Date: Thu, 21 Oct 2010 16:13:41 -0500
From: Tom Judge <tom@tomjudge.com>
To: Subscriber <ml-lists@agoris.net.ua>
Cc: freebsd-pf@freebsd.org
Subject: Re: Ftp + pf + Two ISP ---> no luck
Message-ID: <4CC0AD05.90607@tomjudge.com>
In-Reply-To: <1942060152.20101021171739@agoris.net.ua>
References: <1942060152.20101021171739@agoris.net.ua>
On 10/21/2010 09:17 AM, Subscriber wrote:
> Hi All.
>
> First of all, sorry for my bad English.
>
> I have a problem with two ISPs and an FTP service on a FreeBSD box. For a
> few days I have tried to resolve the problem, but no luck. Googling does not
> help me either. My brain will soon blow up. So... please help me.
>
> I want my FTP service to be accessible from ISP1 and ISP2. I can
> log in to my FTP from outside, but when I try to download files, or
> open folders with a big number of files, my server "freezes",
> and the download never happens. Sometimes the ftp-server "unfreezes" for a
> very short time; at that moment:
>

You need something like:

pass in on $ext_if1 reply-to ( $ext_if1 $isp1_gw ) inet proto tcp from any to $isp1_ip port 21
pass in on $ext_if2 reply-to ( $ext_if2 $isp2_gw ) inet proto tcp from any to $isp2_ip port 21

And the same for the passive port range you configure in the ftp daemon.

TJ

> load averages: 9.24, 2.69, 1.18
> 36 processes: 7 running, 29 sleeping
> CPU: 0.0% user, 0.0% nice, 0.0% system, 99.9% interrupt, 0.1% idle
> Mem: 24M Active, 350M Inact, 75M Wired, 14M Cache, 60M Buf, 30M Free
> Swap: 512M Total, 32K Used, 512M Free
>
> In the ftp-server logs (vsftpd) I see the following:
>
> ======= start cut of log ====================
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "PASV"
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "227 Entering Passive Mode (xxx,xxx,xxx,136,195,80)."
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "RETR Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe"
> Thu Oct 21 16:16:36 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "150 Opening BINARY mode data connection for Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe (1235728 bytes)."
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "426 Failure writing network stream."
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FAIL DOWNLOAD: Client "ip_was_replaced", "/pub/drivers/intel/Intel.Boot.Agent.for.Intel.Network.Adapters.PROBOOT.v15.2.exe", 33580 bytes, 0.86Kbyte/sec
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP command: Client "ip_was_replaced", "????ABOR"
> Thu Oct 21 16:17:14 2010 [pid 92431] [ftpusr] FTP response: Client "ip_was_replaced", "225 No transfer to ABOR."
>
> and so on...
> ======= end cut of log ====================
>
> About my system:
> # uname -rsm
> FreeBSD 8.1-RELEASE i386
>
> FTP servers in passive mode:
> vsftpd-2.3.2 (listens on port 21)
> proftpd-1.3.3a (listens on port 2121)
>
> pf as firewall, kernel compiled with:
> device pf
> device pflog
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
> options ALTQ_NOPCC
>
> my pf.conf:
> =======start of pf.conf ====================
> # macros
> # internal interface
> int_if = "fxp0"
>
> ext_if = "{ fxp1, fxp2 }"
>
> # interface to isp1 and isp2
> ext_if1 = "fxp1"
> ext_if2 = "fxp2"
>
> #gateway for isp1 and isp2
> ext_gw1 = "xxx.xxx.xxx.129"
> ext_gw2 = "xxx.xxx.xxx.3"
>
> # ftp ports
> ftp_serv = "{ 21, 2121, 50000:50100 }"
>
> icmp_types = "{ echoreq }"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8 }"
> ftp_allowed_ip = "{ xxx.xxx.xxx.xxx }"
>
> # options
> set block-policy drop
> #set loginterface $ext_if
>
> # scrub
> scrub in all
> # nat
> nat on $ext_if1 inet from $int_if:network to any -> ($ext_if1)
> nat on $ext_if2 inet from $int_if:network to any -> ($ext_if2)
>
> # filter rules
> block all
> block in quick on $ext_if inet proto udp from any port 137:139 \
> to any port 137:139
> block log on $ext_if all
>
> pass quick on lo0 all
>
> block in quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
>
> pass out on $ext_if1 inet from $ext_if1 to any
> pass out on $ext_if2 inet from $ext_if2 to any
> pass out route-to ($ext_if2 $ext_gw2) inet from ($ext_if2) keep state
> pass out route-to ($ext_if1 $ext_gw1) inet from ($ext_if1) keep state
>
> # icmp rules
> pass in quick on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto icmp from any to $ext_if1 icmp-type $icmp_types keep state
> pass in quick on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
> proto icmp from any to $ext_if2 icmp-type $icmp_types keep state
> pass out quick inet proto icmp all keep state
>
> # for local network out
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> #ftp service
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to ($ext_if1) \
> port $ftp_serv flags S/SA keep state
>
> pass in on $ext_if2 reply-to ( $ext_if2 $ext_gw2 ) inet \
> proto tcp from $ftp_allowed_ip to ($ext_if2) \
> port $ftp_serv flags S/SA keep state
>
> pass out quick on $ext_if proto tcp all modulate state flags S/SA
> pass out quick on $ext_if proto { udp, icmp } all keep state
>
> =======-end of pf.conf ====================
>
> If I replace the rule
> pass in on $ext_if1 reply-to ( $ext_if1 $ext_gw1 ) inet \
> proto tcp from $ftp_allowed_ip to ($ext_if1) \
> port $ftp_serv flags S/SA keep state
>
> with
> pass in on $ext_if1 inet \
> proto tcp from $ftp_allowed_ip to ($ext_if1) \
> port $ftp_serv flags S/SA keep state
>
> then the ftp-server is accessible from ISP1, but from ISP2 - no.
>

-- 
TJU13-ARIN
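As an added worked example (not the poster's pf.conf and not TJ's reply), here is a minimal FreeBSD 8 pf.conf for the setup TJ describes: a passive-mode FTP server reachable through two ISPs, with `reply-to` pinning every inbound control and data connection to the ISP it arrived on, and `route-to` pushing locally originated traffic out the ISP that owns its source address. The interface names `fxp1`/`fxp2` and the passive range `50000:50100` come from the thread; the addresses and gateways are assumed placeholders from the TEST-NET ranges, the `ftp_ports` and `isp*` macro names are chosen here, and the poster's internal-network NAT rules are left out to keep the focus on the FTP path. The vsftpd lines at the end are likewise assumed, not quoted from the thread.

```pf
# Added example, not the thread's configuration. Addresses are placeholders.
ext_if1 = "fxp1"
ext_if2 = "fxp2"
isp1_ip = "198.51.100.136"   # assumed: our address on fxp1
isp1_gw = "198.51.100.129"   # assumed: ISP1 next hop
isp2_ip = "203.0.113.136"    # assumed: our address on fxp2
isp2_gw = "203.0.113.3"      # assumed: ISP2 next hop

# Control ports plus the passive data range. The range must be identical to
# what the daemon hands out in its 227 replies, otherwise the data connection
# is blocked and the client sees the transfer stall.
ftp_ports = "{ 21, 2121, 50000:50100 }"

set block-policy drop
scrub in all

block all
pass quick on lo0 all

# Inbound FTP: each rule is bound to one interface and carries reply-to, so
# the SYN-ACK and all later reply packets of that state leave through the
# gateway of the ISP the SYN came from, regardless of the default route.
# On FreeBSD 8 pf the route option is positional and goes before "inet".
pass in on $ext_if1 reply-to ($ext_if1 $isp1_gw) inet proto tcp \
    from any to $isp1_ip port $ftp_ports flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $isp2_gw) inet proto tcp \
    from any to $isp2_ip port $ftp_ports flags S/SA keep state

# Locally originated traffic: a packet sourced from ISP2's address that the
# kernel's default route would send out fxp1 is redirected to ISP2's
# gateway, and vice versa. Traffic already on the right interface just passes.
pass out on $ext_if1 route-to ($ext_if2 $isp2_gw) inet from $isp2_ip to any keep state
pass out on $ext_if2 route-to ($ext_if1 $isp1_gw) inet from $isp1_ip to any keep state
pass out on $ext_if1 inet from $isp1_ip to any keep state
pass out on $ext_if2 inet from $isp2_ip to any keep state

# Matching vsftpd.conf settings (assumed; vsftpd option names are real):
#   pasv_enable=YES
#   pasv_min_port=50000
#   pasv_max_port=50100
# Leave pasv_address unset: vsftpd then reports the local address of the
# control connection in its 227 reply, so a client that arrived via ISP2 is
# told to connect to isp2_ip, which the fxp2 reply-to rule above serves.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (the positional `reply-to`/`route-to` placement above parses on FreeBSD 8; putting the option after the port list does not). After loading, open a PASV transfer from a host behind each ISP and watch with `tcpdump -ni fxp1 port 21` and `tcpdump -ni fxp2 port 21`: the SYN-ACK for a session that arrived on fxp2 must leave on fxp2, and `pfctl -ss` should show one state per control connection plus one per data port in the 50000:50100 range.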