From owner-freebsd-bugs@FreeBSD.ORG Fri Feb 4 06:20:17 2005
Message-Id: <200502040524.j145O2A4098814@edge.oper.dinoex.org>
Date: Fri, 4 Feb 2005 06:24:02 +0100 (CET)
From: Peter Much
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: misc/77089: natd ignores -u with passive FTP

>Number:         77089
>Category:       misc
>Synopsis:       natd ignores -u with passive FTP
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 04 06:20:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Peter Much
>Release:        FreeBSD 5.3-RELEASE-p4 i386
>Organization:
none
>Environment:
System: FreeBSD edge.oper.dinoex.org 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #4: Sun Jan 30 21:53:17 CET 2005 root@edge.oper.dinoex.org:/usr/src/sys/i386/compile/E1R53V1 i386
ipfw, natd

>Description:
I run unregistered and registered IP addresses. All of them go through natd on their way to the internet. On the registered IP I run an ftp-server.
This ftp-server cannot be accessed with passive FTP from a client on the internet. I use option -u for natd. natd does not change the registered IP addresses of the packets from my ftp server, but it seems to change the port that server and client want to use for transfers.

>How-To-Repeat:
tun0 is my way out to the internet for unregistered IP addresses. This is my default route, and natd shall work there. The registered IP addresses also follow the default route to tun0, and then "ipfw fwd" rules bring them on the way to tun1. If these "fwd" rules happen to be BEFORE the natd rule, then passive FTP works. If they appear AFTER the natd rule, it does not work anymore.

-- how I invoke natd:

# ps ax | grep natd
  393  ??  Ss     0:38.06 /sbin/natd -u -s -m -dynamic -n tun0

-- and from ipfw:

# ipfw list 3000
03000 divert 8668 ip from any to any via tun0

-- now, when I branch off the passive ftp BEFORE rule 3000, it works ok:

# ipfw add 1 allow log ip from 213.6.30.248 to
# ipfw add 2999 fwd 10.1.0.120 log ip from to not 192.168.98.0/23

Feb 4 04:45:57 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:45:57 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :21 213.6.30.248:1076 out via tun0
Feb 4 04:45:57 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 :63536 in via tun1
Feb 4 04:45:57 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :63536 213.6.30.248:1079 out via tun0
Feb 4 04:45:57 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 :63536 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :21 213.6.30.248:1076 out via tun0
Feb 4 04:45:58 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :63536 213.6.30.248:1079 out via tun0
Feb 4 04:45:58 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :21 213.6.30.248:1076 out via tun0
Feb 4 04:45:58 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :63536 213.6.30.248:1079 out via tun0
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 :63536 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1079 :63536 in via tun1
Feb 4 04:45:58 edge kernel: ipfw: 2999 Forward to 10.1.0.120 TCP :63536 213.6.30.248:1079 out via tun0
Feb 4 04:45:58 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1

One can see here: the ftp-client 213.6.30.248 comes in through tun1 and reaches my server; they agree on using port 63536 to do the actual transfer. This is also said in the logfile written by ftpd:

Feb 4 04:45:57 oper ftpd[96264]: command: EPSV
Feb 4 04:45:57 oper ftpd[96264]: <--- 229
Feb 4 04:45:57 oper ftpd[96264]: Entering Extended Passive Mode (|||63536|)
Feb 4 04:45:57 oper ftpd[96264]: command: LIST
Feb 4 04:45:57 oper ftpd[96264]: <--- 150
Feb 4 04:45:57 oper ftpd[96264]: Opening ASCII mode data connection for '/bin/ls'.
Feb 4 04:45:57 oper ftpd[96264]: <--- 226
Feb 4 04:45:57 oper ftpd[96264]: Transfer complete.

-- but when I branch it off AFTER rule 3000, it does not work anymore:

# ipfw delete 2999
# ipfw add 3001 fwd 10.1.0.120 log ip from to not 192.168.98.0/23

Feb 4 04:46:40 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:46:40 edge kernel: ipfw: 3001 Forward to 10.1.0.120 TCP :21 213.6.30.248:1076 out via tun0
Feb 4 04:46:40 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:46:40 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:46:43 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:46:46 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:46:49 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:46:53 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:47:14 edge last message repeated 3 times

Now the client tries to connect to port 52711 to do the transfer, and does not get an answer there. And the ftpd log says that ftpd actually did want to use port 50334:

Feb 4 04:46:40 oper ftpd[96264]: command: EPSV
Feb 4 04:46:40 oper ftpd[96264]: <--- 229
Feb 4 04:46:40 oper ftpd[96264]: Entering Extended Passive Mode (|||50334|)

>Fix:
This can be worked around by a different arrangement of the rules in ipfw.
>Release-Note:
>Audit-Trail:
>Unformatted:
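The mismatch the reporter found by eye (ftpd announcing 50334 while the client arrives on 52711) can be checked mechanically by correlating the two logs. This is an added example, not part of the PR or of FreeBSD; it assumes the ftpd and ipfw log formats shown above, uses constructed sample lines, and goes beyond the report by also parsing the classic PASV (227) reply form, and the function names are its own.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines modelled on the excerpts in the PR (not copied logs).
FTPD_LOG = """\
Feb 4 04:46:40 oper ftpd[96264]: command: EPSV
Feb 4 04:46:40 oper ftpd[96264]: <--- 229
Feb 4 04:46:40 oper ftpd[96264]: Entering Extended Passive Mode (|||50334|)
"""
IPFW_LOG = """\
Feb 4 04:46:40 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1076 :21 in via tun1
Feb 4 04:46:40 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
Feb 4 04:46:43 edge kernel: ipfw: 1 Accept TCP 213.6.30.248:1080 :52711 in via tun1
"""

# 229 reply as logged by ftpd: "(|||port|)"; 227 reply: "(h1,h2,h3,h4,p1,p2)".
EPSV_RE = re.compile(r"Entering Extended Passive Mode \(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"Entering Passive Mode \((?:\d+,){4}(\d+),(\d+)\)")
# ipfw log line; the destination address may be blank, as in the PR excerpts.
IPFW_RE = re.compile(r"ipfw: \d+ Accept TCP (\S+):(\d+) (\S*):(\d+) in via (\S+)")


def ftpd_passive_ports(log: str) -> Set[int]:
    """Data ports the server announced in its EPSV (229) or PASV (227) replies."""
    ports: Set[int] = set()
    for line in log.splitlines():
        if m := EPSV_RE.search(line):
            ports.add(int(m.group(1)))
        elif m := PASV_RE.search(line):
            ports.add(int(m.group(1)) * 256 + int(m.group(2)))  # p1*256 + p2
    return ports


def ipfw_data_ports(log: str, control_port: int = 21) -> Dict[int, List[str]]:
    """Inbound destination ports other than the control port, with the client src."""
    hits: Dict[int, List[str]] = {}
    for line in log.splitlines():
        m = IPFW_RE.search(line)
        if m and int(m.group(4)) != control_port:
            hits.setdefault(int(m.group(4)), []).append(f"{m.group(1)}:{m.group(2)}")
    return hits


def unannounced_data_ports(ftpd_log: str, ipfw_log: str) -> Dict[int, List[str]]:
    """Ports clients tried that ftpd never announced: the sign of a rewritten 229 reply."""
    announced = ftpd_passive_ports(ftpd_log)
    return {p: src for p, src in ipfw_data_ports(ipfw_log).items() if p not in announced}


if __name__ == "__main__":
    for port, sources in unannounced_data_ports(FTPD_LOG, IPFW_LOG).items():
        print(f"port {port} not announced by ftpd; tried by {sorted(set(sources))}")
```

An empty result means every data port clients tried was one ftpd really announced, i.e. nothing between server and client rewrote the passive reply.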