From: Kyrre Nygård <kyrreny@broadpark.no>
To: questions@freebsd.org
Date: Fri, 06 Apr 2007 17:04:05 +0200
Subject: Re: pf + ftpd: Socket error (Connection refused)
Message-id: <0JG300M5O0IVZMX0@osl1sminn1.broadpark.no>
In-reply-to: <0JG200M3CS2ORAC0@osl1sminn1.broadpark.no>
List-Id: User questions <freebsd-questions@freebsd.org>

At 14:01 06.04.2007, Kyrre Nygård wrote:
>Hello!
>
>My FreeBSD server (HTTP, SMTP, PF, NAT etc.) is running its native ftpd along with pf and its ftp-proxy. But after a recent make world, outsiders could no longer connect to this ftpd:
>
> <--- 227 Entering Passive Mode (80,204,208,30,208,212)
> ---- Connecting data socket to (80.204.208.30) port 53460
> **** Socket error (Connection refused)
>
>Nor with active mode:
>
> <--- 200 PORT command successful.
> ---> LIST
>
>My server's external interface is 80.204.208.30 (ADSL), and my internal interface is 192.168.187.1, which connects to my workstation 192.168.187.2.
>
>All works well, except ftpd. My pf.conf was inspired by http://www.openbsd.org/faq/pf/example1.html
>
> ##### /etc/pf.conf
>
> ext_if="rl0"
> int_if="ep0"
>
> set block-policy return
>
> set skip on { lo }
>
> scrub in
>
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
>
> block in
>
> pass quick on $int_if
>
> pass out keep state
>
> anchor "ftp-proxy/*"
>
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port { 21, 22, 25, 53, 80, 110, 113, 143 } keep state
> pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
>
> pass in inet proto icmp from any to any keep state
>
> pass in on $ext_if inet proto tcp from any to any port 53333:55555 keep state
>
>Any suggestions to improve or simplify my ruleset are warmly welcomed. For instance, why does it need 3 instances of what seems like the same thing? nat-anchor "ftp-proxy/*", rdr-anchor "ftp-proxy/*" and then anchor "ftp-proxy/*"?
>
> ##### /etc/inetd.conf
>
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
>Thanks a lot for your time.
>
>--Kyrre

Problem solved, I just disabled ftp-proxy (guess I didn't need it) and started forwarding just 53333 to 192.168.187.2 instead of the entire range. 53333:55555 were my net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast, so the way things are now, ftpd has free access to 53334:55555, and it seems quite content.

Thanks,
Kyrre
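The refused passive connection above (port 53460 lies inside 53333:55555) is what happens when an `rdr` on the external interface covers the same high port range the local ftpd draws its passive data ports from: pf redirects the inbound data connection to the workstation instead of the server. As an added check that is not part of this thread, the following Python script parses `rdr` rules from a pf.conf fragment (constructed from the lines in the post) and reports which rules shadow the local `net.inet.ip.portrange.hifirst`..`hilast` range; the interface names, addresses and port values are taken from the post, and the `__main__` report is only illustrative.

```python
import re

# Constructed sample: the macros and the two rdr lines from the poster's
# pf.conf, plus the sysctl range the poster reported for ftpd's passive ports.
PF_CONF = """\
ext_if="rl0"
int_if="ep0"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 53333:55555 -> 192.168.187.2 port 53333:55555
"""
HIFIRST, HILAST = 53333, 55555  # net.inet.ip.portrange.hifirst / .hilast

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)
RDR_RE = re.compile(
    r"^\s*rdr\s+on\s+(\S+)\s+proto\s+tcp\s+from\s+\S+\s+to\s+\S+\s+"
    r"port\s+(\d+)(?::(\d+))?\s+->\s+(\S+)"
)


def parse_rdr(conf):
    """Return (interface, first_port, last_port, target) for each tcp rdr
    rule, resolving $macro interface names against the conf's own macros."""
    macros = dict(MACRO_RE.findall(conf))
    rules = []
    for line in conf.splitlines():
        m = RDR_RE.match(line)
        if not m:
            continue
        iface, lo, hi, target = m.groups()
        iface = macros.get(iface.lstrip("$"), iface)
        rules.append((iface, int(lo), int(hi or lo), target))
    return rules


def overlapping_rdrs(rules, ext_if, hifirst, hilast):
    """Rdr rules on ext_if whose destination ports intersect the local high
    port range [hifirst, hilast]; each hit carries the intersected sub-range.
    Inbound connections to those ports never reach a daemon on the server
    itself, which is why a passive-mode ftpd there looks 'refused'."""
    hits = []
    for iface, lo, hi, target in rules:
        if iface != ext_if:
            continue
        olo, ohi = max(lo, hifirst), min(hi, hilast)
        if olo <= ohi:
            hits.append((lo, hi, target, olo, ohi))
    return hits


if __name__ == "__main__":
    for lo, hi, target, olo, ohi in overlapping_rdrs(parse_rdr(PF_CONF), "rl0", HIFIRST, HILAST):
        print(f"rdr {lo}:{hi} -> {target} shadows local ports {olo}:{ohi}")
```

Narrowing the rule to a single port, as the poster did, still shadows that one port, which the script reports as a one-port overlap; the rest of the range stays available to the local ftpd.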