From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: jail@freebsd.org, questions@freebsd.org, Redd Vinylene, pf@freebsd.org
Date: Fri, 3 Oct 2008 11:56:07 +0200
Subject: Re: Jail, pf and ftpd: Connection refused
Message-Id: <200810031156.07623.max@love2party.net>

On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me
> "getpeername(control_sock): Transport endpoint is not connected,
> Socket error (Connection refused) - reconnecting" when trying to log
> onto box3 via passive FTP? Active FTP gives me "425 Can't build data
> connection: Connection refused." (box2 and box3 are jails running off
> box1)

See ftp-proxy(8). Note that active works with the ruleset you provided (due
to the "pass out keep state"-rule), but there is obviously a firewall
problem on the client preventing that.

> -
>
> root@box1# cat /etc/pf.conf
> box1 = "80.203.2.2"
> box2 = "80.203.2.3"
> box3 = "{ 80.203.2.4 [...] 80.203.2.127 }"
> ext_if = "rl0"
> set block-policy return
> set skip on { lo0 }
> scrub in
> pass out keep state
> block in
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
> pass in on $ext_if inet proto icmp from any to any keep state
>
> -
>
> root@box3# cat /etc/inetd.conf
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
>
> -
>
> I hope I've been verbose enough. Thank you!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
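An added example, not part of Max's reply or of Redd's original pf.conf: the ruleset above rewired so that ftp-proxy(8), run on box1 in reverse mode, opens the passive data port of each FTP session on demand instead of box3's whole ephemeral range being either blocked (today's "Connection refused", which `set block-policy return` turns into an RST) or statically opened. It assumes ftpd lives on the single jail address 80.203.2.4, that the proxy listens on 127.0.0.1 port 8021, and that it is started from /etc/rc.conf with `ftpproxy_enable="YES"` and `ftpproxy_flags="-R 80.203.2.4 -p 8021"`; check those flags against the ftp-proxy(8) on your release.

```pf
# /etc/pf.conf on box1 (added example, not the poster's file).
# Assumes: ftp-proxy -R 80.203.2.4 -p 8021 running on the host
# (rc.conf: ftpproxy_enable="YES", ftpproxy_flags="-R 80.203.2.4 -p 8021").
# Port 8021 and the single ftpd jail address are assumptions.
box1     = "80.203.2.2"
box2     = "80.203.2.3"
box3_ftp = "80.203.2.4"          # the jail that runs ftpd
ext_if   = "rl0"

set block-policy return          # blocked SYNs get an RST: the client's "Connection refused"
set skip on { lo0 }              # host <-> jail traffic (proxy to ftpd) rides lo0, unfiltered
scrub in

# ftp-proxy inserts per-session translation rules here; translation
# anchors precede the static rules of the same kind.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Divert FTP control connections for the jail to the proxy on the host.
rdr pass on $ext_if inet proto tcp from any to $box3_ftp port 21 \
    -> 127.0.0.1 port 8021

pass out keep state              # still covers active-mode data from port 20
block in

# The proxy's pass rules for each negotiated data port land in this
# anchor; placed after "block in" so they win (last match).
anchor "ftp-proxy/*"

pass in on $ext_if inet proto tcp from any to any port 22 keep state
pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
# No static pass for 20/21 any more; keep 113 only if ident is wanted.
pass in on $ext_if inet proto tcp from any to $box3_ftp port 113 keep state
pass in on $ext_if inet proto icmp from any to any keep state
```

Without a proxy the fallback is a static `pass in` to box3 for the range ftpd uses for passive data (49152:65535 by default on FreeBSD ftpd, see ftpd(8)), which works but leaves that whole range reachable from anywhere rather than only for the duration of a session.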