Date: Mon, 6 Oct 2008 08:45:40 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: "Michael K. Smith - Adhost" <mksmith@adhost.com>
Cc: questions@freebsd.org
Subject: Re: Problem with Passive FTP through PF
Message-ID: <20081006154540.GA24585@icarus.home.lan>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604BE2EC8@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D52031604BE2EC8@ad-exh01.adhost.lan>
On Mon, Oct 06, 2008 at 08:00:11AM -0700, Michael K. Smith - Adhost wrote:
> Hello All:
>
> We are running the following:
> - FreeBSD 6.3 Release #1
> - PF
> - pftpx for our ftp proxy
>
> We have several ftp servers of different flavors behind the PF firewalls
> and we are getting a lot of the following when users are trying to
> connect using passive mode.
>
> "Server sent passive reply with unroutable address"
>
> We're running pftpx as a daemon with no specific flags. From a ps:
>
> proxy 4845 0.0 0.0 1452 1100 ?? Is 27Sep08 0:02.13 /usr/local/sbin/pftpx
>
> Here is a sample of the rules we are using to allow traffic and to
> proxy. The server macros are defined and working correctly. Any help
> would be greatly appreciated.
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext0 port { 80 443 2087 2083 ftp 49152:65535 } -> $f1_cps01_int0 sticky-address
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext1 port { 80 443 ftp 49152:65535 } -> $f1_cps01_int1 sticky-address

I can't help you with regards to the "rdr" rules, as I'm still fairly
unfamiliar with redirecting packets around, but with regards to actual
firewall rules, these are what we use on our RELENG_6 boxes. (On
RELENG_7, you can use the same thing, but remove the "flags S/SA keep
state" portion -- it's implicit).

# Punch holes for FTP. The rule looks complex, so here it is explained:
# - Make sure pass rule only applies to the XXXXX IP (ftp.server.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if proto tcp from any to XXXXX port { ftp, 49152:65535 } flags S/SA keep state

Hope this helps, particularly the comments in our pf.conf.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
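The error Michael quotes, "Server sent passive reply with unroutable address", is the client's verdict on the server's 227 reply: a server behind NAT that is not proxied (or whose proxy rules do not catch the control connection) advertises its internal address in the PASV tuple, and the client refuses to connect to it. The following is an added example, not code from either poster, that parses a 227 reply the way a client does and reports why a firewall administrator's client would reject it: an RFC 1918 or otherwise unroutable address, an address that does not match the control-connection peer, or a data port outside the 49152:65535 range the pass rule above opens. The sample replies are constructed, and 203.0.113.10 is a documentation-range stand-in for the server's public address, which is why the unroutable check uses an explicit prefix list instead of ipaddress's is_private.

```python
import ipaddress
import re

# Constructed sample replies (not captured from the poster's servers).  The
# first is what a server behind NAT sends when nothing rewrites its PASV
# reply: it advertises its internal RFC 1918 address, which the client
# rejects as "unroutable".  The second is a correctly proxied reply and the
# third advertises a port the firewall's passive range does not allow.
SAMPLE_REPLIES = [
    ("227 Entering Passive Mode (192,168,10,5,200,10)", "203.0.113.10"),
    ("227 Entering Passive Mode (203,0,113,10,200,10)", "203.0.113.10"),
    ("227 Entering Passive Mode (203,0,113,10,4,1)", "203.0.113.10"),
]

# Address ranges a remote client can never reach directly: RFC 1918,
# loopback, link-local and "this network".  Kept as an explicit list rather
# than ipaddress's is_private so that the documentation prefix 203.0.113.0/24,
# used here as the stand-in public address, is not flagged.
UNROUTABLE_NETS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# The (h1,h2,h3,h4,p1,p2) tuple of a 227 reply (RFC 959).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (IPv4Address, port) from a "227 ... (h1,h2,h3,h4,p1,p2)" reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in reply: %r" % reply)
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def is_unroutable(ip):
    """True if a remote client cannot reach ip across the Internet."""
    return any(ip in net for net in UNROUTABLE_NETS)


def check_pasv_reply(reply, control_peer, passive_low=49152, passive_high=65535):
    """Check a PASV reply against what the firewall rules expect.

    control_peer is the public address the client connected to on port 21;
    passive_low/passive_high is the port range the pass/rdr rules open (the
    49152:65535 range from the thread).  Returns the parsed address, port and
    a list of human-readable problems, empty when the reply is acceptable.
    """
    ip, port = parse_pasv_reply(reply)
    problems = []
    if is_unroutable(ip):
        problems.append("unroutable address %s: the proxy did not rewrite the PASV reply" % ip)
    elif ip != ipaddress.IPv4Address(control_peer):
        problems.append("address %s differs from the control-connection peer %s" % (ip, control_peer))
    if not passive_low <= port <= passive_high:
        problems.append("port %d is outside the firewall's passive range %d-%d"
                        % (port, passive_low, passive_high))
    return {"ip": str(ip), "port": port, "problems": problems}


def check_samples():
    """Run the check over the constructed samples; one result per reply."""
    return [check_pasv_reply(reply, peer) for reply, peer in SAMPLE_REPLIES]


if __name__ == "__main__":
    for (reply, _), result in zip(SAMPLE_REPLIES, check_samples()):
        status = "OK" if not result["problems"] else "REJECT"
        print("%-6s %s -> %s:%d" % (status, reply, result["ip"], result["port"]))
        for problem in result["problems"]:
            print("       %s" % problem)
```

Running it prints REJECT for the first and third samples and OK for the second. The same check, pointed at a real server from outside the firewall (the reply is the line the server sends after the client's PASV command), tells you whether the proxy is rewriting the address at all and whether the advertised port falls inside the range the pass rule opens, which separates a pftpx problem from a pf rule problem.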