[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ftp-proxy and pf



I realize that this is not a pf problem, but I also believe that
readership
here has the expertise to solve this problem.
I am trying to use ftp-proxy with pf, it works for passive mode, but
fails for active mode.
What follows (slightly edited) is a conversation from
a Windows XP machine (source.thinkage.ca) using the cygwin ftp which 
logs on anonymous by its self. (I get the same using Microsoft's ftp)
~~$ ftp -d ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
220-
220-                 Welcome to SunSITE Alberta
220-
220-     at the University of Alberta, in Edmonton, Alberta, Canada
220-
220-All connections to and transfers from this server are logged. If
220-you do not like this policy, please disconnect now.
220-
220-You may want to grab the index file called "ls-lR.gz" in /pub.  It
is
220-updated nightly with the contents of the ftp tree.
220-
220-    If you have any questions, hints, or requests, please email
220-
220-            [email protected]
220-
220
---> USER anonymous
331 Who are you impersonating today?
---> PASS XXXX
230-
230-    Welcome to Sunsite Alberta
230- Login Successful.
230 Your data rate unrestricted
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
---> PORT 192,102,11,8,12,170
200 PORT command successful - not using PASV eh?
---> LIST
150 Have a Gorilla.
There is never a response back from the "LIST" command
This generated a pflog of (The port numbers are not quite right
the output was gathered over several attempts)
"outside" is the IP address of the outside of the firewall
and "gateway" is the address of the inside of the firewall
"source" is where the ftp request started
the redirected conversation to ftp-proxy is not
visible because I could not put a log on the "rdr"
pass out on ste0: outside.thinkage.ca.58157 >
openbsd.sunsite.ualberta.ca.ftp: S 2560781418:2560781418(0) win 16384
<mss 1460,nop,nop,sackOK,[|tcp]> (DF)
pass in on ste0: openbsd.sunsite.ualberta.ca.ftp-data >
outside.thinkage.ca.50622: S 236919090:236919090(0) win 8760 <mss 1460>
(DF)
pass out on fxp0: gateway.thinkage.ca.59222 > source.thinkage.ca.5003: S
2724013282:2724013282(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
pass out on ste0: outside.thinkage.ca.54441 >
openbsd.sunsite.ualberta.ca.ftp-data: F 3086174700:3086174700(0) ack
211028790 win 17520 (DF)
pass out on ste0: outside.thinkage.ca.50622 >
openbsd.sunsite.ualberta.ca.ftp-data: F 3961007529:3961007529(0) ack
236919496 win 17520 (DF)
The trouble is the XP computer is waiting for packets from
openbsd.sunsite.ualberta.ca on port ftp-data and is ignoring those from
gateway.thinkage.ca on port 59222. And I think the ftp client is right
to ignore these packets.
Out of curiosity I also tried running the ftp-proxy as root. Then the
port is correct, put the packet is still from the
wrong address and the packets are still ignored.
pass out on ste0: outside.thinkage.ca.60139 >
openbsd.sunsite.ualberta.ca.ftp: S 3173265442:3173265442(0) win 16384
<mss 1460,nop,nop,sackOK,[|tcp]> (DF)
pass in on ste0: openbsd.sunsite.ualberta.ca.ftp-data >
outside.thinkage.ca.53159: S 4267916550:4267916550(0) win 8760 <mss
1460> (DF)
pass out on fxp0: gateway.thinkage.ca.ftp-data >
source.thinkage.ca.5002: S 2502655302:2502655302(0) win 16384 <mss
1460,nop,nop,sackOK,[|tcp]>
pass out on ste0: outside.thinkage.ca.51487 >
openbsd.sunsite.ualberta.ca.ftp-data: F 2857467745:2857467745(0) ack
4225448704 win 17520 (DF)
pass out on ste0: outside.thinkage.ca.53159 >
openbsd.sunsite.ualberta.ca.ftp-data: F 3120064161:3120064161(0) ack
4267916956 win 17520 (DF)
I don't find any information on ftp-proxy not working for active mode,
so I am doing something wrong, but I don't know what.