Date: Mon, 22 Nov 2004 20:45:53 +0100
From: "J. Martin Petersen" <jmp@alvorlig.dk>
To: freebsd-pf@freebsd.org
Subject: Problems with active FTP and ftp-proxy
Message-ID: <1101152753.41a241f113332@mail.aub.dk>
Hi

We've recently set up a FreeBSD 5.3 with pf as NAT-gateway and firewall for our local network with 800-1000 users. Most things, including prioritizing traffic, work just fine, but I can't get active ftp from internal clients to work. I've added the rules noted at http://www.openbsd.org/faq/pf/ftp.html, but it doesn't really work.

I can see from the debug log output from ftp-proxy that it proxies the ftp connection, and I can see from netstat that it actually listens on the port it claims to listen on. I can also see with tcpdump that the ftp-server responds to that port. But ftp-proxy still times out a bit later with the error "cannot connect data channel (Operation timed out)".

Here are snippets of the relevant logs and configuration files:

--tcpdump pflog0--
rule 153/0(match): pass in on em0: IP 10.1.4.50.2767 > 127.0.0.1.8021: S 2138343662:2138343662(0) win 65535 <mss 1460,nop,nop,sackOK>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.21 > 195.24.1.195.53620: S 3860699189:3860699189(0) ack 3533547730 win 5792 <mss 1380,sackOK,timestamp[|tcp]>
rule 155/0(match): pass in on fxp0: IP 195.41.131.10.20 > 195.24.1.195.51169: S 3863458569:3863458569(0) win 5840 <mss 1380,sackOK,timestamp[|tcp]>

--the relevant rules--
@153 pass log on em0 inet from 10.1.4.50 to any modulate state
@155 pass in log on fxp0 inet proto tcp from any to 195.24.1.195 user = 62 keep state

--netstat -an--
tcp4       0      0  195.24.1.195.57875     10.1.4.50.5001         SYN_SENT
tcp4     185      0  195.24.1.195.51169     195.41.131.10.20       CLOSE_WAIT
tcp4      54      0  195.24.1.195.53620     195.41.131.10.21       ESTABLISHED

--log output from ftp-proxy--
Nov 22 20:00:40 fw ftp-proxy[56849]: accepted connection from 10.1.4.50:2767 to 195.41.131.10:21
Nov 22 20:00:40 fw ftp-proxy[56849]: local socket is 195.24.1.195:53620
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 220 ProFTPD 1.2.9rc3 Server (linux1.unoeuro.com) [linux1.unoeuro.com]^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: USER rxd.dk^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 331 Password required for rxd.dk.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PASS XXXX
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 230 User rxd.dk logged in.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: SYST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 215 UNIX Type: L8^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: FEAT^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211-Features:^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: MDTM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: REST STREAM^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: SIZE^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 211 End^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PWD^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 257 "/" is current directory.^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: TYPE A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 Type set to A^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: PORT 10,1,4,50,19,137^M
Nov 22 20:00:40 fw ftp-proxy[56849]: Got a PORT command
Nov 22 20:00:40 fw ftp-proxy[56849]: client wants us to use 10.1.4.50:5001
Nov 22 20:00:40 fw ftp-proxy[56849]: we want server to use 195.24.1.195:51169
Nov 22 20:00:40 fw ftp-proxy[56849]: to server (modified): PORT 195,24,1,195,199,225^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server: 200 PORT command successful^M
Nov 22 20:00:40 fw ftp-proxy[56849]: client: LIST^M
Nov 22 20:00:40 fw ftp-proxy[56849]: server listen socket ready
Nov 22 20:01:55 fw ftp-proxy[56849]: cannot connect data channel (Operation timed out)

--inetd.conf--
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -V -D 2 -n -a 195.24.1.195

--excerpts from pf.conf--
ext_if0="fxp0"
ext_gw0="195.24.1.193"
int_if="em0"
loo_if="lo0"

scrub all

nat on $ext_if0 from $int_if:network to any -> ($ext_if0)
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)

rdr on $ext_if0 proto $www_proto from any to any port $www_ports -> $www
rdr on $ext_if0 proto $dns_proto from any to any port $dns_ports -> $dns
rdr on $int_if proto tcp from "10.1.4.50" to any port ftp -> $loo_if port ftp-proxy

antispoof for $int_if inet
antispoof for $ext_if0 inet

pass on $int_if all
pass quick on $loo_if all
pass log on $int_if from "10.1.4.50" modulate state
pass out on $ext_if0 user proxy
pass in log on $ext_if0 inet proto tcp from any to $ext_if0 user proxy keep state

Passive ftp works just fine, both with and without the "-n" flag for ftp-proxy. "10.1.4.50" is the test machine I'm testing from, and it doesn't work either if I substitute it for "any".

Do you have any suggestions?

/Martin
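The ftp-proxy log above shows the core of what an active-FTP proxy does on the control channel: it decodes the client's `PORT 10,1,4,50,19,137` as 10.1.4.50:5001, opens its own listening socket on the external address, and sends the server a rewritten `PORT 195,24,1,195,199,225` (195.24.1.195:51169). The following is an added example that reproduces that decode/rewrite step so the log lines can be checked by hand; it is not ftp-proxy's code, and the peer-address and privileged-port checks are this example's own defensive choices (a proxy that forwards a PORT pointing at an address other than the client would let the server be used to reach a third host). The sample commands are the ones quoted in the post.

```python
"""Decode and rewrite RFC 959 PORT commands as an active-FTP proxy must.

Added example for this thread, not ftp-proxy's own code. Sample PORT
commands below are taken from the ftp-proxy log in the post.
"""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as two bytes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port).

    The port is p1 * 256 + p2, so 19,137 -> 5001. Raises ValueError on
    anything that is not a well-formed PORT command.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return str(ip), port


def format_port(ip, port):
    """Encode (ip, port) back into PORT argument form (inverse of parse_port)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def rewrite_port(line, control_peer, proxy_ip, proxy_port):
    """Rewrite a client's PORT so the server connects to the proxy instead.

    control_peer is the client's address on the control connection. The
    PORT address must be that client: a PORT pointing elsewhere is refused
    rather than relayed. Ports below 1024 are refused as well (example
    policy, not a claim about ftp-proxy). Returns
    ((client_ip, client_port), rewritten_command).
    """
    client_ip, client_port = parse_port(line)
    if client_ip != control_peer:
        raise ValueError("PORT address %s does not match client %s"
                         % (client_ip, control_peer))
    if client_port < 1024:
        raise ValueError("refusing PORT to privileged port %d" % client_port)
    return (client_ip, client_port), format_port(proxy_ip, proxy_port)


if __name__ == "__main__":
    # Values from the post: client 10.1.4.50, proxy external 195.24.1.195:51169.
    client_cmd = "PORT 10,1,4,50,19,137"
    target, to_server = rewrite_port(client_cmd, "10.1.4.50",
                                     "195.24.1.195", 51169)
    print("client wants us to use %s:%d" % target)
    print("to server (modified): %s" % to_server)
```

Running it reproduces the two log lines `client wants us to use 10.1.4.50:5001` and `to server (modified): PORT 195,24,1,195,199,225`, which confirms the proxy's rewrite itself was correct; the failure in the post is in the later step, the proxy's own connection from 195.24.1.195 back to 10.1.4.50:5001, which netstat shows stuck in SYN_SENT.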