From owner-freebsd-pf@FreeBSD.ORG Mon Oct 25 16:35:36 2010
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EB0C8106566C
	for ; Mon, 25 Oct 2010 16:35:36 +0000 (UTC)
	(envelope-from tom@tomjudge.com)
Received: from eu1sys200aog104.obsmtp.com (eu1sys200aog104.obsmtp.com [207.126.144.117])
	by mx1.freebsd.org (Postfix) with SMTP id BFBF48FC0A
	for ; Mon, 25 Oct 2010 16:35:34 +0000 (UTC)
Received: from source ([63.174.175.251]) by eu1sys200aob104.postini.com ([207.126.147.11])
	with SMTP ID DSNKTMWx1HlnHn/Gc3SDR6Ex1pyr4vcf92hX@postini.com;
	Mon, 25 Oct 2010 16:35:35 UTC
Received: from [172.17.10.53] (unknown [172.17.10.53])
	by bbbx3.usdmm.com (Postfix) with ESMTP id A3CC5FD022;
	Mon, 25 Oct 2010 16:35:31 +0000 (UTC)
Message-ID: <4CC5B1BA.1030903@tomjudge.com>
Date: Mon, 25 Oct 2010 11:35:06 -0500
From: Tom Judge
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101006 Lightning/1.0b2 Thunderbird/3.1.5
MIME-Version: 1.0
To: Subscriber
References: <1942060152.20101021171739@agoris.net.ua> <4CC0AD05.90607@tomjudge.com> <163294774.20101022103402@agoris.net.ua>
In-Reply-To: <163294774.20101022103402@agoris.net.ua>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Ftp + pf + Two ISP ---> no luck
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 25 Oct 2010 16:35:37 -0000

On 10/22/2010 02:34 AM, Subscriber wrote:
> Hello Tom,

Take a look at ftpsesame in ports, this will help you and simplify your
firewall configuration.

TJ

> Friday, October 22, 2010, 12:13:41 AM, you wrote:
>
>> On 10/21/2010 09:17 AM, Subscriber wrote:
>>> Hi All.
>>>
>>> First of all, sorry for my bad English.
>>>
>>> I have a problem with two ISPs and the ftp service on a FreeBSD box. For a
>>> few days I have tried to resolve the problem, but no luck. Googling does not
>>> help me either. My brain will soon blow up. So.... please help me.
>>>
>>> I want my ftp service to be accessible from ISP1 and ISP2. I can
>>> log in to my ftp from outside, but when I try to download files, or
>>> open folders with a big number of files, my server "freezes",
>>> and the download never happens. Sometimes the ftp-server "unfreezes" for a very
>>> short time, at this moment:
>>>
>> You need something like:
>> pass in on $ext_if1 inet proto tcp from any to $isp1_ip port 21 reply-to
>> ( $ext_if1 $isp1_gw )
>> pass in on $ext_if2 inet proto tcp from any to $isp2_ip port 21 reply-to
>> ( $ext_if2 $isp2_gw )
>> And the same for the passive port range you configure in the ftp daemon.
> I changed the rule as you said:
>
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to ($ext_if1) \
> port $ftp_serv flags S/SA keep state
>
> Now I have:
>
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to $ext_ip1 \
> port $ftp_serv
>
> But it does not help. The situation has not changed. I can't upload or
> download files :(
>
>> TJ
>>> load averages: 9.24, 2.69, 1.18
>>> 36 processes: 7 running, 29 sleeping
>>> CPU: 0.0% user, 0.0% nice, 0.0% system, 99.9% interrupt, 0.1% idle
>>> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
>>> Swap: 512M Total, 32K Used, 512M Free
>>>
>>> In the ftp-server logs (vsftpd) I see the following:
>>>
>>> ======= start cut of log ====================
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "PASV"
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "227 Entering Passive Mode
>>> (xxx,xxx,xxx,136,195,80)."
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "RETR
>>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
>>> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "150 Opening BINARY mode data connection for
>>> Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728
>>> bytes)."
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "426 Failure writing network stream."
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client
>>> "ip_was_replaced",
>>> "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe",
>>> 33580 bytes, 0.86Kbyte/sec
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client
>>> "ip_was_replaced", "????ABOR"
>>> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client
>>> "ip_was_replaced", "225 No transfer to ABOR."
>>>
>>> and so on...
>>> ======= end cut of log ====================
>>>
>>> About my system:
>>> # uname -rsm
>>> FreeBSD 8.1-RELEASE i386
>>>
>>> Ftp servers in passive mode:
>>> vsftpd-2.3.2 (Listen on port 21)
>>> proftpd-1.3.3a (Listen on port 2121)
>>>
>>> pf - as firewall, kernel compiled with:
>>> device pf
>>> device pflog
>>> options ALTQ
>>> options ALTQ_CBQ
>>> options ALTQ_RED
>>> options ALTQ_RIO
>>> options ALTQ_HFSC
>>> options ALTQ_CDNR
>>> options ALTQ_PRIQ
>>> options ALTQ_NOPCC
>>>
>>> my pf.conf:
>>> ======= start of pf.conf ====================
>>> # macros
>>> # internal interface
>>> int_if = "fxp0"
>>>
>>> ext_if = "{ fxp1, fxp2 }"
>>>
>>> # interface to isp1 and isp2
>>> ext_if1 = "fxp1"
>>> ext_if2 = "fxp2"
>>>
>>> # gateway for isp1 and isp2
>>> ext_gw1 = "xxx.xxx.xxx.129"
>>> ext_gw2 = "xxx.xxx.xxx.3"
>>>
>>> # ftp ports
>>> ftp_serv = "{ 21, 2121, 50000:50100 }"
>>>
>>> icmp_types = "{ echoreq }"
>>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>>> 10.0.0.0/8 }"
>>>
>>> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>>>
>>> # options
>>> set block-policy drop
>>> #set loginterface $ext_if
>>>
>>> # scrub
>>> scrub in all
>>> # nat
>>> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
>>> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>>>
>>> # filter rules
>>> block all
>>> block in quick on $ext_if inet proto udp from any port 137:139 \
>>> to any port 137:139
>>> block log on $ext_if all
>>>
>>> pass quick on lo0 all
>>>
>>> block in quick on $ext_if from $priv_nets to any
>>> block out quick on $ext_if from any to $priv_nets
>>>
>>> pass out on $ext_if1 inet from $ext_if1 to any
>>> pass out on $ext_if2 inet from $ext_if2 to any
>>> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
>>> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>>>
>>> # icmp rules
>>> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
>>> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>> proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
>>> pass out quick inet proto icmp all keep state
>>>
>>> # for local network out
>>> pass in on $int_if from $int_if:network to any keep state
>>> pass out on $int_if from any to $int_if:network keep state
>>>
>>> # ftp service
>>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if2) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> pass out quick on $ext_if proto tcp all modulate state flags S/SA
>>> pass out quick on $ext_if proto { udp, icmp } all keep state
>>>
>>> ======= end of pf.conf ====================
>>>
>>> If I replace the rule
>>> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> with
>>> pass in on $ext_if1 inet \
>>> proto tcp from $ftp_allowed_ip to ($ext_if1) \
>>> port $ftp_serv flags S/SA keep state
>>>
>>> then the ftp-server is accessible from ISP1, but not from ISP2.
>>>
>>>
>
>
>

-- 
TJU13-ARIN
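The thread turns on whether the passive data connection (a second inbound TCP session to a port in the daemon's passive range) is matched by the same `pass in ... reply-to` rules as the control channel. The check a practitioner would want before touching more rules is to decode the port the server actually advertised in its `227` reply and compare it with the range the pf macro covers, then see how each transfer ended. The script below does that over the vsftpd lines quoted above. It is an added example and not code from this thread, from vsftpd or from pf; the sample log and the `ftp_serv` macro are constructed from the quoted text (joined back onto one line each, with the poster's `ip_was_replaced` and `xxx` placeholders kept), and the function names are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the vsftpd lines quoted in the thread, one log entry per
# line, with the poster's placeholders left in place.
SAMPLE_LOG = """\
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "227 Entering Passive Mode (xxx,xxx,xxx,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "RETR Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "150 Opening BINARY mode data connection for Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728 bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "225 No transfer to ABOR."
"""

# Constructed: the port macro from the poster's pf.conf.
SAMPLE_PF_MACRO = 'ftp_serv = "{ 21, 2121, 50000:50100 }"'

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'\[(?P<user>[^\]]*)\] FTP (?P<kind>command|response): '
    r'Client "(?P<client>[^"]*)", "(?P<text>.*)"$'
)
PASV_RE = re.compile(r'^227 [^(]*\(([^)]*)\)')
PORT_ITEM_RE = re.compile(r'(\d+)(?::(\d+))?')
# Replies that end a data transfer: 226 = success, 425/426 = data connection failed.
TRANSFER_END = {'226', '425', '426'}


def pasv_port(response: str) -> Optional[int]:
    """Return the data port advertised in a 227 reply, or None if malformed.

    RFC 959 encodes the port in the last two decimal octets: p1*256 + p2.
    The four address octets are ignored, so the poster's xxx placeholders
    do not matter.
    """
    m = PASV_RE.match(response)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(',')]
    if len(fields) != 6:
        return None
    try:
        p1, p2 = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        return None
    return p1 * 256 + p2


def pf_port_ranges(macro_line: str) -> List[Tuple[int, int]]:
    """Parse a pf port macro such as: name = "{ 21, 2121, 50000:50100 }"."""
    body = macro_line.split('=', 1)[1].strip().strip('"').strip('{} ')
    ranges: List[Tuple[int, int]] = []
    for item in body.split(','):
        m = PORT_ITEM_RE.fullmatch(item.strip())
        if not m:
            raise ValueError(f'unrecognised port item: {item!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f'bad port range: {item!r}')
        ranges.append((lo, hi))
    return ranges


def port_covered(port: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if a 'port $macro' match would include this port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def audit_passive_transfers(log_text: str, ranges: List[Tuple[int, int]]) -> List[Dict]:
    """Pair each 227 reply with the reply that ends the transfer that follows it.

    Sessions are tracked per vsftpd child pid. Each record gives the port the
    client was told to connect to, whether the pf range covers it, and the
    closing reply code (226/425/426), or None if no closing reply was logged.
    """
    pending: Dict[str, Dict] = {}
    results: List[Dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['kind'] != 'response':
            continue
        pid, text = m['pid'], m['text']
        code = text[:3]
        if code == '227':
            port = pasv_port(text)
            pending[pid] = {
                'pid': pid,
                'port': port,
                'covered': port is not None and port_covered(port, ranges),
                'status': None,
            }
        elif code in TRANSFER_END and pid in pending:
            rec = pending.pop(pid)
            rec['status'] = code
            results.append(rec)
    # Transfers with no closing reply at all (e.g. the child hung).
    results.extend(pending.values())
    return results


if __name__ == '__main__':
    for rec in audit_passive_transfers(SAMPLE_LOG, pf_port_ranges(SAMPLE_PF_MACRO)):
        print(f"pid {rec['pid']}: data port {rec['port']} "
              f"{'inside' if rec['covered'] else 'OUTSIDE'} the pf range, "
              f"transfer ended with {rec['status'] or 'no closing reply'}")
```

On the quoted data the advertised tuple `195,80` decodes to port 50000, which is inside the `50000:50100` part of `ftp_serv`, and the transfer got a `150` before failing with `426` after 33580 bytes. So the port match in the `pass in` rules is not what is refusing the data connection; the session is accepted and then stalls mid-stream. Feed the script a longer log (it reads one vsftpd entry per line) and a different macro line to re-check the same two facts whenever the daemon's `pasv_min_port`/`pasv_max_port` (vsftpd) or `PassivePorts` (proftpd) range or the pf macro is changed; a port reported as OUTSIDE means the two have drifted apart.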