Date: Tue, 9 Oct 2012 17:16:52 -0700 (PDT) From: Duckbreath <duckbreath@yahoo.com> To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: P w/ ftp-proxy, using both active/passive FTP Message-ID: <1349828212.549.YahooMailNeo@web122903.mail.ne1.yahoo.com>
My goal is to get my FTP server working for both passive and active type FTP connections with the following conditions:

1) Running PF firewall on a FreeBSD machine, which is also the FTP machine.
2) Without opening up all ports > 1024 (or any upper-swath of ports), except where this occurs dynamically.

I have chosen to take an ftp-proxy based solution. I'm also limited to 1 box here, so ftp-proxy is running on the same machine as the target FTP server, although I understand it is typically used in a gateway/forwarding situation.

After a lot of playing around with my firewall rules, I've ended up in a mutually exclusive situation. With this line:

    rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

PASSIVE FTP WORKS!! Yay!!!! Woooo *cheering in background*. But.... Active fails.

If I comment it out, in this fashion:

    #rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

ACTIVE FTP WORKS!! Yay!!!! Wooooo *cheering in background*. But..... Passive fails.

I would also like to mention that just commenting it out and restarting the firewall is all I did. The ftp-proxy server process is still running. Also, both tests were from the same host, using the same ftp program, with only the active/passive settings on the ftp client changed appropriately for each respective test; all other settings identical.

So I took a look at the handbook, which claimed I need to understand active/passive better (although I thought I already did... funny how that works?) - and the handbook linked the site http://slacksite.com/other/ftp.html

Here I got this awesome description from slacksite:

"In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20."
So my first assumption was, "Either I can't connect to the client's local port, or my firewall isn't letting anything out on port 20." I look at the rules... hmm, don't think so. I just open up everything and try anyway, try ftp-proxy with & without the "-r" option, and no dice. Same situation for both tests. Nothing changes. Examples of what I put in:

    pass in quick on $std_int proto tcp from any to any
    pass out quick on $std_int proto tcp from any to any

below the rdr directive (which is required by pf.conf ordering).

Then I have a Face Palm.... exactly what did any of that have to do with it working when the rule was commented out? Absolutely nothing, that's what! I feel like such an idiot!!

Ok.. so what does that rule mean? Let's revisit the rule:

    rdr pass on $std_int proto tcp from any to $std_int port 21 -> 127.0.0.1 port 8021

So all traffic on port 21, either in or out, goes to localhost 8021. Hmmmm. The rule failed when I tried to specify 'in' or 'out' on the rdr directive. I don't think pf works rdr that way.

My only logical conclusion is FTP has become stubborn and is using Active mode on port 21, and not 20, for whatever reason. The connection starts to succeed, but then the ACK packet from the client of course gets redirected to 8021, and the active connection being attempted from 21 misses it, resulting in a "half-open" connection, thus causing the FTP data channel to fail. It is the only possible explanation I can come up with, yet that is not in accordance with what I know about FTP behavior (i.e., according to slacksite's description). Somewhere between convention and the IETF, I think I got lost.

Does anyone know how to get passive + active both working with the stated goals of using PF w/ ftp-proxy?

If this question is outside the scope of this list but better suited to be asked on freebsd-pf, apologies in advance. Since the question is not about the development of the firewall itself, I thought it appropriate to ask here.
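As an added illustration (not the poster's code, and not ftp-proxy's), here is what a control-channel-inspecting proxy has to extract from the conversation in order to open data ports "dynamically" as the poster wants, rather than opening all ports > 1024: the client's PORT endpoint in active mode and the server's 227 endpoint in passive mode, both encoded as h1,h2,h3,h4,p1,p2 per RFC 959. The addresses are constructed documentation values, and the refusal of a PORT that names a third host (an FTP bounce) is the check I would expect any such proxy to apply.

```python
import re

# RFC 959 carries a data-channel endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_endpoint(fields):
    """Turn the six decimal fields into ('a.b.c.d', port), rejecting out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port

def data_channel_rule(client_ip, server_ip, line):
    """Derive the single dynamic data-channel flow to allow for one control-channel line.
    Returns (mode, src_ip, dst_ip, dst_port), or None when the line names no endpoint.
    Active: the server connects out (from its port 20) to the client's PORT endpoint.
    Passive: the client connects in to the endpoint the server announces in its 227 reply."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_endpoint(m.groups())
        # Only ever punch a hole back to the control-channel peer itself; a PORT
        # naming some other host is the classic FTP bounce and must be refused.
        if ip != client_ip:
            raise ValueError("PORT %s does not match control peer %s" % (ip, client_ip))
        if port < 1024:
            raise ValueError("refusing privileged client data port %d" % port)
        return ("active", server_ip, ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_endpoint(m.groups())
        if ip != server_ip:
            raise ValueError("227 endpoint %s does not match server %s" % (ip, server_ip))
        return ("passive", client_ip, ip, port)
    return None

def session_rules(client_ip, server_ip, lines):
    """Collect the pinholes for a whole control-channel exchange, skipping endpoint-free lines."""
    return [r for r in (data_channel_rule(client_ip, server_ip, ln) for ln in lines) if r]

# Constructed sample exchange (documentation addresses, not the poster's network).
SAMPLE_LINES = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",                         # active: client listens on 50000
    "227 Entering Passive Mode (198,51,100,5,4,1).",  # passive: server listens on 1025
]
```

Each returned tuple is exactly one flow a firewall rule would need to permit for the life of that transfer; everything else in the > 1024 range can stay closed.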
Date: Tue, 9 Oct 2012 18:55:28 -0700 From: Joseph Olatt <joji@eskimo.com> To: freebsd-questions@freebsd.org Subject: freebsd-texlive port Message-ID: <20121010015528.GA29059@shellx.eskimo.com>

Hi,

According to: http://code.google.com/p/freebsd-texlive I got the impression that the texlive is now available in the ports. My understanding was that we no longer need to use portshaker(8). I've updated svn of ports to r305607 and I still don't see texlive* in /usr/ports/print or anywhere in /usr/ports.

I'm running: FreeBSD 9.0 STABLE i386

Can any TeX Live / LaTeX users on the list shed some light?

Thanks
