Date:      Fri, 22 Oct 2010 10:34:02 +0300
From:      Subscriber <ml-lists@agoris.net.ua>
To:        freebsd-pf@freebsd.org
Subject:   Re: Ftp + pf + Two ISP ---> no luck
Message-ID:  <163294774.20101022103402@agoris.net.ua>
In-Reply-To: <4CC0AD05.90607@tomjudge.com>
References:  <1942060152.20101021171739@agoris.net.ua> <4CC0AD05.90607@tomjudge.com>

Hello Tom,

Friday, October 22, 2010, 12:13:41 AM, you wrote:

> On 10/21/2010 09:17 AM, Subscriber wrote:
>> Hi All.
>>
>> First of all sorry for my bad English.
>>
>> I have a problem with two ISPs and an ftp service on a FreeBSD box. For
>> a few days I have tried to resolve the problem, but no luck. Googling does
>> not help me too. My brain will soon blow up. So… pls help me.
>>
>> I want my ftp service to be accessible from ISP1 and ISP2. I can
>> log in to my ftp from outside, but when I try to download files, or
>> open folders with a big number of files, my server "freezes",
>> and the download never happens. Sometimes the ftp-server "unfreezes" for a
>> very short time; at this moment:
>>

> You need something like:

> pass in on $ext_if1 inet proto tcp from any to $isp1_ip port 21 reply-to
> ( $ext_if1 $isp1_gw )
> pass in on $ext_if2 inet proto tcp from any to $isp2_ip port 21 reply-to
> ( $ext_if2 $isp2_gw )

> And the same for the passive port range you configure in the ftp daemon.

I changed the rule as you said:

pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

Now I have:

pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to $ext_ip1 \
    port $ftp_serv

But it does not help. The situation has not changed. I can't upload or
download files :(

> TJ

>> load averages:  9.24,  2.69,  1.18
>> 36 processes:  7 running, 29 sleeping
>> CPU:  0.0% user,  0.0% nice,  0.0% system, 99.9% interrupt,  0.1% idle
>> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
>> Swap: 512M Total, 32K Used, 512M Free
>>
>> In the ftp-server logs (vsftpd) I see the following:
>>
>> ======= start cut of log ====================
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>> "ip_was_replaced", "PASV"
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>> "ip_was_replaced", "227 Entering Passive Mode
>> (xxx,xxx,xxx,136,195,80)."
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>> "ip_was_replaced", "RETR
>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>> "ip_was_replaced", "150 Opening BINARY mode data connection for
>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728
>> bytes)."
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>> "ip_was_replaced", "426 Failure writing network stream."
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client
>> "ip_was_replaced",
>> "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe",
>> 33580 bytes, 0.86Kbyte/sec
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client
>> "ip_was_replaced", "????ABOR"
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>> "ip_was_replaced", "225 No transfer to ABOR."
>>
>> and so on...
>> ======= end cut of log ====================
>>
>> About my system:
>> # uname -rsm
>> FreeBSD 8.1-RELEASE i386
>>
>> Ftp servers in passive mode:
>> vsftpd-2.3.2 (Listen on port 21)
>> proftpd-1.3.3a (Listen on port 2121)
>>
>> pf - as firewall, kernel compiled with:
>> device          pf
>> device          pflog
>> options         ALTQ
>> options         ALTQ_CBQ
>> options         ALTQ_RED
>> options         ALTQ_RIO
>> options         ALTQ_HFSC
>> options         ALTQ_CDNR
>> options         ALTQ_PRIQ
>> options         ALTQ_NOPCC
>>
>> my pf.conf:
>> ======= start of pf.conf ====================
>> # macros
>> # internal interface
>> int_if = "fxp0"
>>
>> ext_if = "{ fxp1, fxp2 }"
>>
>> # interface to isp1 and isp2
>> ext_if1 = "fxp1"
>> ext_if2 = "fxp2"
>>
>> #gateway for isp1 and isp2
>> ext_gw1 = "xxx.xxx.xxx.129"
>> ext_gw2 = "xxx.xxx.xxx.3"
>>
>> # ftp ports
>> ftp_serv = "{ 21, 2121, 50000:50100 }"
>>
>> icmp_types = "{ echoreq }"
>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>> 10.0.0.0/8 }"
>> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>>
>> # options
>> set block-policy drop
>> #set loginterface $ext_if
>>
>> # scrub
>> scrub in all
>> # nat
>> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
>> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>>
>> # filter rules
>> block all
>> block in quick on $ext_if inet proto udp from any port 137:139 \
>>         to any port 137:139
>> block log on $ext_if all
>>
>> pass quick on lo0 all
>>
>> block in quick on $ext_if from $priv_nets to any
>> block out quick on $ext_if from any to $priv_nets
>>
>> pass out on $ext_if1 inet from $ext_if1 to any
>> pass out on $ext_if2 inet from $ext_if2 to any
>> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
>> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>>
>> # icmp rules
>> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
>> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>     proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
>> pass out quick inet proto icmp all keep state
>>
>> # for local network out
>> pass in on $int_if from $int_if:network to any keep state
>> pass out on $int_if from any to $int_if:network keep state
>>
>> #ftp service
>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if2) \
>>     port $ftp_serv flags S/SA keep state
>>
>> pass out quick on $ext_if proto tcp all modulate state flags S/SA
>> pass out quick on $ext_if proto { udp, icmp } all keep state
>>
>> ======= end of pf.conf ====================
>>
>> If I replace the rule
>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> with
>> pass in on $ext_if1 inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> then the ftp-server is accessible from ISP1, but not from ISP2.
>>
>>





-- 
Best regards,
 Subscriber                            mailto:ml-lists@agoris.net.ua




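Tom's second point is that the pf rules must pass the same passive port range the ftp daemon actually announces. The script below is an added example, not part of this thread and not code from the FreeBSD, pf or vsftpd projects: it parses vsftpd log lines in the format quoted above, computes the data port from each `227 Entering Passive Mode` response (p1*256 + p2), checks it against the `ftp_serv` macro value taken from the quoted pf.conf, and correlates each `FAIL DOWNLOAD` record with the port that session last announced. The log lines, client addresses and file names are constructed; `FTP_SERV_MACRO` is the only value taken from the thread.

```python
import re

# Value of the ftp_serv macro from the pf.conf quoted in this thread.
FTP_SERV_MACRO = "{ 21, 2121, 50000:50100 }"

# Constructed sample (not the real log): vsftpd lines in the quoted format,
# with documentation-range addresses and invented file names.
SAMPLE_LOG = """\
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "203.0.113.7", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.7", "227 Entering Passive Mode (192,0,2,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.7", "150 Opening BINARY mode data connection for file.bin (1235728 bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "203.0.113.7", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "203.0.113.7", "/pub/file.bin", 33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:20:01 2010 [pid 92455] [ftpusr] FTP response: Client "198.51.100.9", "227 Entering Passive Mode (192,0,2,136,200,10)."
Thu Oct 21 16:20:05 2010 [pid 92455] [ftpusr] OK DOWNLOAD: Client "198.51.100.9", "/pub/small.txt", 512 bytes, 12.0Kbyte/sec
"""

# One vsftpd log line: timestamp, pid, user, record kind, client, remainder.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'\[(?P<user>[^\]]*)\] '
    r'(?P<kind>FTP command|FTP response|FAIL DOWNLOAD|OK DOWNLOAD|FAIL UPLOAD|OK UPLOAD): '
    r'Client "(?P<client>[^"]*)", (?P<rest>.*)$'
)
# The six comma-separated numbers of a 227 reply: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r'227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def parse_pf_ports(macro):
    """Parse a pf port list such as "{ 21, 2121, 50000:50100 }" into (lo, hi) tuples."""
    ranges = []
    for item in macro.strip().strip("{}").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def port_allowed(port, ranges):
    """True if port falls inside any (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def pasv_port(response):
    """Return (host, port) advertised in a 227 response, or None if absent."""
    m = PASV_RE.search(response)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit(log_text, ftp_serv_macro=FTP_SERV_MACRO):
    """Check announced passive ports against the pf range and tie failures to them."""
    ranges = parse_pf_ports(ftp_serv_macro)
    last_pasv = {}  # pid -> (host, port) most recently announced by that session
    report = {"pasv": 0, "out_of_range": [], "failed": [], "errors_426": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, client, kind, rest = m["pid"], m["client"], m["kind"], m["rest"]
        if kind == "FTP response":
            pasv = pasv_port(rest)
            if pasv:
                report["pasv"] += 1
                last_pasv[pid] = pasv
                if not port_allowed(pasv[1], ranges):
                    report["out_of_range"].append((client, pasv[1]))
            elif rest.startswith('"426'):
                report["errors_426"] += 1
        elif kind.startswith("FAIL"):
            _host, port = last_pasv.get(pid, (None, None))
            report["failed"].append({
                "pid": pid, "client": client, "port": port,
                "port_allowed": port is not None and port_allowed(port, ranges),
            })
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print(f"PASV announcements: {r['pasv']}, 426 errors: {r['errors_426']}")
    for client, port in r["out_of_range"]:
        print(f"  passive port {port} for {client} is outside the pf ftp_serv range")
    for f in r["failed"]:
        print(f"  failed transfer pid {f['pid']} client {f['client']} "
              f"data port {f['port']} (allowed by pf: {f['port_allowed']})")
```

In the constructed sample the failed session announced port 50000, which the quoted rule set does allow, so a range mismatch is ruled out for that session and attention stays on the return path through the second ISP that the thread is about; the second session's port 51210 shows what a daemon/firewall range mismatch looks like in the report.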