
PF :: Passive FTP tracking

Hi all,
I've found a problem using passive FTP across a PF gateway (PF+NAT).
Strangely, PF blocks the last packets of the control connection.
This is the setup:
3.2-stable - - "make fetch" (lang/egcs/stable)
  |[int] - pass in/out all
[ext] - pass out all keep state
I've captured all packets with tcpdump -w on the [int] and [ext] interfaces and 
saved them at http://hacking.openbsd.it/pf/
What is the surprise?
1) Using the display filter "tcp.srcport == 21 or tcp.dstport == 21" with Ethereal 
you'll see that on the external interface the last 5 packets that say "download 
complete" are blocked by PF; in fact they are missing on the internal interface.
Why? Is it a problem with a too-short state timeout?
I'm using default settings.
2) If I use another application like Lynx instead of "ftp", which is used by "make 
fetch", I have no problem. OpenBSD "ftp" receives the whole file, but after that it 
freezes waiting for the "download finished" packets on the control connection, which 
are blocked by PF. (wget also seems to be affected.)
Probably other applications, like Lynx, simply close their sockets without waiting 
for such packets. Which is smarter?
Could anyone try something with a -current setup?
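The comparison described above (filter the FTP control connection on both captures and find the packets present on [ext] but missing on [int]) can be automated. This is an added example, not code from the original post; it assumes the captures were dumped as text with a modern `tcpdump -n -r`, and the addresses and packets below are constructed samples.

```python
import re
from typing import Dict, List

# Parses `tcpdump -n` TCP summary lines (modern output format assumed). The timestamp
# is deliberately dropped: the same packet is seen at different times on each interface.
_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+(?::\d+)?))?(?:, ack (?P<ack>\d+))?"
)

def control_packets(capture: str, port: int = 21) -> Dict[tuple, str]:
    """Index the packets touching the FTP control port by a key that is identical on
    both sides of the gateway: the client endpoint is left out because NAT rewrites it."""
    packets: Dict[tuple, str] = {}
    for line in capture.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m["sport"]) == port:
            key = (m["src"], "server>client", m["flags"], m["seq"] or "", m["ack"] or "")
        elif int(m["dport"]) == port:
            key = (m["dst"], "client>server", m["flags"], m["seq"] or "", m["ack"] or "")
        else:
            continue
        packets[key] = line.strip()  # retransmissions collapse onto the same key
    return packets

def dropped_between(ext_capture: str, int_capture: str, port: int = 21) -> List[str]:
    """Control-connection packets seen on [ext] that never appeared on [int], in order."""
    inside = control_packets(int_capture, port)
    return [line for key, line in control_packets(ext_capture, port).items() if key not in inside]

# Constructed sample captures: server 192.0.2.10, client 10.0.0.5 behind a gateway whose
# external address is 198.51.100.1. The final server reply and its FIN exist only on [ext].
EXT_CAPTURE = """\
12:00:05.100 IP 192.0.2.10.21 > 198.51.100.1.50000: Flags [P.], seq 300:328, ack 120, win 1024, length 28
12:00:05.101 IP 198.51.100.1.50000 > 192.0.2.10.21: Flags [.], ack 328, win 1024, length 0
12:00:05.200 IP 192.0.2.10.21 > 198.51.100.1.50000: Flags [P.], seq 328:352, ack 120, win 1024, length 24
12:00:05.201 IP 198.51.100.1.50000 > 192.0.2.10.21: Flags [.], ack 352, win 1024, length 0
12:00:09.000 IP 192.0.2.10.21 > 198.51.100.1.50000: Flags [P.], seq 352:376, ack 120, win 1024, length 24
12:00:09.001 IP 192.0.2.10.21 > 198.51.100.1.50000: Flags [F.], seq 376, ack 120, win 1024, length 0
"""
INT_CAPTURE = """\
12:00:05.100 IP 192.0.2.10.21 > 10.0.0.5.33412: Flags [P.], seq 300:328, ack 120, win 1024, length 28
12:00:05.101 IP 10.0.0.5.33412 > 192.0.2.10.21: Flags [.], ack 328, win 1024, length 0
12:00:05.200 IP 192.0.2.10.21 > 10.0.0.5.33412: Flags [P.], seq 328:352, ack 120, win 1024, length 24
12:00:05.201 IP 10.0.0.5.33412 > 192.0.2.10.21: Flags [.], ack 352, win 1024, length 0
"""
```

Running `dropped_between(EXT_CAPTURE, INT_CAPTURE)` on the samples returns the two trailing server packets, which is the pattern to look for in the real captures before suspecting the state timeout.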