Date: Sun, 29 Jul 2007 23:40:45 +0200 (CEST)
From: "Reinhold" <freebsd@violetlan.net>
To: freebsd-questions@freebsd.org
Subject: fetch and ftp problems through pf
Message-ID: <55960.212.99.206.5.1185745245.squirrel@www.violetlan.net>
[-- Attachment #1 --]

Hi

I have a bit of a fetch and ftp problem when it comes to the hosts behind my freebsd 6.2 stable pf firewall. I can use fetch and ftp perfectly fine from the firewall but once I want to use them on one of the hosts behind it I get the following errors.

Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:hamba): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||5654|)
425 Security: Bad IP connecting.
ftp> exit
221 Goodbye.

# ftp ftp.de.freebsd.org
Connected to ftp.plusline.net.
220-
220-PUBLIC FTP MIRROR
220-
220-Plus.Line AG
220-http://www.plusline.net
220-Frankfurt a. M.
220-Germany
220-
220
Name (ftp.de.freebsd.org:hamba): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35507|)
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
ftp: poll timeout waiting before accept: Operation timed out
426 Failure writing network stream.
225 No transfer to ABOR.
ftp> exit
221 Goodbye.
I have multiple IPs on my external if so I'm using pftpx as the ftp proxy and I followed the man page and added this to my pf.conf

nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from 10.0.0.0/8 to any port 21 -> 127.0.0.1 port 8021
anchor "pftpx/*"

I also added in the rc.conf file

pftpx_enable="YES"
pftpx_flags="-p 80.81.242.5"

Here is the debug output I got from pftpx

Jul 25 22:50:13 amanzi pftpx[92813]: #1 accepted connection from 10.0.100.150
Jul 25 22:50:13 amanzi pftpx[92813]: #1 server: 220 Welcome to freebsd.isc.org.^M
Jul 25 22:50:15 amanzi pftpx[92813]: #1 client: USER anonymous^M
Jul 25 22:50:15 amanzi pftpx[92813]: #1 server: 331 Please specify the password.^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: PASS ^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 230 Login successful.^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: SYST^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 215 UNIX Type: L8^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: FEAT^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 211-Features:^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: EPRT^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: EPSV^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: MDTM^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: PASV^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: REST STREAM^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: SIZE^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: TVFS^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 211 End^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 client: PWD^M
Jul 25 22:50:16 amanzi pftpx[92813]: #1 server: 257 "/"^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 client: EPSV^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 server: 229 Entering Extended Passive Mode (|||30018|)^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 proxy: 229 Entering Extended Passive Mode (|||59677|)^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 client: LIST^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 server: 425 Security: Bad IP connecting.^M

I also have 2 internal IPs on each host behind the firewall. I have attached my pf.conf file; everything works perfectly without problems except for ftp. I also have to mention that it's not all the ftp sites but only some of them, and when I fetch from http it also works.

Thanks for the time

Reinhold

[-- Attachment #2 --]
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# pf.conf for my firewall
#
# The default gateway doing NAT for my home network, using queues for extended ackpri.
#
# Mostly configured from http://www.benzedrine.cx/pf.conf
#
# The external interface is fxp0, with a single routable address 192.168.1.16.
# The internal interface is rl0, address 192.168.100.11 in network 192.168.0.0/16.

# ===========================================================================
#
# Macros, Lists, Options and Tables
#
# ===========================================================================

# macros
#
ext_if = "rl0"
int_if = "rl1"
unfiltered = "{ lo0, enc0 }"
unroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
#unroutable = "{ 127.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }"

# All my IPs are from 80.81.242.5 to 80.81.242.14

# host amanzi
# used for ns1.violetlan.net and firewall
# The external IP = 80.81.242.5
# The internal IP = 10.0.100.1
#
amanzi_int = "10.0.100.1"
amanzi_ext = "80.81.242.5"

# host scurvy
# used for DNS2 and email
#
# IPs for ns2.violetlan.net
scurvy_int = "10.0.100.110"
scurvy_ext = "80.81.242.6"
# IPs address for mail.violetlan.net
scurvy_int1 = "10.0.100.111"
scurvy_ext1 = "80.81.242.7"

# host mbali
#
# IP address for www.violetlan.net
mbali_int = "10.0.100.150"
mbali_ext = "80.81.242.8"
# IPs address for gallery.violetlan.net
mbali_int1 = "10.0.100.151"
mbali_ext1 = "80.81.242.9"

proxy = "80.81.242.5"

# ports
#
all_services = "{ ssh, smtp, smtps, domain, auth, http, https, imap, imaps, pop3, pop3s }"
local_ports = "{ ssh, domain, auth }"
http_ports = "{ http, https }"
mail_ports = "{ smtp, smtps, imap, imaps, pop3, pop3s }"
domain_ports = "{ domain }"

# allowed incoming ICMP types
#
icmp_types = "{ echoreq, timex, paramprob, unreach code needfrag }"

# options
#
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set limit { states 100000, src-nodes 100000, frags 60000 }
set fingerprints "/etc/pf.os"

# tables
#
table <bruteforce> persist
table <spamd-white> persist
table <my_spamd_white> persist file "/usr/local/etc/spamd/my_spamd_white"

# normalization
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# ===========================================================================
#
# Queues, NAT and ftp-proxy
#
# ===========================================================================

# queues
#
# - ssh has maximum priority, so the host is always managable.
# - dns has high priority.
# - outgoing tcp connections have priority over incoming ones.
# - outgoing http has priority over other outgoing tcp
#   (the mailing list generates bursts of outgoing smtp)
#
# effect: even while the web server is under heavy load and the
# mailing list is delivering mails, I can still use www/icb/irc.
#
altq on rl0 priq bandwidth 100Mb queue { q_max, q_hig, q_def, q_low }
queue q_max priority 7
queue q_hig priority 5
queue q_def priority 3
queue q_low priority 1 priq(default)

# translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# nat private network to single routable address
#
nat on $ext_if inet from 10.0.0.0/8 to any -> ($ext_if)

# ftp proxy
nat-anchor "pftpx/*"

# ===========================================================================
#
# Redirect Rules
#
# ===========================================================================

#############
# amanzi    #
#############
# ftp proxy
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from 10.0.0.0/8 to $proxy port 21 -> 127.0.0.1 port 8021
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#############
# scurvy    #
#############
# DNS2
#
rdr on $ext_if inet proto { tcp, udp } from any to $scurvy_ext port $domain_ports -> $scurvy_int
# obspamd
#
rdr pass inet proto tcp from <my_spamd_white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from <spamd-white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
#rdr on $ext_if inet proto tcp from <my_spamd_white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
#rdr on $ext_if inet proto tcp from <spamd-white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from any to $scurvy_ext1 port { smtp, smtps } -> 127.0.0.1 port spamd
# ssh
#
rdr on $ext_if inet proto tcp from any to $scurvy_ext port ssh -> $scurvy_int

#############
# mbali     #
#############
# http redirection
#
rdr on $ext_if inet proto tcp from any to $mbali_ext port $http_ports -> $mbali_int
rdr on $ext_if inet proto tcp from any to $mbali_ext1 port $http_ports -> $mbali_int1
# mail
#
#rdr on $ext_if inet proto tcp from any to $mbali_ext port $mail_ports -> $mbali_int
# ssh
#
rdr on $ext_if inet proto tcp from any to $mbali_ext port ssh -> $mbali_int

# ===========================================================================
#
# filter rules (default block/pass)
#
# ===========================================================================

# pass on unfiltered interfaces
#
pass quick on $unfiltered
pass quick on $int_if

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# ===========================================================================
#
# external interface (all external IPv4 traffic)
#
# ===========================================================================

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to 255.255.255.255

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !($ext_if) to any

# ===========================================================================
#
# TCP UDP in/out
#
# ===========================================================================

#############
# amanzi    #
#############
pass out on $ext_if inet proto udp from any to any keep state queue (q_def)
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $http_ports flags S/SA keep state queue (q_hig, q_max)

#############
# scurvy    #
#############
# mail server
#
pass in log on $ext_if proto tcp from any to any port $mail_ports flags S/SA synproxy state queue (q_def, q_max)
pass out quick log on $ext_if proto tcp from $scurvy_ext1 to any port { smtp, smtps } flags S/SA synproxy state queue (q_def, q_max)

#############
# mbali     #
#############
# webserver
#
pass in on $ext_if inet proto tcp from any to any port $http_ports flags S/SA keep state queue (q_low, q_max)
#pass in log on $ext_if inet proto tcp from any to any port $http_ports flags S/SA keep state (max 1024, max-src-conn 100, max-src-conn-rate 15/5, tcp.first 10, tcp.opening 10, overload <bruteforce> flush global) queue (q_low, q_max)

#############
# all hosts #
#############
# ftp proxy
anchor "pftpx/*"
pass out log proto tcp from $proxy to any port 21 flags S/SA keep state

# ICMP
#
pass out inet proto icmp all keep state queue (q_low)
pass in inet proto icmp all icmp-type $icmp_types keep state queue (q_max)

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state queue (q_low)

# DNS
#
pass out log on $ext_if inet proto { tcp, udp } from any to any port domain keep state queue (q_hig)
#pass in log on $ext_if inet proto {tcp, udp } from any to ($ext_if) port domain keep state (max 512) queue (q_hig)
pass in log on $ext_if inet proto {tcp, udp } from any to any port domain keep state (max 512) queue (q_hig)

# ssh
pass log inet proto tcp from any to any port ssh flags S/SA keep state (max 1024, max-src-conn 15, max-src-conn-rate 5/3, tcp.first 10, tcp.opening 10, overload <bruteforce> flush global) queue (q_hig, q_max)

# ===========================================================================
#
# antispoof
#
# ===========================================================================
#
antispoof for $ext_if
antispoof for $int_if
antispoof for $unfiltered
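Added example (not part of the original post, and not pftpx's or FreeBSD's code): a small Python script that reads the two kinds of output quoted in the message above, the pftpx debug log and the ftp(1) transcript, and names the data-channel failure each one shows. The security-relevant detail it encodes: "425 Security: Bad IP connecting." is vsftpd's reply when the passive data connection arrives from an address other than the control connection's peer, and the pftpx log shows the proxy rewriting the server's passive port (30018) to one of its own (59677), so the client's data connection is translated by the gateway and must leave it from the same external address as the control connection. The ftp.de case is different: ftp(1) could not use the passive port it was given, silently fell back to EPRT (hence "200 EPRT command successful"), and the server's connection back to the client never arrived ("poll timeout waiting before accept"). The sample inputs in the script are abridged copies of the post's output; the label names, the DataChannel structure and the helper functions are this example's own.

```python
#!/usr/bin/env python3
"""Name the FTP data-channel failure behind a pf/pftpx gateway from pftpx debug
output or an ftp(1) transcript. Added example for this thread, not code from the
post or from pftpx; the sample input below is abridged from the post's output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# pftpx -d output: "<syslog ts> <host> pftpx[<pid>]: #<session> <who>: <text>"
PFTPX_RE = re.compile(
    r"pftpx\[\d+\]: #(?P<sess>\d+) (?P<who>client|server|proxy): (?P<text>.*)$")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||<port>|)"
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
REPLY_RE = re.compile(r"^\d{3}[ -]")
# vsftpd's reply when the passive data connection does not come from the same
# address as the control connection (its data-connection security check).
BAD_IP = "425 Security: Bad IP connecting."


@dataclass
class DataChannel:
    """What the control connection reveals about one data channel."""
    server_pasv_port: Optional[int] = None      # port the real server opened
    advertised_pasv_port: Optional[int] = None  # port the client was told (pftpx rewrite)
    active_fallback: bool = False               # "200 EPRT ..." after an EPSV attempt
    replies: List[str] = field(default_factory=list)  # server replies after the setup
    client_error: Optional[str] = None          # first "ftp: ..." line printed by ftp(1)

    def setup_seen(self) -> bool:
        return bool(self.server_pasv_port or self.advertised_pasv_port or self.active_fallback)


def _strip_cr(text: str) -> str:
    """pftpx logs the raw line; the post shows its trailing CR as a literal '^M'."""
    text = text.rstrip("\r\n")
    return text[:-2] if text.endswith("^M") else text


def _feed(ch: DataChannel, who: str, text: str) -> None:
    """Update ch with one protocol line from the server or the proxy."""
    if who == "client" or not REPLY_RE.match(text):
        return                      # client commands and banners carry nothing we need
    m = EPSV_RE.match(text)
    if m and who == "server":
        ch.server_pasv_port = int(m.group(1))
    elif m:                         # proxy rewrite, i.e. what the client actually sees
        ch.advertised_pasv_port = int(m.group(1))
    elif text.startswith("200 EPRT"):
        ch.active_fallback = True
    if not m and ch.setup_seen():
        ch.replies.append(text)


def parse_pftpx(lines) -> Dict[str, DataChannel]:
    """Group pftpx debug lines by session number."""
    sessions: Dict[str, DataChannel] = {}
    for raw in lines:
        m = PFTPX_RE.search(raw)    # "#1 accepted connection from ..." has no <who>: skipped
        if m:
            _feed(sessions.setdefault(m["sess"], DataChannel()), m["who"], _strip_cr(m["text"]))
    return sessions


def parse_ftp_transcript(lines) -> DataChannel:
    """A plain ftp(1) session: numeric lines are what the client was told (the proxy's
    view when pftpx is in the path); 'ftp:' lines are the client's own errors."""
    ch = DataChannel()
    for raw in lines:
        text = raw.strip()
        if text.startswith("ftp: ") and ch.client_error is None:
            ch.client_error = text[5:]
        else:
            _feed(ch, "proxy", text)
    return ch


def diagnose(ch: DataChannel) -> str:
    """Return OK, PASV_SOURCE_ADDR_REJECTED, ACTIVE_CALLBACK_TIMEOUT or UNKNOWN."""
    if any(r.startswith(BAD_IP) for r in ch.replies):
        # The data connection reached the server from a different address than the
        # control connection: through pftpx, the gateway translated it to another IP.
        return "PASV_SOURCE_ADDR_REJECTED"
    if ch.active_fallback and (ch.client_error or "").startswith("poll timeout"):
        # ftp(1) could not use the passive port it was given, fell back to EPRT, and
        # the server's connection back to the client never came through the firewall.
        return "ACTIVE_CALLBACK_TIMEOUT"
    if any(r.startswith("226") for r in ch.replies):
        return "OK"
    return "UNKNOWN"


# Constructed samples: abridged from the output quoted in the post.
PFTPX_LOG = """\
Jul 25 22:50:13 amanzi pftpx[92813]: #1 accepted connection from 10.0.100.150
Jul 25 22:50:13 amanzi pftpx[92813]: #1 server: 220 Welcome to freebsd.isc.org.^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 client: EPSV^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 server: 229 Entering Extended Passive Mode (|||30018|)^M
Jul 25 22:50:17 amanzi pftpx[92813]: #1 proxy: 229 Entering Extended Passive Mode (|||59677|)^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 client: LIST^M
Jul 25 22:50:18 amanzi pftpx[92813]: #1 server: 425 Security: Bad IP connecting.^M
"""
FTP_DE_TRANSCRIPT = """\
ftp> ls
229 Entering Extended Passive Mode (|||35507|)
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
ftp: poll timeout waiting before accept: Operation timed out
426 Failure writing network stream.
221 Goodbye.
"""

if __name__ == "__main__":
    for sess, ch in parse_pftpx(PFTPX_LOG.splitlines()).items():
        print(sess, diagnose(ch), ch.server_pasv_port, ch.advertised_pasv_port)
    print(diagnose(parse_ftp_transcript(FTP_DE_TRANSCRIPT.splitlines())))
```

Run it against a full `pftpx -d` log (one DataChannel per session) to separate the sites that reject the translated data connection from the ones where the active-mode callback is what gets blocked; the two need different fixes on the gateway, so knowing which one a given mirror hits is the first step.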
