From: "Valentin Bud" <valentin.bud@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 7 May 2008 23:48:47 +0300
Subject: proftpd and pf weirdness

Hello to you all,

Last week I've begun to have problems with a HUAWEI E220 HSDPA modem when connecting to a proftpd server. First thing I want to mention is that the thing I'll describe here only happens when I connect from that modem.

First of all, the topology of the servers:

    ISP----[bridged modem]-----[FreeBSD mpd4+pf]----[FreeBSD proftpd]

The pf rules that redirect traffic to proftpd:

    rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 21 -> $DMZ_HOST port 21
    rdr pass on $EXT_IF proto tcp from any to $EXT_IF port 59000:59100 -> $DMZ_HOST port 59000:59100

DMZ_HOST (192.168.1.2) being the FreeBSD 6.2-RELEASE-p6 box that runs ProFTPD Version 1.3.1. No firewall running on DMZ_HOST.

Here is the relevant output that the server gives when the ftp session is closed:

    12.34.56.78 (213.233.102.254[213.233.102.254]) - Entering Passive Mode (192,168,1,2,230,167).
    12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching POST_CMD command 'PASV' to mod_sql
    12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_sql
    12.34.56.78 (213.233.102.254[213.233.102.254]) - dispatching LOG_CMD command 'PASV' to mod_log
    12.34.56.78 (213.233.102.254[213.233.102.254]) - FTP session closed.

tcpdump output from the [mpd4+pf] box:

    14:04:58.299572 AF IPv4 (2), length 94: 12.34.56.78.21 > 213.233.102.254.40437: P 261:311(50) ack 92 win 65535
        0x0000:  4500 005a be9c 4000 3f06 0f55 597a d74a  E..Z..@.?..UYz.J
        0x0010:  d5e9 66fe 0015 9df5 2ded 1879 01dc 346b  ..f.....-..y..4k
        0x0020:  5018 ffff aea7 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...

    14:04:58.348823 AF IPv4 (2), length 94: 213.233.102.254.40437 > 12.34.56.78.21: R 92:142(50) ack 261 win 65535
        0x0000:  4500 005a be9c 4000 2806 2655 d5e9 66fe  E..Z..@.(.&U..f.
        0x0010:  597a d74a 9df5 0015 01dc 346b 2ded 1879  Yz.J......4k-..y
        0x0020:  5014 ffff aeab 0000 3232 3720 456e 7465  P.......227.Ente
        0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
        0x0040:  6520 2831 3932 2c31 3638 2c31 2c32 2c32  e.(192,168,1,2,2
        0x0050:  3330 2c31 3637 292e 0d0a                 30,167)...

The last snippet from tcpdump shows (as far as I know) that the Huawei modem sends an R and that the server (before that reset) sends the PASV port answer. If I am not right please correct me.

The ppp connection made from the modem receives an IP from the 172.16/12 private class which gets NATed to the 213.* IP from the logs. If it matters, the modem is from Vodafone.

I will attach the proftpd config file.

I think that Vodafone does some check on packets and it doesn't like that the connection to the ftp server passes through the [mpd4+pf] box. Configuring proftpd on the [mpd4+pf] box works like a charm. This is a viable solution but I want to find out what happens.

Any hints to dig further are more than welcome.

Thank you.

PS: the 12.34.56.78 IP is bogus to protect my server's identity, everything else is copy paste from server output.

-- 
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro
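To check the reading of the two tcpdump packets in the mail, here is an added Python decoder (not part of the original post) that parses the hex words as copied from the dump; the one change is that the server's real source address bytes are substituted by the author's 12.34.56.78 placeholder, so the decoded addresses match the anonymised log lines. It extracts the endpoint the 227 reply advertises and compares the second packet field by field against the first.

```python
import ipaddress
import re
import struct

# Hex words of the two packets from the tcpdump in the mail. The server's own
# address (597a d74a in the original) is replaced by 0c22 384e = 12.34.56.78,
# the placeholder the author uses, so the decoded output matches the log lines.
PASV_REPLY = """4500 005a be9c 4000 3f06 0f55 0c22 384e d5e9 66fe 0015 9df5 2ded 1879 01dc 346b
5018 ffff aea7 0000 3232 3720 456e 7465 7269 6e67 2050 6173 7369 7665 204d 6f64
6520 2831 3932 2c31 3638 2c31 2c32 2c32 3330 2c31 3637 292e 0d0a"""
RESET = """4500 005a be9c 4000 2806 2655 d5e9 66fe 0c22 384e 9df5 0015 01dc 346b 2ded 1879
5014 ffff aeab 0000 3232 3720 456e 7465 7269 6e67 2050 6173 7369 7665 204d 6f64
6520 2831 3932 2c31 3638 2c31 2c32 2c32 3330 2c31 3637 292e 0d0a"""
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def decode(dump):
    """Parse one IPv4/TCP packet given as tcpdump -x style hex words."""
    raw = bytes.fromhex("".join(dump.split()))
    vihl, _, tlen, ip_id, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", raw)
    assert proto == 6, "not TCP"
    ihl = (vihl & 0x0F) * 4                       # IPv4 header length in bytes
    sport, dport, seq, ack, off, flags = struct.unpack_from("!HHIIBB", raw, ihl)
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "ttl": ttl, "ip_id": ip_id,
            "flags": {name for bit, name in TCP_FLAGS.items() if flags & bit},
            "payload": raw[ihl + (off >> 4) * 4:tlen]}   # data after the TCP header

def pasv_endpoint(payload):
    """Return (host, port) advertised by a '227 Entering Passive Mode' reply."""
    m = re.search(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def is_reflected_reset(orig, rst):
    """True if rst is orig mirrored back: RST set, endpoints and seq/ack swapped,
    same IP ID and byte-identical payload. A host's own TCP stack never copies
    the peer's data into a RST, so this shape means something in the path built it."""
    return ("RST" in rst["flags"] and (rst["src"], rst["sport"]) == (orig["dst"], orig["dport"])
            and (rst["dst"], rst["dport"]) == (orig["src"], orig["sport"])
            and (rst["seq"], rst["ack"]) == (orig["ack"], orig["seq"])
            and rst["ip_id"] == orig["ip_id"] and rst["payload"] == orig["payload"])

if __name__ == "__main__":
    reply, rst = decode(PASV_REPLY), decode(RESET)
    host, port = pasv_endpoint(reply["payload"])
    print(f"227 reply advertises {host}:{port}, private={ipaddress.ip_address(host).is_private}")
    print(f"second packet: flags={sorted(rst['flags'])} ttl={rst['ttl']} "
          f"reflected copy of the reply={is_reflected_reset(reply, rst)}")
```

Run against the dumps it reports that the 227 reply advertises the private address 192.168.1.2 on port 59047 (inside the redirected 59000:59100 range, but unreachable from the modem side), and that the second packet is an RST+ACK with the same IP ID and the same 50-byte payload as the reply, with addresses, ports, seq and ack swapped.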