Date: Sat, 19 Nov 2005 09:30:35 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Steven Schoch <schoch-freebsd.org@starnet.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Still have ftp-proxy problems - Any help?
Message-ID: <20051119083035.GB28611@insomnia.benzedrine.cx>
In-Reply-To: <6650332b0511181609s1540c083v2faf8f2f6d2e3790@mail.gmail.com>
References: <6650332b0511181609s1540c083v2faf8f2f6d2e3790@mail.gmail.com>
On Fri, Nov 18, 2005 at 04:09:27PM -0800, Steven Schoch wrote:

> I may not be the only one with this problem. On Mon, 22 Nov 2004 "J.
> Martin Petersen" <jmp@alvorlig.dk> had a similar problem I found in
> this message:
> http://docs.freebsd.org/cgi/mid.cgi?1101152753.41a241f113332
>
> But there were no answers. Any new answers?

Depends on whether it's the same problem or not, you didn't supply the
same diagnostics.

In Martin's case, the problem was that the ftp-proxy couldn't establish
the data connection to the client, most likely due to his ruleset.

The ftp-proxy sends the TCP SYN to the client, passing by rule

  pass on $int_if all

and not creating state. Then the client's SYN+ACK comes back in on
$int_if, passing by rule

  pass log on $int_if from "10.1.4.50" modulate state

Here the SYN+ACK does get modulated and create state. This doesn't
work. If you want to modulate sequence numbers, you have to do it on
the initial SYN (and create state).

In short, any ruleset that creates state on non-first packets is
highly suspicious. I have no idea why Martin doesn't create state on
so many rules, then just throws in a 'modulate state' on that
particular rule.

In general:

  a) don't pass without creating state, search for 'pass' rules which
     don't also have 'keep state'

  b) don't create state on non-first packets, search for 'pass' rules
     (applying to TCP connections) which don't contain 'flags S/SA'

It could be an entirely different problem in your case. Martin did
supply many relevant logs, you could do the same :)

Daniel
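The two searches Daniel recommends (pass rules without 'keep state', and TCP pass rules that create state without 'flags S/SA') can be run mechanically over a ruleset file. The POSIX sh/awk lint below is an added example and is not part of this mail, of pf, or of any FreeBSD tooling. It assumes one rule per line and does not expand macros, brace lists or anchors; the sample ruleset is constructed here and modelled on the two rules quoted in the mail. Later pf releases apply 'keep state' and 'flags S/SA' to pass rules by default, so on those versions the lint over-reports and the output is a list of rules to read, not a list of bugs.

```shell
#!/bin/sh
# Hypothetical lint for pf.conf-style rulesets (added example, not pf's own code).
# Check (a): a 'pass' rule that creates no state at all.
# Check (b): a 'pass' rule that applies to TCP and creates state without
#            'flags S/SA', i.e. it may create state on a non-first packet
#            (the SYN+ACK case from the mail).

audit_pf_rules() {
    # $1: path to a ruleset file; prints one finding per offending rule
    awk '
        # drop comments and blank lines; modifying $0 re-splits the fields
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
        # only pass rules matter here; block rules never create state
        $1 != "pass" { next }
        # (a) no keep/modulate/synproxy state on the rule
        $0 !~ /(keep|modulate|synproxy) state/ {
            printf "no-state: %s\n", $0; next
        }
        # a rule naming a non-TCP protocol is outside check (b)
        $0 ~ /proto/ && $0 !~ /tcp/ { next }
        # (b) creates state, applies to TCP, but lacks flags S/SA
        $0 !~ /flags S\/SA/ {
            printf "no-flags: %s\n", $0
        }
    ' "$1"
}

count_findings() {
    # number of findings for the file in $1 (0 means both checks pass)
    audit_pf_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample ruleset: the two rules quoted in the mail plus two
# rules written the way the mail recommends.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
int_if = "fxp0"
ext_if = "fxp1"
block all
# quoted in the mail: passes the proxy's SYN without creating state
pass on $int_if all
# quoted in the mail: creates (modulated) state on the client's SYN+ACK
pass log on $int_if from 10.1.4.50 modulate state
# as recommended: state is created on the initial SYN only
pass in on $ext_if proto tcp from any to any port 21 flags S/SA keep state
# UDP has no handshake, so flags S/SA does not apply
pass in on $ext_if proto udp from any to any port 53 keep state
EOF

audit_pf_rules "$SAMPLE"
echo "findings: $(count_findings "$SAMPLE")"
```

Run as-is it reports the two quoted rules (one 'no-state', one 'no-flags') and nothing for the two corrected rules; pointing audit_pf_rules at a real /etc/pf.conf gives the list of rules worth rereading before blaming ftp-proxy.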