PF :: Passive FTP tracking
I've found a problem using passive FTP across a PF gateway (PF+NAT).
Strangely PF blocks last packets of the control connection.
This is the setup:

    3.2-stable - 10.0.0.3 - "make fetch" (lang/egcs/stable)
          |
    [int] 10.0.0.1 - pass in/out all
    [ext] 10.1.0.1 - pass out all keep state
I've recorded all packets with tcpdump -w on the [int] and [ext] interfaces and
saved them at http://hacking.openbsd.it/pf/
What is the surprise?
1) Using the display filter "tcp.srcport == 21 or tcp.dstport == 21" with ethereal
you'll see that on the external interface the last 5 packets that say "download
complete" are blocked by PF; in fact they are missing on the internal interface.
Why? Is it a problem with a too-short state timeout?
I'm using the default settings.
2) If I use another application like Lynx instead of "ftp" (used by "make
fetch"), I have no problem. OpenBSD "ftp" receives the whole file, but after that
freezes waiting for the "download finished" packets on the control connection, which
are blocked by PF. (wget also seems to be affected.)
Probably other applications, like Lynx, simply close the socket without waiting
for such packets. Which is smarter?
Could anyone try something with a -current setup ?
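The comparison the post does by hand in ethereal (filter the control connection on both captures, then look for packets present on [ext] but absent on [int]) can be scripted. The following is an added example written for this page, not code from the original post or from the PF project. It assumes the topology from the post (client 10.0.0.3 behind [int] 10.0.0.1, NAT on [ext] 10.1.0.1), a hypothetical FTP server address 192.0.2.10, and a packet list built by hand rather than read from the real dumps; the correlation key deliberately ignores the client address and port, because NAT rewrites those, and relies on plain "keep state" (without "modulate state", which would also rewrite sequence numbers).

```python
"""Correlate packet captures from both sides of a PF/NAT gateway and list the
FTP control-connection packets from the server that were seen on [ext] but never
reached [int], i.e. the packets the gateway dropped.

Topology assumed from the post; the captures below are constructed for this
example and are not the real tcpdump files.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags seq")

CLIENT_IP = "10.0.0.3"      # internal host running "make fetch"
EXT_IP = "10.1.0.1"         # NAT address on the [ext] interface
FTP_SERVER = "192.0.2.10"   # hypothetical FTP server (documentation address)
FTP_PORT = 21


def is_control(p):
    """True for packets belonging to the FTP control connection (port 21)."""
    return p.sport == FTP_PORT or p.dport == FTP_PORT


def nat_invariant_key(p):
    """Key that survives NAT: PF rewrites the client address and source port,
    but not the server endpoint, the direction, the TCP flags or the sequence
    number (assuming plain 'keep state', not 'modulate state')."""
    if p.dport == FTP_PORT:
        return ("to-server", p.dst, p.flags, p.seq)
    return ("from-server", p.src, p.flags, p.seq)


def dropped_inbound(ext_pkts, int_pkts):
    """Server->client control packets present on [ext] but missing on [int]."""
    seen_inside = {nat_invariant_key(p) for p in int_pkts if is_control(p)}
    return [p for p in ext_pkts
            if is_control(p) and p.sport == FTP_PORT
            and nat_invariant_key(p) not in seen_inside]


def summarize(ext_pkts, int_pkts):
    """(flags, seq) of every dropped inbound control packet, in capture order."""
    return [(p.flags, p.seq) for p in dropped_inbound(ext_pkts, int_pkts)]


# Constructed sample: the end of a passive transfer as seen on each interface.
# On [ext] the client appears as the NAT address 10.1.0.1; on [int] as 10.0.0.3.
EXT_CAPTURE = [
    Packet(EXT_IP, 40001, FTP_SERVER, FTP_PORT, "PA", 100),     # RETR command
    Packet(FTP_SERVER, FTP_PORT, EXT_IP, 40001, "PA", 5000),    # 150 Opening...
    Packet(FTP_SERVER, FTP_PORT, EXT_IP, 40001, "PA", 5040),    # 226 Transfer complete
    Packet(FTP_SERVER, FTP_PORT, EXT_IP, 40001, "A", 5064),     # ACK of client data
    Packet(FTP_SERVER, FTP_PORT, EXT_IP, 40001, "FA", 5064),    # server closes
]
INT_CAPTURE = [
    Packet(CLIENT_IP, 40001, FTP_SERVER, FTP_PORT, "PA", 100),
    Packet(FTP_SERVER, FTP_PORT, CLIENT_IP, 40001, "PA", 5000),
    # the remaining server packets never show up on the inside
]

if __name__ == "__main__":
    for flags, seq in summarize(EXT_CAPTURE, INT_CAPTURE):
        print("dropped between [ext] and [int]: flags=%s seq=%d" % (flags, seq))
```

To apply this to the real dumps, convert them with `tcpdump -r <file>` and fill the Packet tuples from the printed addresses, ports, flags and sequence numbers; a non-empty result pinpoints exactly which tail-of-connection packets the state table stopped matching.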