From owner-freebsd-isp@FreeBSD.ORG Wed Jul 21 10:50:11 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1501116A4D1 for ; Wed, 21 Jul 2004 10:50:11 +0000 (GMT)
Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.206]) by mx1.FreeBSD.org (Postfix) with SMTP id E40FC43D4C for ; Wed, 21 Jul 2004 10:50:05 +0000 (GMT) (envelope-from davehart@gmail.com)
Received: by mproxy.gmail.com with SMTP id 73so730166rne for ; Wed, 21 Jul 2004 03:50:05 -0700 (PDT)
Received: by 10.38.209.56 with SMTP id h56mr722618rng; Wed, 21 Jul 2004 03:50:05 -0700 (PDT)
Message-ID: <85d954180407210350ba2a50e@mail.gmail.com>
Date: Wed, 21 Jul 2004 10:50:05 +0000
From: Dave Hart
To: freebsd-isp@freebsd.org
In-Reply-To: <00c001c46e73$aa853ed0$65c45741@don>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <00c001c46e73$aa853ed0$65c45741@don>
cc: davehart@davehart.com
cc: CPU Customer Support
Subject: Re: bridging firewall => proftpd issue.
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 21 Jul 2004 10:50:11 -0000

CPU Customer Support wrote:

[...]

> Bridging firewall running FreeBSD 4.9 compiled for the security branch,
> and IPFW. It seems that just as I installed this firewall, a customer
> is no longer able to ftp into our main Redhat machine.

[...]

> It looks at first like a passive/active issue, but, I've
> opened the appropriate ports on the firewall, and even assigned the
> passive ports in Proftpd. He has tried passive and active modes both,
> with the same results. Mind you all other customers do not have any
> issues.
>
> Session Transcript:
>
> Jul 19 17:24:04 host04 proftpd[32507]: cpu-net.com
> (70-240-21-3.ded.swbell.net[70.240.21.3]) - Refused PORT
> 192,168,100,3,8,118 (address mismatch)
> Jul 19 17:24:13 host04 proftpd[32507]: cpu-net.com
> (70-240-21-3.ded.swbell.net[70.240.21.3]) - FTP session closed.

It does as you say look like an active/passive issue, as you put it, or
as I like to put it, an example of how people installing NATs break
end-to-end connectivity. Curious, then, that you only supply logs of an
active attempt, which is bound to fail with the previously-noted
192.168.100.3:118 address in the PORT command.

> The ip range that he's coming from was just recently issued by SBC
> recently. I've also tried opening all ports and ips to this ip address
> for him. To no avail.
>
> The customer did not have any issues prior to installing the Freebsd
> firewall/bridge. He was also using the current ip address prior as
> well.

OK, I find this interesting. I'm a dirty bastard so I happened to
remember that 69.0.0.0/8 was recently allocated, so I dug and verified
70.0.0.0/8 is also newly assigned. It was a "bogon" until 15 January
2004.

http://www.apnic.net/mailing-lists/apops/archive/2004/01/msg00007.html

Perhaps some piece of equipment along the path is attempting to filter
bogons and not being kept up to date with IP allocations. Maybe not,
but since the IPs are so green I thought I should toss it out there
even with the apparently obvious NAT-sucks-by-design FTP PORT problem.

Cheers,
Dave Hart
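The "Refused PORT ... (address mismatch)" line in the quoted log is the server refusing to open a data connection to an address other than the one the control connection came from: the client, sitting behind a NAT, announced its private address 192.168.100.3 in the PORT command, and the port fields 8,118 encode 8*256+118 = 2166. Below is an added worked example, not code from this thread or from proftpd, that parses a PORT argument, applies that same address-must-match-peer policy (which is also the standard defence against FTP bounce), and runs a small log-line check over the quoted proftpd line to label the mismatch as the NAT symptom. The function names, the regex and the sample line assembled from the quote are my own; the log format is taken only from what the thread shows.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PortCommand:
    """Decoded FTP PORT argument: where the client asks the server to connect for data."""
    host: ipaddress.IPv4Address
    port: int


def parse_port_command(arg: str) -> PortCommand:
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959); the data port is p1*256 + p2."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"PORT needs 6 comma-separated fields, got {len(fields)}: {arg!r}")
    try:
        nums = [int(f) for f in fields]
    except ValueError as exc:
        raise ValueError(f"PORT fields must be decimal integers: {arg!r}") from exc
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"PORT fields must be in 0..255: {arg!r}")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return PortCommand(host, nums[4] * 256 + nums[5])


def check_port_command(arg: str, control_peer: str) -> Tuple[bool, str]:
    """Server-side policy for PORT, modelled on what the quoted log line implies (my
    reconstruction, not proftpd's code): the data address must equal the control
    connection's peer, which rejects both NAT-confused clients and FTP bounce requests,
    and ports below 1024 are refused so the server cannot be pointed at privileged services."""
    try:
        cmd = parse_port_command(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    peer = ipaddress.IPv4Address(control_peer)
    if cmd.host != peer:
        return False, f"Refused PORT {arg} (address mismatch: peer {peer}, requested {cmd.host})"
    if cmd.port < 1024:
        return False, f"Refused PORT {arg} (privileged port {cmd.port})"
    return True, f"Accepted PORT {arg}: data connection to {cmd.host}:{cmd.port}"


# Matches the shape of the proftpd line quoted in the thread; the regex is mine.
_REFUSED_RE = re.compile(
    r"\[(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\]\) - Refused PORT "
    r"(?P<arg>\d{1,3}(?:,\d{1,3}){5}) \((?P<reason>[^)]*)\)"
)


def explain_refused_port(log_line: str) -> Optional[Dict[str, object]]:
    """Extract peer and PORT argument from a 'Refused PORT' line and flag the classic NAT
    symptom: a public peer offering an RFC 1918 address. Returns None for other lines."""
    m = _REFUSED_RE.search(log_line)
    if m is None:
        return None
    peer = ipaddress.IPv4Address(m.group("peer"))
    cmd = parse_port_command(m.group("arg"))
    nat_symptom = cmd.host.is_private and not peer.is_private
    return {
        "peer": str(peer),
        "requested_host": str(cmd.host),
        "requested_port": cmd.port,
        "reason": m.group("reason"),
        "nat_symptom": nat_symptom,
        "advice": ("client is behind NAT and announced its internal address; "
                   "use passive mode or an FTP-aware NAT" if nat_symptom
                   else "mismatch not explained by NAT; review as a possible bounce attempt"),
    }


if __name__ == "__main__":
    # Sample line assembled from the quote in the thread (wrapped there across three lines).
    LINE = ("Jul 19 17:24:04 host04 proftpd[32507]: cpu-net.com "
            "(70-240-21-3.ded.swbell.net[70.240.21.3]) - Refused PORT "
            "192,168,100,3,8,118 (address mismatch)")
    print(explain_refused_port(LINE))
    print(check_port_command("192,168,100,3,8,118", "70.240.21.3"))
    print(check_port_command("70,240,21,3,8,118", "70.240.21.3"))
```

Run stand-alone it reports the quoted refusal as a NAT symptom (private 192.168.100.3 announced by public peer 70.240.21.3, data port 2166), shows the same PORT being refused by the policy check, and shows a PORT carrying the peer's own address being accepted. In practice the fix is on the client side or its NAT (passive mode, or a NAT that rewrites PORT), which matches the thread's diagnosis; the server-side refusal itself is the correct behaviour and should stay.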