
Re: FTP clients behind PF can connect to ftp servers but cannot list files, why?



[SNIP]
> > > > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
> > > > >
> > > > > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
> > > > >
> > > > > pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
> > 
> > I noticed that with the above rules internal clients can do passive
> > ftp fine, but active ftp won't work; pf drops the packets from
> > the remote host from port 20 to a high port here.
> > I don't know quickly how to remedy this, any hints?
> 
> Get into logging and then provide us with some facts.
Okay, I only logged the blocked packets; if you need more, please tell.
I tried to make an active ftp connection to ftp.openbsd.org.
I am doing NAT. Here's the output from fstat | grep proxy:
proxy    ftp-proxy    851   wd /              2 drwxr-xr-x     512 r
proxy    ftp-proxy    851    0* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    1* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    2* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    3* unix dgram c19e3000 <-> c1938c40
proxy    ftp-proxy    851    4* internet stream tcp c19b2b1c 82.161.169.153:56634 <-> 129.128.5.191:21
proxy    ftp-proxy    851    5* internet stream tcp c19b262c *:55674
The last line is the ftp-proxy waiting for a connection from
ftp.openbsd.org on port 55674, but the SYN packet is already
dropped:
Output from pflog0:
4. 422299 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, flags [DF], length: 44, bad cksum d0ab (->2145)!) 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum ok] 693991520:693991520(0) win 8760 <mss 1460>
Any hints?
Bye,
Mipam.
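The correlation Mipam does by eye above (a listening ftp-proxy socket in fstat, a dropped SYN to that same port in pflog) can be scripted. The following is an added example, not code from the original post nor from OpenBSD's ftp-proxy: a POSIX shell script that pulls the ports ftp-proxy is listening on out of fstat(1) output and reports every blocked inbound SYN in the pflog tcpdump output whose destination port is one of them. The function names are the example's own, and the two sample texts are constructed from the output quoted in the post, plus one unrelated blocked SYN to show that it is ignored.

```shell
#!/bin/sh
# Added example, not from the original post: correlate pf "block in" log
# lines (tcpdump on pflog0) with the ports ftp-proxy is listening on
# (fstat | grep proxy), so a dropped data-connection SYN stands out.
# The samples below are constructed from the output quoted in the post,
# plus one unrelated blocked SYN (to port 22) that must be ignored.

FSTAT_SAMPLE='proxy ftp-proxy 851 4* internet stream tcp c19b2b1c 82.161.169.153:56634 <-> 129.128.5.191:21
proxy ftp-proxy 851 5* internet stream tcp c19b262c *:55674'

PFLOG_SAMPLE='rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, flags [DF], length: 44, bad cksum d0ab (->2145)!) 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum ok] 693991520:693991520(0) win 8760 <mss 1460>
rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], length: 44) 192.0.2.9.40000 > 82.161.169.153.22: S [tcp sum ok] 1:1(0) win 8760 <mss 1460>'

# proxy_listen_ports FSTAT_TEXT
# Print one port per line for every ftp-proxy TCP socket that fstat shows
# with a wildcard local address and no peer ("*:port"), i.e. a listener.
proxy_listen_ports() {
    printf '%s\n' "$1" |
        awk '$2 == "ftp-proxy" && $NF ~ /^\*:[0-9]+$/ { sub(/^\*:/, "", $NF); print $NF }'
}

# blocked_syns_to_proxy FSTAT_TEXT PFLOG_TEXT
# For each "block in" line carrying a SYN, take the "a.b.c.d.sport > e.f.g.h.dport:"
# tuple apart and print "srchost:sport -> dport" when dport is a port
# ftp-proxy is listening on.
blocked_syns_to_proxy() {
    ports=$(proxy_listen_ports "$1" | tr '\n' ' ')
    printf '%s\n' "$2" |
        awk -v ports="$ports" '
        BEGIN {
            n = split(ports, p)
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        /block in/ && / S / {
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            sub(/:$/, "", dst)
            ns = split(src, s, "."); nd = split(dst, d, ".")
            if (d[nd] in want)
                printf "%s.%s.%s.%s:%s -> %s\n", s[1], s[2], s[3], s[4], s[ns], d[nd]
        }'
}

blocked_syns_to_proxy "$FSTAT_SAMPLE" "$PFLOG_SAMPLE"
```

On a live gateway the two sample strings would be replaced by the output of `fstat` and of `tcpdump -n -e -ttt -i pflog0`; a hit means the server's data-connection SYN reached the external interface and was dropped before it could hit the proxy's listener, which is exactly the symptom shown in the post.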