From owner-freebsd-questions@FreeBSD.ORG Mon Oct 6 18:50:32 2008
Date: Mon, 6 Oct 2008 08:45:40 -0700
From: Jeremy Chadwick
To: "Michael K. Smith - Adhost"
Cc: questions@freebsd.org
Subject: Re: Problem with Passive FTP through PF
Message-ID: <20081006154540.GA24585@icarus.home.lan>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604BE2EC8@ad-exh01.adhost.lan>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Mon, Oct 06, 2008 at 08:00:11AM -0700, Michael K. Smith - Adhost wrote:
> Hello All:
>
> We are running the following:
> - FreeBSD 6.3 Release #1
> - PF
> - pftpx for our ftp proxy
>
> We have several ftp servers of different flavors behind the PF firewalls and we are getting a lot of the following when users are trying to connect using passive mode.
>
> "Server sent passive reply with unroutable address"
>
> We're running pftpx as a daemon with no specific flags. From a ps:
>
> proxy 4845 0.0 0.0 1452 1100 ?? Is 27Sep08 0:02.13 /usr/local/sbin/pftpx
>
> Here is a sample of the rules we are using to allow traffic and to proxy. The server macros are defined and working correctly. Any help would be greatly appreciated.
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext0 port { 80 443 2087 2083 ftp 49152:65535 } -> $f1_cps01_int0 sticky-address
> rdr on ! $vlan10_if proto { udp tcp } from any to $f1_cps01_ext1 port { 80 443 ftp 49152:65535 } -> $f1_cps01_int1 sticky-address

I can't help you with regards to the "rdr" rules, as I'm still fairly unfamiliar with redirecting packets around, but with regards to actual firewall rules, these are what we use on our RELENG_6 boxes.
(On RELENG_7, you can use the same thing, but remove the "flags S/SA keep state" portion -- it's implicit.)

# Punch holes for FTP. The rule looks complex, so here it is explained:
# - Make sure pass rule only applies to the XXXXX IP (ftp.server.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if proto tcp from any to XXXXX port { ftp, 49152:65535 } flags S/SA keep state

Hope this helps, particularly the comments in our pf.conf.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
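The error quoted in the thread ("Server sent passive reply with unroutable address") comes from the client side: the FTP server behind the PF box answers PASV with the address of its own interface, and if the proxy does not rewrite that reply the client sees a private (RFC 1918) address it cannot reach. The script below is an added example, not code from either poster; it parses a 227 reply the way a client does, flags the unroutable case, and also checks that the advertised data port falls inside the 49152-65535 range that the pass rule above opens. The sample replies and the control-connection peer address are constructed for the example.

```python
"""Added example: classify FTP '227 Entering Passive Mode' replies.

A PASV reply encodes the data-connection endpoint as six decimal bytes:
(h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256 + p2.
"""
import ipaddress
import re

# Data-port range from the pass rule in the post (ftpd(8) default range).
PASSIVE_PORT_RANGE = (49152, 65535)

# Address ranges a client on the public Internet cannot reach; an FTP server
# behind NAT advertises one of these when nothing rewrites its PASV reply.
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "0.0.0.0/8",                                       # "this" network
)]

PASV_RE = re.compile(
    r"227\s.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_unroutable(ip: str) -> bool:
    """True if ip lies in a range a remote client cannot route to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE_NETS)


def check_pasv(reply: str, control_peer: str):
    """Classify a PASV reply as a client (or a firewall admin) would.

    control_peer is the public address the client connected to on port 21.
    Returns (ok, reason, ip, port).
    """
    ip, port = parse_pasv(reply)
    if is_unroutable(ip):
        return (False,
                "unroutable address %s in PASV reply: server behind NAT and "
                "the proxy is not rewriting the reply" % ip, ip, port)
    if ip != control_peer:
        return (False,
                "PASV address %s differs from control peer %s" % (ip, control_peer),
                ip, port)
    lo, hi = PASSIVE_PORT_RANGE
    if not lo <= port <= hi:
        return (False,
                "data port %d is outside the firewall pass range %d-%d"
                % (port, lo, hi), ip, port)
    return (True, "ok", ip, port)


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 stands in for the public address.
    peer = "203.0.113.10"
    samples = [
        "227 Entering Passive Mode (192,168,10,5,200,10)",   # private address leaks
        "227 Entering Passive Mode (203,0,113,10,200,10)",   # rewritten correctly
        "227 Entering Passive Mode (203,0,113,10,4,1)",      # port 1025, blocked by pf
    ]
    for s in samples:
        ok, reason, ip, port = check_pasv(s, peer)
        print("%-48s -> %s:%d %s" % (s, ip, port, "OK" if ok else "FAIL: " + reason))
```

Running it against the three constructed replies shows the failure the original poster reports (the first sample), the result the proxy is supposed to produce (the second), and a third case the pass rule would silently drop because the data port is below 49152; that last check is worth keeping in mind if the server's passive port range is ever changed away from the ftpd(8) default.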