From: "Dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Tue, 10 Apr 2007 21:08:08 -0400
Subject: issues with ftp from windows
Message-ID: <000301c77bd5$ded6ad50$0200a8c0@satellite>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I'm having issues with getting ftp to work on Windows boxes, specifically XP SP2, protected by a pf firewall. I'm running pftpx on FreeBSD 6.2. Unix clients can ftp fine; I do have occasional issues with not being able to list directory contents, but overall it works fine. With Windows clients I get a "cannot find file" message every time. I've tried both active and passive mode in Explorer (IE6, to be specific), no good.
Here are the relevant portions of my config:

    # define the two network interfaces
    ext_if = "rl0"
    int_if = "xl0"

    # gateway ftp, user restricted passive or active
    # I had to do this so that the firewall box could ftp
    ftp_users="{root, proxy}"

    scrub all reassemble tcp no-df random-id max-mss 1400

    nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
    nat-anchor "pftpx/*"
    rdr-anchor "pftpx/*"
    rdr pass on $int_if inet proto tcp from 192.168.1.0/24 to any port ftp -> 127.0.0.1 port 8021

    block log all

    anchor "pftpx/*"
    pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { ftp-data, ftp } keep state
    pass in quick on $int_if inet proto tcp from 192.168.1.0/24 to any port { ftp-data, ftp } keep state

    # These were also needed to allow ftp from the router
    # Allow ftp control and passive data connections outbound
    pass quick inet proto tcp from ($ext_if) to any user proxy keep state
    # Allow ftp active data connections inbound
    pass quick inet proto tcp from any to ($ext_if) user proxy keep state
    # Passive mode connection?
    pass quick inet proto tcp from port 20 to any user proxy keep state
    # For FTP servers that violate RFC 959?
    pass quick inet proto tcp from any to $int_if user proxy keep state

I've tried doing a tcpdump on the pflog0 interface while a Windows box is trying to ftp; I'm not getting any output at all. Trying the same command on the internal interface of the router floods me with ARP, and again I see nothing useful.

Any help appreciated.
Thanks.
Dave.
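The active/passive negotiation the post is troubleshooting, as an added example that is not part of the original message and is not pftpx's code: it decodes the data-connection endpoint from each PORT command (active mode, client listens) and each 227 reply (passive mode, server listens) in a constructed FTP control-channel transcript, and flags the case that breaks behind NAT, a client on the 192.168.1.0/24 side announcing its private address in PORT, which the proxy must rewrite before the server sees it. The transcript, the addresses in it and the helper names are all constructed for this example.

```python
"""Decode the data-connection endpoints an FTP session negotiates.

Added example, not code from the list post or from pftpx. RFC 959 carries
host and port as six comma-separated byte fields (h1,h2,h3,h4,p1,p2);
port = p1*256 + p2. An FTP proxy behind NAT must read exactly these fields
to open the right data connection and rewrite private addresses.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT command sent by the client (active mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# 227 reply sent by the server (passive mode).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Addresses that are not routable from the far side of a NAT gateway.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class DataEndpoint:
    mode: str      # "active" (client listens) or "passive" (server listens)
    host: str      # dotted-quad address carried in the command or reply
    port: int      # port derived from the two trailing byte fields
    line_no: int   # position in the transcript, for reporting

    @property
    def needs_rewrite(self) -> bool:
        """True when the announced address is private and the peer across
        NAT could not connect to it as given (the proxy must substitute
        its own external address and port)."""
        addr = ipaddress.ip_address(self.host)
        return any(addr in net for net in NON_ROUTABLE)


def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six RFC 959 byte fields into (host, port), rejecting junk."""
    values = [int(f) for f in fields]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"byte field out of range: {fields}")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str, line_no: int = 0) -> Optional[DataEndpoint]:
    """Return a DataEndpoint if the line negotiates a data connection."""
    text = line.strip()
    # Constructed transcript lines carry a "C: " / "S: " direction prefix.
    if text[:3] in ("C: ", "S: "):
        text = text[3:]
    m = PORT_RE.match(text)
    if m:
        host, port = decode_hostport(m.groups())
        return DataEndpoint("active", host, port, line_no)
    m = PASV_RE.match(text)
    if m:
        host, port = decode_hostport(m.groups())
        return DataEndpoint("passive", host, port, line_no)
    return None


def find_data_endpoints(session: str) -> List[DataEndpoint]:
    """Scan a whole control-channel transcript for negotiated endpoints."""
    found = []
    for n, line in enumerate(session.splitlines(), 1):
        ep = parse_control_line(line, n)
        if ep is not None:
            found.append(ep)
    return found


def describe(ep: DataEndpoint) -> str:
    """One-line verdict a firewall admin can act on."""
    who = "client" if ep.mode == "active" else "server"
    verdict = ("private address, proxy must rewrite it"
               if ep.needs_rewrite else "reachable as announced")
    return f"line {ep.line_no}: {ep.mode} mode, {who} listens on {ep.host}:{ep.port} ({verdict})"


# Constructed session: one active-mode listing, then one passive-mode retrieval.
SAMPLE_SESSION = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: PORT 192,168,1,20,4,1
S: 200 PORT command successful.
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80).
C: RETR file.txt
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
C: QUIT
"""

if __name__ == "__main__":
    for endpoint in find_data_endpoints(SAMPLE_SESSION):
        print(describe(endpoint))
```

Run against the constructed transcript it reports the active-mode PORT as 192.168.1.20:1025, a private address that only works because pftpx rewrites it on the way out, and the passive-mode reply as 203.0.113.10:50000, which the gateway can reach directly. The same parsing is what a proxy or a pf rule generator has to get right for every session, and it is why an FTP proxy, rather than a static rule set, is needed in front of NATed clients.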