Date: Fri, 06 Apr 2007 17:04:05 +0200 From: Kyrre =?iso-8859-1?Q?Nyg=E5rd?= <kyrreny@broadpark.no> To: questions@freebsd.org Subject: Re: pf + ftpd: Socket error (Connection refused) Message-ID: <0JG300M5O0IVZMX0@osl1sminn1.broadpark.no> In-Reply-To: <0JG200M3CS2ORAC0@osl1sminn1.broadpark.no> References: <0JG200M3CS2ORAC0@osl1sminn1.broadpark.no>
next in thread | previous in thread | raw e-mail | index | archive | help
At 14:01 06.04.2007, Kyrre Nyg=E5rd wrote: >Hello! > >My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is=20 >running its native ftpd along with pf and its=20 >ftp-proxy. But after a recent make world,=20 >outsiders could no longer connect to this ftpd: > > <--- 227 Entering Passive Mode (80,204,208,30,208,212) > ---- Connecting data socket to (80.204.208.30) port 53460 > **** Socket error (Connection refused) > >Nor with active mode: > > <--- 200 PORT command successful. > ---> LIST > >My server's external interface is 80.204.208.30=20 >(ADSL), and my internal interface is=20 >192.168.187.1, which connects to my workstation 192.168.187.2. > >All works well, except ftpd. My pf.conf was=20 >inspired by http://www.openbsd.org/faq/pf/example1.html > > ##### /etc/pf.conf > > ext_if=3D"rl0" > int_if=3D"ep0" > > set block-policy return > > set skip on { lo } > > scrub in > > nat on $ext_if from $int_if:network to any -> ($ext_if) > > nat-anchor "ftp-proxy/*" > rdr-anchor "ftp-proxy/*" > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 > rdr on $ext_if proto tcp from any to any=20 > port 53333:55555 -> 192.168.187.2 port 53333:55555 > > block in > > pass quick on $int_if > > pass out keep state > > anchor "ftp-proxy/*" > > antispoof quick for { lo $int_if } > > pass in on $ext_if inet proto tcp from any=20 > to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state > pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep= state > > pass in inet proto icmp from any to any keep state > > pass in on $ext_if inet proto tcp from any=20 > to any port 53333:55555 keep state > >Any suggestions to improve or simplify my=20 >ruleset are warmly welcomed. Ffor instance, why=20 >does it need 3 instances of what seems like the=20 >same thing? nat-anchor "ftp-proxy/*", rdr-anchor=20 >"ftp-proxy/*" and then anchor "ftp-proxy/*"? > > ##### /etc/inetd.conf > > ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l > ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy > >Thanks a lot for your time. > >--Kyrre Problem solved, I just disabled ftp-proxy (guess=20 I didn't need it) and started forwarding just=20 53333 to 192.168.187.2 instead of the entire=20 range. 53333:55555 were my=20 net.inet.ip.portrange.hifirst and=20 net.inet.ip.portrange.hilast, so the way things=20 are now, ftpd has free access to 53334:55555, and it seems quite content. Thanks, Kyrre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0JG300M5O0IVZMX0>