Date: Wed, 09 Nov 2005 10:50:59 +1100
From: Michael VInce <mv@roq.com>
To: Dave <dmehler26@woh.rr.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: continuing issue with ftp from gateway
Message-ID: <437139E3.2050804@roq.com>
In-Reply-To: <004f01c5e48a$2d0db520$0900a8c0@satellite>
References: <004f01c5e48a$2d0db520$0900a8c0@satellite>
I was having trouble implementing the ftp-proxy daemon as well. I got it working after doing a few things: I upgraded to 6.0 (it's an old U1 Sparc64 Sun Netra), and I discovered from the pf.conf man page that it says "the use of the group and user filter parameter in conjunction with a Giant-free netstack can result in a deadlock. If you have to use group or user you must set debug.mpsafenet to ``0'' from the loader(8), for the moment."

So I set the sysctl correctly, in loader.conf:

debug.mpsafenet="0"

I hacked my firewall rules even more, and it does work. No one can do anything FTP-wise without going through the daemon as user proxy:

# Redirect rules - ftp-proxy
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# FTP all "user proxy" based, no direct connections
pass out quick on tun0 proto tcp from any to any port = 21 user proxy modulate state
pass in quick on $ext_if inet proto tcp from any port = 20 to any user proxy flags S/SA modulate state
pass out quick on tun0 proto tcp from any to any port > 49151 user proxy modulate state

The firewall rules are still a bit dodgy compared to the official examples given for PF, but it's all I need.

Dave wrote:
> Hello,
> I'm still having issues with ftp. I've got a 6.0 machine acting as a
> firewall/gateway for my network of NATed machines. Machines behind the
> gateway can ftp passively just fine, active no. The gateway can't do
> either or. I've run some tcpdump and the block-by-default rule is
> stopping incoming responses from the server.
> Here's what it does:
>
> #tcpdump -ne -i pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:51.364561 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:54.565823 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>
> 10:47:57.764719 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:00.965150 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:04.164963 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:10.365495 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> 10:48:22.566832 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400>
> ^C
> 8 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
>
> My inetd is running ftp-proxy and inetd is listening on 127.0.0.1.
> Here's my inetd.conf entry:
>
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> Here are my ftp entries in pf.conf; ext_if and int_if are my external
> and internal network interfaces, int_net is a macro that says
> $int_if:network, and $tcp_state is another one that says flags
> S/SA modulate state.
> # Redirect lan client FTP requests (to an FTP server's control port 21)
> # to the ftp-proxy running on the firewall host (via inetd on port 8021)
> rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
>
> # Allow remote FTP servers (on data port 20) to respond to the proxy's
> # active FTP requests by contacting it on the port range specified in inetd.conf
> pass in quick on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy $tcp_state
> pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state
>
> # Allow ftp-proxy packets destined to port 20 to exit $ext_if
> # in order to maintain communications with the ftp server
> pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state
>
> # Allow firewall to contact ftp server on behalf of passive ftp client
> pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state
> pass out quick on $ext_if inet proto tcp from $int_net port 55000:57000 to any user proxy $tcp_state
>
> # allow ftp connections from lan to proxy
> pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
> pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state
>
> Any help appreciated.
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
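Added here as an example, not code from either poster: a small Python checker that reads pflog lines in the format of Dave's tcpdump capture and relates each blocked port-20 SYN to the -m/-M range ftp-proxy was given in inetd.conf. It assumes the external address 65.31.43.91 and the 55000-57000 range from the thread, and encodes that pf's "low >< high" excludes both endpoints while "low:high" and ftp-proxy's -m/-M are inclusive.

```python
import re

# Added example, not from the thread: fields of one "tcpdump -ne -i pflog0" line.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return the fields of one pflog line as a dict, or None for other text."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("rule", "sport", "dport")})
    return rec

def pf_port_range_matches(port, low, high, exclusive):
    """pf's 'low >< high' excludes both endpoints; 'low:high' includes them."""
    return low < port < high if exclusive else low <= port <= high

def explain_ftp_block(rec, ext_addr, min_port, max_port, exclusive_range):
    """Relate a logged packet to ftp-proxy's inclusive -m/-M data-port range;
    exclusive_range is True when the pf pass rule was written with '><'."""
    if rec["action"] != "block" or rec["dir"] != "in":
        return "not an inbound block"
    if rec["sport"] != 20:
        return "not active FTP data (source port is not 20)"
    if rec["dst"] != ext_addr:
        return "data SYN is not addressed to the external address"
    if not (min_port <= rec["dport"] <= max_port):
        return "destination port is outside ftp-proxy's -m/-M range"
    if not pf_port_range_matches(rec["dport"], min_port, max_port, exclusive_range):
        return "port is an endpoint of the -m/-M range, which 'low >< high' excludes"
    return "port is inside the range the pass rule covers; check its user and interface options"

# Constructed sample: first line as in Dave's capture, the others made up to
# show an endpoint port and an out-of-range port; non-pflog text is skipped.
SAMPLE_PFLOG = [
    "10:47:48.366148 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55881: S 2366919182:2366919182(0) win 65535 <mss 1400,nop,wscale 2,[|tcp]>",
    "10:49:02.000000 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.55000: S 1:1(0) win 65535 <mss 1400>",
    "10:49:05.000000 rule 0/0(match): block in on rl0: 130.94.149.162.20 > 65.31.43.91.60000: S 2:2(0) win 65535 <mss 1400>",
    "8 packets captured",
]

def analyse(lines, ext_addr="65.31.43.91", min_port=55000, max_port=57000, exclusive_range=True):
    """Return (destination port, explanation) for every pflog line in lines."""
    recs = [r for r in map(parse_pflog_line, lines) if r is not None]
    return [(r["dport"], explain_ftp_block(r, ext_addr, min_port, max_port, exclusive_range)) for r in recs]
```

To use it on a live box, feed the lines of a real "tcpdump -ne -i pflog0" capture to analyse() with your own external address and the -m/-M values from inetd.conf.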