
FTP Client Problem



Hi all,

Do any of you have consistent problems connecting to Dell's FTP sites
through your OpenBSD firewall? I mean for months, not just a single day.

I always get the message "Connection closed by remote host." or "The FTP
session was terminated." right after login.
It works fine in Passive mode from the OpenBSD box directly.
I do not have problems connecting to other FTP hosts (openbsd, freebsd, ms,
aol, ...) from a LAN client, both Active and Passive connections work.

Our firewall is currently running 3.2-stable (i386) from Nov. 2002, but the
problem has existed since 3.1-release for us, *and* this is not an isolated
problem, it occurs on *all* OpenBSD firewalls I have deployed (about 6).

Below are inetd.conf (ftp-proxy entry only), pf.conf, and a tcpdump from
both an Active and a Passive mode connection.

Any help is highly appreciated.

-Jason

//
// ftp-proxy in inetd.conf
//

127.0.0.1:8081  stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -n -m 45000 -M 49999 -t 600


//
// pf.conf
//

# Clean up fragmented and abnormal packets
scrub in all

# temp pcAnywhere for ViDint
# vidint1
rdr on $ExtIF proto tcp from any to {MyIP-A}/32 port 5631 -> $ViDint1 port 5631
rdr on $ExtIF proto udp from any to {MyIP-A}/32 port 5632 -> $ViDint1 port 5632
# vidint2
rdr on $ExtIF proto tcp from any to {MyIP-B}/32 port 5631 -> $ViDint2 port 5631
rdr on $ExtIF proto udp from any to {MyIP-B}/32 port 5632 -> $ViDint2 port 5632

# Bimaps
rdr on $IntIF proto tcp from $PublicServer to any port 21 -> 127.0.0.1 port 8081
binat on $ExtIF from $PublicServer to any -> {MyIP-B}
binat on $ExtIF from $TestServer to any -> {MyIP-C}

# TFTP
rdr on $ExtIF proto udp from any to {MyIP-A}/32 port 69 -> $TFTPHost port 69

# FTP proxy
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# standard NAT mappings
nat on $ExtIF from 192.168.0.0/24 to any -> {MyIP-A}

# allow IPSEC traffic
pass in  quick on $ExtIF proto udp from any to any port 500
pass in  quick on $ExtIF proto esp from any to any
pass out quick on $ExtIF proto esp from any to any
pass in  quick on enc0 all
pass out quick on enc0 all

# don't allow anyone to spoof non-routeable addresses
block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow internal machines
pass  in on lo0 all
pass  in on $IntIF all

# allow others to use public services
pass  in on $ExtIF inet proto tcp from any to $PublicServer port $Services flags S/SA keep state

# allow DNS traffic
pass  in on $ExtIF proto tcp from any to $DNSServers port domain flags S/SA keep state
pass  in on $ExtIF proto udp from any to $DNSServers port domain keep state

# allow VPN traffic (MS-PPTP)
pass  in on $ExtIF inet proto tcp from any to $VPNServer port 1723 flags S/SA keep state
pass  in on $ExtIF inet proto gre from any to $VPNServer keep state

# allow ViDint client pcAnywhere
pass  in on $ExtIF proto tcp from any to { $ViDint1, $ViDint2 } port 5631 flags S/SA keep state
pass  in on $ExtIF proto udp from any to { $ViDint1, $ViDint2 } port 5632 keep state

# allow TFTP
pass in on $ExtIF proto udp from any to $TFTPHost port 69 keep state

# report closed identd for faster mail connections
block return-rst in on $ExtIF inet proto tcp from any to any port 113

# allow active FTP connection to ftp-proxy (45000-50000)
# switched to "user proxy" on 2/24/2003
#pass in on $ExtIF inet proto tcp from any to $ExtIF port 44999 >< 50000 keep state
pass in on $ExtIF inet proto tcp from any to $ExtIF user proxy keep state

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state

//
// traceroute
//
# traceroute ftp.dell.com
traceroute to ftp.ins.dell.com (143.166.224.204), 64 hops max, 40 byte packets
 1  216-12-13-1.cv.mvl.intelos.net (216.12.13.1)  9.864 ms  11.426 ms  13.201 ms
 2  1-104.atm-6-0.border-va.core.ntelos.net (216.12.22.145)  210.118 ms  315.801 ms  331.824 ms
 3  500.Serial3-7.GW4.DCA1.ALTER.NET (157.130.9.245)  17.22 ms  17.378 ms  17.470 ms
 4  522.at-2-0-0.CL1.DCA1.ALTER.NET (152.63.37.70)  17.47 ms  20.847 ms  14.288 ms
 5  0.so-0-0-0.TL1.DCA6.ALTER.NET (152.63.38.69)  20.887 ms  21.444 ms  19.230 ms
 6  0.so-6-0-0.TL1.HOU7.ALTER.NET (152.63.39.182)  54.342 ms  56.962 ms  54.935 ms
 7  0.so-7-0-0.CL1.AUS4.ALTER.NET (152.63.97.201)  66.711 ms  71.538 ms  70.952 ms
 8  525.ATM7-0.GW1.AUS3.ALTER.NET (152.63.101.73)  67.367 ms  62.558 ms  60.424 ms
 9  dell-gw.customer.ALTER.NET (157.130.136.10)  63.433 ms  65.762 ms  69.759 ms
10  * * *

//
// tcpdump
//
# tcpdump -i ep0 net 143.166.0.0/16
tcpdump: listening on ep0
# client using Active FTP
11:14:00.399535 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: S 2379701912:2379701912(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1647223759 0> (DF)
11:14:00.470177 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: S 1733017700:1733017700(0) ack 2379701913 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
11:14:00.470450 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: . ack 1 win 17376 <nop,nop,timestamp 1647223759 0> (DF)
11:14:00.537331 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 1:48(47) ack 1 win 17520 <nop,nop,timestamp 10678922 1647223759> (DF)
11:14:00.543068 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: P 1:17(16) ack 48 win 17376 <nop,nop,timestamp 1647223760 10678922> (DF)
11:14:00.618652 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 48:120(72) ack 17 win 17504 <nop,nop,timestamp 10678923 1647223760> (DF)
11:14:00.623187 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: P 17:42(25) ack 120 win 17376 <nop,nop,timestamp 1647223760 10678923> (DF)
11:14:00.713161 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 120:808(688) ack 42 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.722053 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: F 42:42(0) ack 808 win 17376 <nop,nop,timestamp 1647223760 10678924> (DF)
11:14:00.792623 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: F 1079:1079(0) ack 43 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.792909 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: . ack 808 win 17376 <nop,nop,timestamp 1647223760 10678924> (DF)
11:14:00.796548 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 808:1079(271) ack 43 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.796743 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: R 2379701955:2379701955(0) win 0 (DF)
# Client using Passive FTP
11:14:25.085045 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: S 4126093659:4126093659(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1647223809 0> (DF)
11:14:25.155796 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: S 1740522070:1740522070(0) ack 4126093660 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
11:14:25.156015 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: . ack 1 win 17376 <nop,nop,timestamp 1647223809 0> (DF)
11:14:25.226842 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: P 1:48(47) ack 1 win 17520 <nop,nop,timestamp 10679169 1647223809> (DF)
11:14:25.240260 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: P 1:17(16) ack 48 win 17376 <nop,nop,timestamp 1647223809 10679169> (DF)
11:14:25.312200 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: P 48:120(72) ack 17 win 17504 <nop,nop,timestamp 10679170 1647223809> (DF)
11:14:25.318857 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: P 17:42(25) ack 120 win 17376 <nop,nop,timestamp 1647223809 10679170> (DF)
11:14:25.405122 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: P 120:808(688) ack 42 win 17479 <nop,nop,timestamp 10679170 1647223809> (DF)
11:14:25.408727 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: F 42:42(0) ack 808 win 17376 <nop,nop,timestamp 1647223809 10679170> (DF)
11:14:25.475759 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: F 1079:1079(0) ack 43 win 17479 <nop,nop,timestamp 10679171 1647223809> (DF)
11:14:25.476040 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: . ack 808 win 17376 <nop,nop,timestamp 1647223809 10679170> (DF)
11:14:25.479711 s3b-ftp.us.dell.com.ftp > {MyIP}.49303: P 808:1079(271) ack 43 win 17479 <nop,nop,timestamp 10679171 1647223809> (DF)
11:14:25.479948 {MyIP}.49303 > s3b-ftp.us.dell.com.ftp: R 4126093702:4126093702(0) win 0 (DF)
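The trace is the only hard evidence in the post, and the question it can answer is which side actually tore the control connection down. Reading relative sequence numbers by eye is error-prone, so here is an added example, not part of the original post and not an OpenBSD tool: a small Python parser for this style of tcpdump TCP output that groups segments into flows, sums payload bytes per direction, and records which side sent the first FIN and the first RST. The embedded input is the Active-mode session copied from the trace above with the mail-wrapped lines rejoined; `{MyIP}` is the poster's redaction and is treated as an opaque host token. Everything else (function and field names) is this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the Active-mode control connection from the tcpdump in the
# post above, wrapped lines rejoined. "{MyIP}" is the poster's redacted address.
TRACE = """\
# client using Active FTP
11:14:00.399535 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: S 2379701912:2379701912(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1647223759 0> (DF)
11:14:00.470177 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: S 1733017700:1733017700(0) ack 2379701913 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
11:14:00.470450 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: . ack 1 win 17376 <nop,nop,timestamp 1647223759 0> (DF)
11:14:00.537331 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 1:48(47) ack 1 win 17520 <nop,nop,timestamp 10678922 1647223759> (DF)
11:14:00.543068 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: P 1:17(16) ack 48 win 17376 <nop,nop,timestamp 1647223760 10678922> (DF)
11:14:00.618652 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 48:120(72) ack 17 win 17504 <nop,nop,timestamp 10678923 1647223760> (DF)
11:14:00.623187 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: P 17:42(25) ack 120 win 17376 <nop,nop,timestamp 1647223760 10678923> (DF)
11:14:00.713161 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 120:808(688) ack 42 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.722053 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: F 42:42(0) ack 808 win 17376 <nop,nop,timestamp 1647223760 10678924> (DF)
11:14:00.792623 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: F 1079:1079(0) ack 43 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.792909 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: . ack 808 win 17376 <nop,nop,timestamp 1647223760 10678924> (DF)
11:14:00.796548 s3b-ftp.us.dell.com.ftp > {MyIP}.46697: P 808:1079(271) ack 43 win 17479 <nop,nop,timestamp 10678924 1647223760> (DF)
11:14:00.796743 {MyIP}.46697 > s3b-ftp.us.dell.com.ftp: R 2379701955:2379701955(0) win 0 (DF)
"""

# One tcpdump TCP line: timestamp, endpoints, flags, optional seq range with the
# payload length in parentheses, optional ack. Options, window and (DF) are ignored.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    length: int          # payload bytes carried by this segment
    ack: Optional[int]   # None for a bare SYN or any segment without ACK


def parse_trace(text: str) -> List[Packet]:
    """Parse tcpdump text output, skipping comments, banners and non-TCP lines."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["ts"], m["src"], m["dst"], m["flags"],
                               int(m["len"] or 0),
                               int(m["ack"]) if m["ack"] else None))
    return pkts


@dataclass
class FlowSummary:
    client: str                      # sender of the initial SYN
    server: str
    client_bytes: int = 0            # payload bytes client -> server
    server_bytes: int = 0            # payload bytes server -> client
    server_payloads: List[int] = field(default_factory=list)
    first_fin: Optional[str] = None  # "client" or "server"
    first_rst: Optional[str] = None
    server_bytes_before_client_fin: Optional[int] = None

    def verdict(self) -> str:
        if self.first_fin is None:
            return "no FIN seen"
        msg = f"{self.first_fin} sent the first FIN"
        if self.first_fin == "client":
            msg += f" after receiving {self.server_bytes_before_client_fin} bytes from the server"
        if self.first_rst:
            msg += f"; {self.first_rst} later sent RST"
        return msg


def summarize_flows(pkts: List[Packet]) -> List[FlowSummary]:
    """Group segments by endpoint pair and account for bytes and teardown order."""
    flows = {}
    for p in pkts:
        key = frozenset((p.src, p.dst))
        if key not in flows:
            # A bare SYN opens a flow and identifies the client; segments of a
            # flow whose SYN was not captured are ignored.
            if "S" not in p.flags or p.ack is not None:
                continue
            flows[key] = FlowSummary(client=p.src, server=p.dst)
        s = flows[key]
        side = "client" if p.src == s.client else "server"
        if side == "client":
            s.client_bytes += p.length
        else:
            s.server_bytes += p.length
            if p.length:
                s.server_payloads.append(p.length)
        if "F" in p.flags and s.first_fin is None:
            s.first_fin = side
            if side == "client":
                s.server_bytes_before_client_fin = s.server_bytes
        if "R" in p.flags and s.first_rst is None:
            s.first_rst = side
    return list(flows.values())


if __name__ == "__main__":
    for s in summarize_flows(parse_trace(TRACE)):
        print(f"{s.client} -> {s.server}: client sent {s.client_bytes} B, "
              f"server sent {s.server_bytes} B in {s.server_payloads}; {s.verdict()}")
```

Run on the session above it reports that the firewall-side endpoint `{MyIP}.46697` sent two segments totalling 41 bytes, the server answered with 47, 72, 688 and 271 bytes, and the first FIN came from the firewall side right after the 688-byte segment, with a RST when the server's last 271 bytes arrived after that close. The Passive-mode session in the trace has the identical shape (same byte counts, same order of FIN and RST), so the parser can be pointed at it unchanged. This narrows down where to look next; the trace by itself does not say why the firewall side closed.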
