issue with ftp-proxy and IP aliases



My home network has a firewall with two IP addresses, one is the primary
external address used with NAT for my internal network as a whole, the second
is an external address used with binat for a particular machine.

The IP address for the binat is numerically lower (.38) than the main external
address (.100, same subnet).

The /etc/hostname.if file contains .100 as the primary address and .38 as
an alias.

I run ftp-proxy with -n on the firewall.  Specifically, 

   127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy -n -w -r

The three key pf.conf rules are:

   nat on $ext_if from $INT_NET to any -> <.100 address>
   rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
   binat on $ext_if from <special machine ip> to any -> <.38 address>

Up until OpenBSD 3.3, I had no problems with this setup.  Now, however,
I run into the following problem when attempting to FTP from any machine
on the internal network other than the binatted machine:

If a passive FTP connection is used, the data connection comes from the
numerically lower external IP address on the firewall (.38) rather than
the primary IP (.100), which means that passive FTP no longer works.  The
control connection still comes from .100 as expected, but there's a
mismatch between the data and control connections.

Has anyone encountered this problem before?  Is there a solution that
doesn't require making the lower IP the primary address?

It appears to me that the problem is that where .38 used to be listed
as an alias and as the second IP on the interface, it is now listed
as the first IP on the interface and ifconfig doesn't identify either
IP as an "alias".

-- 
Jim Lippard        lippard_(_at_)_discord_(_dot_)_org       http://www.discord.org/
GPG Key ID: 0xF8D42CFE
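As an added example that is not part of Jim's post, the mismatch he describes can be spotted from the firewall's own pflog: the script below reads tcpdump-style outbound SYN records, remembers which external address each FTP control connection left from, and flags any later passive data connection to the same server that left from a different address. The log lines, interface name, rule number and addresses are constructed placeholders, not values from the post.

```python
import re

# Constructed sample of "tcpdump -n -r /var/log/pflog"-style output. The
# second line models the symptom from the post: the control connection to
# 198.51.100.7 leaves from .100, but the passive data connection leaves from .38.
SAMPLE_LOG = """\
rule 3/(match) pass out on ext0: 192.0.2.100.40001 > 198.51.100.7.21: S 1:1(0) win 16384
rule 3/(match) pass out on ext0: 192.0.2.38.40002 > 198.51.100.7.51234: S 1:1(0) win 16384
rule 3/(match) pass out on ext0: 192.0.2.100.40003 > 203.0.113.9.21: S 1:1(0) win 16384
rule 3/(match) pass out on ext0: 192.0.2.100.40004 > 203.0.113.9.50001: S 1:1(0) win 16384
"""

# Matches only outbound SYNs (state-creating packets), which is all we need to
# learn the source address pf chose for each connection.
LINE_RE = re.compile(
    r"pass out on \S+: (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S "
)


def parse_syns(log):
    """Yield (src_ip, dst_ip, dst_port) for each outbound SYN record in the log."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))


def find_passive_mismatches(log, ctrl_port=21):
    """Return a list of (server, control_src, data_src) tuples.

    A control connection is any SYN to ctrl_port; a later SYN from the firewall
    to a non-privileged port on the same server is treated as a passive-mode
    data connection. A tuple is reported when the two left from different
    firewall addresses, which is exactly the condition that breaks passive FTP.
    """
    control_src = {}
    mismatches = []
    for src, dst, dport in parse_syns(log):
        if dport == ctrl_port:
            control_src[dst] = src
        elif dst in control_src and dport >= 1024 and src != control_src[dst]:
            mismatches.append((dst, control_src[dst], src))
    return mismatches


if __name__ == "__main__":
    for server, ctrl, data in find_passive_mismatches(SAMPLE_LOG):
        print(f"{server}: control from {ctrl}, passive data from {data}")
```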
