr/ports/print or anywhere in /usr/ports.

I'm running: FreeBSD 9.0 STABLE i386

Can any TeX Live / LaTeX users on the list shed some light?

Thanks



