Date: Tue, 8 Nov 2005 12:30:55 -0500
From: "Dave" <dmehler26@woh.rr.com>
To: <freebsd-pf@freebsd.org>
Subject: continuing issue with ftp from gateway
Message-ID: <004f01c5e48a$2d0db520$0900a8c0@satellite>
Hello,

I'm still having issues with ftp. I've got a 6.0 machine acting as a firewall/gateway for my network of natted machines. Machines behind the gateway can ftp passively just fine, active no. The gateway can't do either. I've run some tcpdump and the block by default rule is stopping incoming responses from the server. Here's what it does:

#tcpdump -ne -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

My inetd is running ftp-proxy and inetd is listening on 127.0.0.1. Here's my inetd.conf entry:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

Here are my ftp entries in pf.conf. ext_if and int_if are my external and internal network interfaces, int_net is a macro that says $int_if:network, and $tcp_state is another one that says flags S/SA modulate state.

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state

Any help appreciated.
Thanks.
Dave.
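The post above works through its pflog capture by hand. The following Python script is an added example (not part of Dave's message or of the ftp-proxy/pf projects) that parses the one-line `tcpdump -ne -i pflog0` record format shown in the post, collapses the retransmitted SYNs into one row per blocked flow, and picks out the inbound blocked SYNs from TCP port 20 that land inside the ftp-proxy data port range given to inetd with `-m`/`-M`. It also models pf's two port-range operators, since the post mixes them: `lo:hi` is inclusive, while `lo >< hi` excludes both endpoints. The sample input is the post's own blocked lines plus one constructed `pass` record and a tcpdump warning line, to show that non-record lines are skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# One-line tcpdump rendering of a pflog record:
#   <time> rule <n>/<sub>(<reason>): <action> <dir> on <iface>: <src.port> > <dst.port>: <flags> ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+)"
)


@dataclass(frozen=True)
class PfLogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    # tcpdump prints IPv4 endpoints as "a.b.c.d.port"; the port is the last dotted component
    ip, port = endpoint.rsplit(".", 1)
    return ip, int(port)


def parse_pflog(text: str) -> List[PfLogEntry]:
    """Parse tcpdump pflog0 output; warnings and packet counters do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        src_ip, src_port = _split_endpoint(m["src"])
        dst_ip, dst_port = _split_endpoint(m["dst"])
        entries.append(PfLogEntry(m["ts"], int(m["rule"]), m["action"], m["dir"], m["iface"],
                                  src_ip, src_port, dst_ip, dst_port, m["flags"]))
    return entries


def blocked_flows(entries: List[PfLogEntry]) -> Counter:
    """Count blocked packets per (iface, dir, src, dst) so SYN retransmissions collapse into one row."""
    return Counter((e.iface, e.direction, e.src_ip, e.src_port, e.dst_ip, e.dst_port)
                   for e in entries if e.action == "block")


def pf_port_matches(port: int, lo: int, hi: int, op: str) -> bool:
    """Mimic pf's range operators: 'lo:hi' includes both endpoints, 'lo >< hi' excludes them."""
    if op == ":":
        return lo <= port <= hi
    if op == "><":
        return lo < port < hi
    raise ValueError(f"unsupported pf range operator {op!r}")


def blocked_ftp_data_syns(entries: List[PfLogEntry], lo: int, hi: int, op: str = ":") -> List[PfLogEntry]:
    """Inbound blocked SYNs from TCP/20 to a port inside the proxy data range: the active-mode
    data connections that a 'pass in ... from any port 20 to ... port lo op hi' rule is meant to accept."""
    return [e for e in entries
            if e.action == "block" and e.direction == "in" and e.src_port == 20
            and e.flags == "S" and pf_port_matches(e.dst_port, lo, hi, op)]


# Constructed sample: three records copied from the post, one made-up "pass" record, one warning line.
SAMPLE_PFLOG = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
10:48:30.000000 rule 12/0(match): pass out on rl0: 65.31.43.91.51234 > 130.94.149.162.21: S 1:1(0) win 65535 <mss 1400>
"""

if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for key, n in blocked_flows(entries).most_common():
        iface, direction, sip, sport, dip, dport = key
        print(f"{n:3d}x block {direction} on {iface}: {sip}:{sport} -> {dip}:{dport}")
    hits = blocked_ftp_data_syns(entries, 55000, 57000, "><")
    print(f"{len(hits)} blocked active-FTP data SYN(s) fall inside the ftp-proxy port range")
```

Run it against a saved capture with `parse_pflog(open("pflog.txt").read())`. The `op` argument matters at the edges: a data port of exactly 55000 or 57000 is handed out by `ftp-proxy -m 55000 -M 57000` but is not matched by a `port 55000 >< 57000` rule, which is one reason to compare the inetd range and the pf rule with the same operator.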