Date: Tue, 18 Jun 2013 13:11:43 +0200
From: Rainer Duffner
To: freebsd-stable@freebsd.org
Subject: Problem with ftp-proxy
Message-ID: <20130618131143.340dff14@suse3>
List-Id: Production branch of FreeBSD source code

Hi,

I use ftp-proxy, together with the patch that starts multiple instances:
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/158171

I use it in a combination with pure-ftpd on the backend-server.

on the proxy:

 1434  ??  Ss     0:17.06 /usr/sbin/ftp-proxy -vv -b 127.0.0.2 -R 192.168.91.42
92144  ??  Ss     0:00.06 /usr/sbin/ftp-proxy -vv -b 127.0.0.1 -R 192.168.91.41

Originally, the proxy was on FreeBSD 8.3.
A while ago, I updated it to FreeBSD 9.1.
Now, the customer, who hadn't logged in for a while, complained that
while they could still log in, it was not possible to view contents of
directories or transfer files.

I have the following pf.conf:

ext_if="em0"
int_if="em1"
backend_ip="10.10.113.70"
ftp_host_prod="192.168.91.41"
ftp_host_test="192.168.91.42"
proxyip_prod="127.0.0.1"
proxyip_test="127.0.0.2"

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# didn't have the above line previously, but it does not make a difference
rdr pass log proto tcp from any to EXT_IP_PROD port ftp -> $proxyip_prod port 8021
rdr pass log proto tcp from any to EXT_IP_TEST port ftp -> $proxyip_test port 8021
anchor "ftp-proxy/*"
pass out log proto tcp from $backend_ip to $ftp_host_prod port 21
pass out log proto tcp from $backend_ip to $ftp_host_test port 21

I tried switching pure-ftpd on the backend-server to FreeBSD's ftpd, but
that didn't change anything.

There is both an additional firewall in front of the proxy and in front
of the backend-server - but they don't log any denied traffic.
Neither does pf.

When I connect to the EXT_IP_PROD on the proxy itself and try to list
files, it takes a while before a timeout occurs, and then, on the 2nd
try, it actually works.