
Re: Can't even do an ls on a FTP server located on the WAN

On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote:
> > 
> > Post your pf.conf.
> Unfortunately, the floppy disk is broken on my bastion. Since the
> pf.conf is around 15ko, I'll avoid typing it... ;-)
  can you ftp/scp it off and just post on the www somewhere?
  that sometimes seems to fly for things very large.
> Feb 15 19:57:10.770100 rule 0/0(match): block in on ep0: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp] (DF)
> Feb 15 19:57:13.768532 rule 0/0(match): block in on ep0: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp] (DF)
  that looks like they're pulling an ident lookup on you.
$ grep 113 /etc/services
auth            113/tcp         authentication tap ident
  don't know offhand if that's where it is dying; given the timestamps, 
  i don't think so, as they pull an ident on you upon the initial 
  connection, not upon your LIST.
> Here's what appear on the screen, also:
> Feb 15 19:58:36 bastion ftp-proxy[28303]: connect() failed (No route to host)
  so if ftp-proxy can talk to from
> Here's what written in /var/log/daemon:
> Feb 15 19:57:10 bastion ftp-proxy[28303]: accepted connection from
> to
> Feb 15 19:58:36 bastion ftp-proxy[28303] connect() failed (No route to host)
  i'm wondering why it is trying to make a connection out on a 
  different socket pair?  i'm thinking that however pf is setup, it is
  probably allowing out the first connection from ftp-proxy; that it is
  failing on that second part makes me wonder about what connection
  really was blocked; would have to be an outgoing one from ftp-proxy
  to somewhere.  if it was incoming, and was blocked, ftp-proxy wouldn't
  try to see if there's something in the /var/log/pflog you skipped?
> Here's a line for ftp-proxy in /etc/inetd.conf:
> stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
> frp-proxy -n -D 3
  for active mode connections, you would need to allow in pf, say, 
  'from tcp <remote ftp IP> port 20 to $intIf:network user proxy', but
  that rule is only for active connections, doesn't matter for passive.
> However, here's the rule I added for the FTP:
> pass in quick on $name_itf_ext inet proto tcp from port 20 to ($name_itf_ext) user proxy flags S/SA keep state
  ok, that's that.  are you blocking everything by default on 
  bastion, not just inbound?  is there a chance that the connection
  from ftp-proxy back to your LAN was blocked?
[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
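A constructed pf.conf fragment, added here and not taken from the thread or from Nicolas's real configuration, that pulls together the rules this reply is circling around for the OpenBSD 3.6 inetd-based ftp-proxy: the redirect of LAN control connections into the proxy, the port-20 active-mode rule quoted from the post, and the proxy's own outbound legs, including the one back to the LAN that the reply suspects is blocked. The internal interface name, the LAN prefix and the 8021 listener port are assumptions; only ep0 and $name_itf_ext come from the post.

```conf
# Constructed example for the OpenBSD 3.6 ftp-proxy(8) run from inetd; not the poster's file.
name_itf_ext = "ep0"              # external interface (where the blocked SYNs were logged)
name_itf_int = "ep1"              # internal interface (assumed)
lan          = "192.168.1.0/24"   # LAN behind the bastion (assumed)

# Default deny on every interface, logged, so any missing rule shows up in pflog
# rather than only as a vague "No route to host" from the proxy.
block in log all
block out log all

# 1. Control connection: LAN clients' FTP control traffic is redirected into the
#    local proxy. Port 8021 is assumed and must match the inetd.conf entry that
#    starts /usr/libexec/ftp-proxy. "rdr pass" skips the filter for this leg.
rdr pass on $name_itf_int proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# 2. The proxy's own connections out to the server: the control connection and,
#    in passive mode, the data connection as well. Matched on the socket owner.
pass out on $name_itf_ext inet proto tcp from any to any user proxy flags S/SA keep state

# 3. Passive mode, LAN side: the client connects to the proxy's listening data
#    socket on the internal address.
pass in on $name_itf_int inet proto tcp from $lan to ($name_itf_int) user proxy flags S/SA keep state

# 4. Active mode, WAN side: the server connects back from port 20 to the bastion's
#    external address, where the proxy is listening (the rule from the post).
pass in quick on $name_itf_ext inet proto tcp from any port 20 to ($name_itf_ext) user proxy flags S/SA keep state

# 5. Active mode, LAN side: the leg the reply asks about. After the client sends
#    PORT and issues LIST, the proxy has to open the data connection to the client
#    on the LAN; with "block out" in force this rule is what lets that connect()
#    succeed, and a blocked attempt is visible in pflog as "block out on ep1".
pass out on $name_itf_int inet proto tcp from any to $lan user proxy flags S/SA keep state
```

To check which leg is failing after the change, run `tcpdump -n -e -ttt -i pflog0` while repeating the `ls`, and match the blocked socket pair against the proxy's "connect() failed" line in /var/log/daemon.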