From: Subscriber
Date: Thu, 21 Oct 2010 17:17:39 +0300
To: freebsd-pf@freebsd.org
Subject: Ftp + pf + Two ISP ---> no luck

Hi All.

First of all, sorry for my bad English.

I have a problem with two ISPs and an FTP service on a FreeBSD box. For a few days I have tried to resolve the problem, but no luck. Googling does not help me either. My brain will soon blow up. So… please help me.

I want my FTP service to be accessible from ISP1 and ISP2. I can log in to my FTP server from outside, but when I try to download files, or open folders with a big number of files, my server "freezes" and the download never happens.

Sometimes the FTP server "unfreezes" for a very short time; at this moment:

load averages:  9.24,  2.69,  1.18
36 processes:  7 running, 29 sleeping
CPU:  0.0% user,  0.0% nice,  0.0% system, 99.9% interrupt,  0.1% idle
Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
Swap: 512M Total, 32K Used, 512M Free

In the FTP server logs (vsftpd) I see the following:

======= start cut of log =====================
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "PASV"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "227 Entering Passive Mode (xxx,xxx,xxx,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "RETR Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "150 Opening BINARY mode data connection for Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728 bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "ip_was_replaced", "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe", 33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "????ABOR"
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "225 No transfer to ABOR."
and so on...
======= end cut of log =======================

About my system:

# uname -rsm
FreeBSD 8.1-RELEASE i386

FTP servers in passive mode:
vsftpd-2.3.2 (listens on port 21)
proftpd-1.3.3a (listens on port 2121)

pf as firewall, kernel compiled with:

device pf
device pflog
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC

My pf.conf:

======= start of pf.conf =====================
# macros
# internal interface
int_if = "fxp0"
ext_if = "{ fxp1, fxp2 }"
# interface to isp1 and isp2
ext_if1 = "fxp1"
ext_if2 = "fxp2"
# gateway for isp1 and isp2
ext_gw1 = "xxx.xxx.xxx.129"
ext_gw2 = "xxx.xxx.xxx.3"
# ftp ports
ftp_serv = "{ 21, 2121, 50000:50100 }"
icmp_types = "{ echoreq }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
               10.0.0.0/8 }"
ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"

# options
set block-policy drop
#set loginterface $ext_if

# scrub
scrub in all

# nat
nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)

# filter rules
block all
block in quick on $ext_if inet proto udp from any port 137:139 \
    to any port 137:139
block log on $ext_if all
pass quick on lo0 all
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

pass out on $ext_if1 inet from $ext_if1 to any
pass out on $ext_if2 inet from $ext_if2 to any
pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state

# icmp rules
pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
    proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
pass out quick inet proto icmp all keep state

# for local network out
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# ftp service
pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state
pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if2) \
    port $ftp_serv flags S/SA keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state
======= end of pf.conf =======================

If I replace the rule

pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

with

pass in on $ext_if1 inet \
    proto tcp from $ftp_allowed_ip to ($ext_if1) \
    port $ftp_serv flags S/SA keep state

then the FTP server is accessible from ISP1, but not from ISP2.

-- 
Best regards,
Subscriber
mailto:ml-lists@agoris.net.ua
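An added example (not part of the mail above) for checking the one thing the log lets you verify offline before suspecting routing: whether every passive data port vsftpd advertises in its "227 Entering Passive Mode" reply falls inside the range the pf macro ftp_serv permits (50000:50100), and which of those sessions then logged a transfer failure. In the poster's log, (…,195,80) decodes to 195*256+80 = 50000, so that transfer was allowed by pf and failed anyway; the second session in the constructed sample below is invented to show the mismatch case. The log lines and client addresses are constructed, not taken from the mail.

```python
"""Correlate vsftpd PASV replies with the firewall's passive port range.

Added example; the log text below is constructed to mirror the vsftpd
format in the mail, with client/server addresses replaced by 192.0.2.x.
"""
import re

# Passive range from the poster's pf macro: ftp_serv = "{ 21, 2121, 50000:50100 }"
PF_PASV_RANGE = (50000, 50100)

PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PID_RE = re.compile(r"\[pid (\d+)\]")

# Constructed sample: session 92431 mirrors the mail (port 50000, then 426/FAIL);
# session 92500 advertises port 60000, outside the pf range.
SAMPLE_LOG = """\
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "192.0.2.10", "227 Entering Passive Mode (192,0,2,136,195,80)."
Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "192.0.2.10", "150 Opening BINARY mode data connection for file.exe (1235728 bytes)."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "192.0.2.10", "426 Failure writing network stream."
Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "192.0.2.10", "/pub/file.exe", 33580 bytes, 0.86Kbyte/sec
Thu Oct 21 16:20:00 2010 [pid 92500] [ftpusr] FTP response: Client "192.0.2.11", "227 Entering Passive Mode (192,0,2,136,234,96)."
Thu Oct 21 16:20:05 2010 [pid 92500] [ftpusr] FAIL DOWNLOAD: Client "192.0.2.11", "/pub/other.exe", 0 bytes, 0.00Kbyte/sec
"""


def pasv_port(h1, h2, h3, h4, p1, p2):
    """RFC 959 PASV reply: the data port is p1*256 + p2 (h1..h4 is the address)."""
    return int(p1) * 256 + int(p2)


def analyze(log_text, pasv_range=PF_PASV_RANGE):
    """Return one dict per vsftpd session (keyed by pid) with the advertised
    data port, whether pf's range would pass it, and whether the session
    later logged a 426 reply or a FAIL DOWNLOAD line."""
    lo, hi = pasv_range
    sessions = {}
    for line in log_text.splitlines():
        m_pid = PID_RE.search(line)
        if not m_pid:
            continue
        pid = m_pid.group(1)
        m_pasv = PASV_RE.search(line)
        if m_pasv:
            port = pasv_port(*m_pasv.groups())
            sessions[pid] = {"pid": pid, "port": port,
                             "allowed_by_pf": lo <= port <= hi, "failed": False}
        elif ("FAIL DOWNLOAD" in line or '"426 ' in line) and pid in sessions:
            sessions[pid]["failed"] = True
    return list(sessions.values())


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        print(s)
```

A session that failed while its port was allowed by pf points away from the port range and toward the path the data connection's replies take; a port outside the range points at the server's passive-range setting instead.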