From: Subscriber <ml-lists@agoris.net.ua>
Date: Fri, 22 Oct 2010 10:34:02 +0300
To: freebsd-pf@freebsd.org
Subject: Re: Ftp + pf + Two ISP ---> no luck
Message-ID: <163294774.20101022103402@agoris.net.ua>
In-Reply-To: <4CC0AD05.90607@tomjudge.com>
References: <1942060152.20101021171739@agoris.net.ua> <4CC0AD05.90607@tomjudge.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello Tom,

Friday, October 22, 2010, 12:13:41 AM, you wrote:

> On 10/21/2010 09:17 AM, Subscriber wrote:
>> Hi All.
>>
>> First of all sorry for my bad English.
>>
>> I have some problem with two ISPs and an ftp service on a FreeBSD box. For a
>> few days I have tried to resolve the problem, but no luck. Googling does not
>> help me either. My brain will soon blow up. So... pls help me.
>>
>> I want my ftp service to be accessible from ISP1 and ISP2. I can
>> log in to my ftp from outside, but when I try to download files, or
>> open folders with a big number of files, my server "freezes",
>> and the download never happens. Sometimes the ftp-server "unfreezes" for a very
>> short time, at this moment:
>>
> You need something like:
>
> pass in on $ext_if1 inet proto tcp from any to $isp1_ip port 21 reply-to ( $ext_if1 $isp1_gw )
> pass in on $ext_if2 inet proto tcp from any to $isp2_ip port 21 reply-to ( $ext_if2 $isp2_gw )
>
> And the same for the passive port range you configure in the ftp daemon.

I changed the rule as you say. Before:

pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

Now I have:

pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to $ext_ip1 \
    port $ftp_serv

But it does not help. The situation has not changed. I can't upload or download files :(

> TJ
>
>> load averages: 9.24, 2.69, 1.18
>> 36 processes: 7 running, 29 sleeping
>> CPU: 0.0% user, 0.0% nice, 0.0% system, 99.9% interrupt, 0.1% idle
>> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
>> Swap: 512M Total, 32K Used, 512M Free
>>
>> In the ftp-server logs (vsftpd) I see the following:
>>
>> ======= start cut of log ====================
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "PASV"
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "227 Entering Passive Mode (xxx,xxx,xxx,136,195,80)."
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "RETR Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "150 Opening BINARY mode data connection for Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728 bytes)."
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "426 Failure writing network stream."
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "ip_was_replaced", "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe", 33580 bytes, 0.86Kbyte/sec
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "????ABOR"
>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "225 No transfer to ABOR."
>>
>> and so on...
>> ======= end cut of log ====================
>>
>> About my system:
>> # uname -rsm
>> FreeBSD 8.1-RELEASE i386
>>
>> Ftp servers in passive mode:
>> vsftpd-2.3.2 (Listen on port 21)
>> proftpd-1.3.3a (Listen on port 2121)
>>
>> pf - as firewall, kernel compiled with:
>> device pf
>> device pflog
>> options ALTQ
>> options ALTQ_CBQ
>> options ALTQ_RED
>> options ALTQ_RIO
>> options ALTQ_HFSC
>> options ALTQ_CDNR
>> options ALTQ_PRIQ
>> options ALTQ_NOPCC
>>
>> my pf.conf:
>> ======= start of pf.conf ====================
>> # macros
>> # internal interface
>> int_if = "fxp0"
>>
>> ext_if = "{ fxp1, fxp2 }"
>>
>> # interface to isp1 and isp2
>> ext_if1 = "fxp1"
>> ext_if2 = "fxp2"
>>
>> # gateway for isp1 and isp2
>> ext_gw1 = "xxx.xxx.xxx.129"
>> ext_gw2 = "xxx.xxx.xxx.3"
>>
>> # ftp ports
>> ftp_serv = "{ 21, 2121, 50000:50100 }"
>>
>> icmp_types = "{ echoreq }"
>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>               10.0.0.0/8 }"
>> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>>
>> # options
>> set block-policy drop
>> #set loginterface $ext_if
>>
>> # scrub
>> scrub in all
>>
>> # nat
>> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
>> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>>
>> # filter rules
>> block all
>> block in quick on $ext_if inet proto udp from any port 137:139 \
>>     to any port 137:139
>> block log on $ext_if all
>>
>> pass quick on lo0 all
>>
>> block in quick on $ext_if from $priv_nets to any
>> block out quick on $ext_if from any to $priv_nets
>>
>> pass out on $ext_if1 inet from $ext_if1 to any
>> pass out on $ext_if2 inet from $ext_if2 to any
>> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
>> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>>
>> # icmp rules
>> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
>> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>     proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
>> pass out quick inet proto icmp all keep state
>>
>> # for local network out
>> pass in on $int_if from $int_if:network to any keep state
>> pass out on $int_if from any to $int_if:network keep state
>>
>> # ftp service
>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if2) \
>>     port $ftp_serv flags S/SA keep state
>>
>> pass out quick on $ext_if proto tcp all modulate state flags S/SA
>> pass out quick on $ext_if proto { udp, icmp } all keep state
>>
>> ======= end of pf.conf ====================
>>
>> If I replace the rule
>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> with
>> pass in on $ext_if1 inet \
>>     proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>     port $ftp_serv flags S/SA keep state
>>
>> then the ftp-server is accessible from ISP1, but from ISP2 - no.
>>

-- 
Best regards,
Subscriber mailto:ml-lists@agoris.net.ua
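A check that the passive data port vsftpd announces in its 227 reply actually falls inside the range the pf rule passes (the ftp_serv macro above opens 50000:50100), and that flags the FAIL DOWNLOAD lines quoted in the thread. This is an added example, not code from the thread; the log lines below are constructed after the quoted ones, with placeholder addresses.

```python
import re

# Passive range taken from the pf.conf macro ftp_serv = "{ 21, 2121, 50000:50100 }"
PASV_RANGE = (50000, 50100)

# Constructed sample, modelled on the vsftpd lines quoted in the thread.
# The second session announces port 200*256+0 = 51200, outside the pf range.
SAMPLE_LOG = """\
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "198.51.100.7", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "198.51.100.7", "227 Entering Passive Mode (192,0,2,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "198.51.100.7", "RETR file.exe"
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "198.51.100.7", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "198.51.100.7", "/pub/file.exe", 33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:20:00 2010 [pid 92500] [ftpusr] FTP response: Client "198.51.100.7", "227 Entering Passive Mode (192,0,2,136,200,0)."
Thu Oct 21 16:20:01 2010 [pid 92500] [ftpusr] FAIL DOWNLOAD: Client "198.51.100.7", "/pub/other.bin", 0 bytes, 0.00Kbyte/sec
"""

PASV_RE = re.compile(r'227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')
PID_RE = re.compile(r'\[pid (\d+)\]')
FAIL_RE = re.compile(r'FAIL DOWNLOAD: Client "([^"]+)", "([^"]+)", (\d+) bytes')


def pasv_port(line):
    """Return the data port announced in a 227 reply (p1*256 + p2), or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    return int(m.group(5)) * 256 + int(m.group(6))


def analyse(log_text, pasv_range=PASV_RANGE):
    """Return (pid, finding, value) tuples: passive ports the firewall does
    not pass, and transfers vsftpd reports as failed."""
    lo, hi = pasv_range
    findings = []
    for line in log_text.splitlines():
        pid_m = PID_RE.search(line)
        if not pid_m:
            continue
        pid = int(pid_m.group(1))
        port = pasv_port(line)
        if port is not None and not lo <= port <= hi:
            findings.append((pid, "pasv_port_outside_range", port))
        fail = FAIL_RE.search(line)
        if fail:
            findings.append((pid, "failed_download", int(fail.group(3))))
    return findings
```

A session whose announced port is inside the range but still fails (pid 92431 here, exactly the pattern in the thread) points at routing or state handling rather than the port range itself.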