From: Kyrre Nygård <kyrreny@broadpark.no>
To: questions@freebsd.org
Date: Fri, 06 Apr 2007 14:01:36 +0200
Subject: pf + ftpd: Socket error (Connection refused)
Message-id: <0JG200M3CS2ORAC0@osl1sminn1.broadpark.no>

Hello!

My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is running its native ftpd along with pf and its ftp-proxy. But after a recent make world, outsiders could no longer connect to this ftpd:

<--- 227 Entering Passive Mode (80,204,208,30,208,212)
---- Connecting data socket to (80.204.208.30) port 53460
**** Socket error (Connection refused)

Nor with active mode:

<--- 200 PORT command successful.
---> LIST

My server's external interface is 80.204.208.30 (ADSL), and my internal interface is 192.168.187.1, which connects to my workstation 192.168.187.2. All works well, except ftpd.

My pf.conf was inspired by http://www.openbsd.org/faq/pf/example1.html

##### /etc/pf.conf
ext_if="rl0"
int_if="ep0"

set block-policy return
set skip on { lo }

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555

block in
pass quick on $int_if
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in inet proto icmp from any to any keep state
pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state

Any suggestions to improve or simplify my ruleset are warmly welcomed. For instance, why does it need 3 instances of what seems like the same thing? nat-anchor "ftp-proxy/*", rdr-anchor "ftp-proxy/*" and then anchor "ftp-proxy/*"?

##### /etc/inetd.conf
ftp        stream  tcp  nowait  root  /usr/libexec/ftpd       ftpd -l
ftp-proxy  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy

Thanks a lot for your time.

--Kyrre
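As an added example (not part of the post, and not FreeBSD or pf code): a small Python diagnostic that decodes the 227 reply quoted in the transcript above and checks whether the announced data port falls inside a port range that an rdr rule in the quoted pf.conf hands to another host. The sample reply and the rdr lines are copied from the post; the function names and the report format are my own. Run on those values it shows that port 53460 (208*256 + 212) lies inside the 53333:55555 range that the $ext_if rdr rule redirects to 192.168.187.2, so an outside client's passive data connection would be steered to the workstation instead of reaching the ftpd that announced it. That overlap is one concrete thing to check; it does not by itself explain the active-mode failure.

```python
import re

# Constructed sample input, copied from the values quoted in the post:
# the server's 227 reply and the rdr lines of its pf.conf (a pass line
# is included to show that non-rdr lines are ignored).
PASV_REPLY = "227 Entering Passive Mode (80,204,208,30,208,212)"

PF_CONF = """\
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state
"""

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Only the rdr fields this check needs: interface, protocol, destination
# port (single or lo:hi range) and the translation target.
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)\s+from\s+\S+\s+to\s+\S+"
    r"\s+port\s+(?P<lo>\d+)(?::(?P<hi>\d+))?\s*->\s*(?P<target>\S+)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_rdr_rules(conf):
    """Extract rdr rules from pf.conf text; every other line is ignored."""
    rules = []
    for line in conf.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        rules.append({
            "iface": m.group("iface"),
            "proto": m.group("proto"),
            "lo": lo,
            "hi": hi,
            "target": m.group("target"),
        })
    return rules


def diverting_rules(port, rules, proto="tcp"):
    """Return the rdr rules whose destination port range covers `port`."""
    return [r for r in rules if r["proto"] == proto and r["lo"] <= port <= r["hi"]]


def check_passive_reply(reply, conf):
    """Report whether the data port announced in `reply` would be redirected
    away from the ftpd that announced it by an rdr rule in `conf`."""
    host, port = parse_pasv(reply)
    hits = diverting_rules(port, parse_rdr_rules(conf))
    return {
        "host": host,
        "port": port,
        "diverted": bool(hits),
        "diverted_to": [r["target"] for r in hits],
    }


if __name__ == "__main__":
    report = check_passive_reply(PASV_REPLY, PF_CONF)
    print("passive data socket: %s:%d" % (report["host"], report["port"]))
    if report["diverted"]:
        print("rdr rule(s) send this port to: %s" % ", ".join(report["diverted_to"]))
        print("the data connection never reaches the ftpd that announced it")
    else:
        print("no rdr rule covers this port")
```

On the question of the three anchor lines: the pf-integrated ftp-proxy(8) inserts translation rules and filter rules into its own anchor at runtime, so pf.conf needs a nat-anchor, an rdr-anchor and a plain anchor entry for "ftp-proxy/*" to give each kind of rule a place to land; they are not duplicates of one another.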