From owner-freebsd-pf@FreeBSD.ORG Sat Nov 19 08:31:08 2005
Date: Sat, 19 Nov 2005 09:30:35 +0100
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: Steven Schoch
Cc: freebsd-pf@freebsd.org
Subject: Re: Still have ftp-proxy problems - Any help?
Message-ID: <20051119083035.GB28611@insomnia.benzedrine.cx>
In-Reply-To: <6650332b0511181609s1540c083v2faf8f2f6d2e3790@mail.gmail.com>
References: <6650332b0511181609s1540c083v2faf8f2f6d2e3790@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Nov 18, 2005 at 04:09:27PM -0800, Steven Schoch wrote:
> I may not be the only one with this problem. On Mon, 22 Nov 2004 "J.
> Martin Petersen" had a similar problem I found in
> this message:
> http://docs.freebsd.org/cgi/mid.cgi?1101152753.41a241f113332
>
> But there were no answers. Any new answers?

Depends on whether it's the same problem or not; you didn't supply the
same diagnostics.

In Martin's case, the problem was that the ftp-proxy couldn't establish
the data connection to the client, most likely due to his ruleset.

The ftp-proxy sends the TCP SYN to the client, passing by rule

  pass on $int_if all

and not creating state. Then the client's SYN+ACK comes back in on
$int_if, passing by rule

  pass log on $int_if from "10.1.4.50" modulate state

Here the SYN+ACK does get modulated and create state. This doesn't work.
If you want to modulate sequence numbers, you have to do it on the
initial SYN (and create state).

In short, any ruleset that creates state on non-first packets is highly
suspicious. I have no idea why Martin doesn't create state on so many
rules, then just throws in a 'modulate state' on that particular rule.

In general:

  a) don't pass without creating state, search for 'pass' rules which
     don't also have 'keep state'

  b) don't create state on non-first packets, search for 'pass' rules
     (applying to TCP connections) which don't contain 'flags S/SA'

It could be an entirely different problem in your case. Martin did
supply many relevant logs, you could do the same :)

Daniel
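The two ruleset checks suggested above, turned into a small audit script. This is an added example, not code from the list post or from pf itself; the rulesets it scans are constructed to mirror the shape of the problem described (stateless pass on the inside interface, then one rule that creates modulated state on whatever packet reaches it), and the macro name and addresses are placeholders.

```shell
#!/bin/sh
# Reads a pf.conf on stdin and reports, one per line:
#   no-state: a 'pass' rule with no keep/modulate/synproxy state keyword
#   no-flags: a 'pass' rule that applies to TCP (explicit 'proto tcp', a
#             proto list containing tcp, or no 'proto' at all) but lacks
#             'flags S/SA', so it can create state on a non-first packet.
# Exit status is 1 if anything was reported, 0 otherwise.
audit_pf_rules() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*pass[[:space:]]/ {
            has_state = ($0 ~ /(keep|modulate|synproxy)[[:space:]]+state/)
            has_flags = ($0 ~ /flags[[:space:]]+S\/SA/)
            tcp = ($0 !~ /[[:space:]]proto[[:space:]]/) ||
                  ($0 ~ /proto[[:space:]]+tcp/) ||
                  ($0 ~ /proto[[:space:]]*[{][^}]*tcp/)
            if (!has_state)             { print "no-state: " $0; bad = 1 }
            else if (tcp && !has_flags) { print "no-flags: " $0; bad = 1 }
        }
        END { exit bad }'
}

# Constructed ruleset (not Martin's actual pf.conf) showing the problem.
suspicious_ruleset() {
cat <<'EOF'
int_if = "fxp0"
pass on $int_if all
pass log on $int_if from 10.1.4.50 modulate state
pass on $int_if proto udp all keep state
pass in on $int_if proto tcp from 10.1.4.50 to any port 21 flags S/SA keep state
pass in on $int_if proto tcp from any to any port 22 keep state
block all
EOF
}

# Same policy, with every pass rule keeping state and every TCP rule
# restricted to the initial SYN, so state is only created on the SYN.
corrected_ruleset() {
cat <<'EOF'
int_if = "fxp0"
pass on $int_if proto tcp from any to any flags S/SA keep state
pass log on $int_if proto tcp from 10.1.4.50 to any flags S/SA modulate state
pass on $int_if proto { udp, icmp } all keep state
pass in on $int_if proto tcp from 10.1.4.50 to any port 21 flags S/SA keep state
pass in on $int_if proto tcp from any to any port 22 flags S/SA keep state
block all
EOF
}

suspicious_ruleset | audit_pf_rules || echo "ruleset needs fixing"
```

Run it against a real ruleset with `audit_pf_rules < /etc/pf.conf`; it only pattern-matches rule text, so rules spread over continuation lines need to be joined first.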