
Re: FTP Re-Direct via local FTP-Proxy does not work....



I really do try to give as much info :-) 

But yes, with the former front-fw, still based on OBSD 2.7, it worked without
a problem.
I made no changes to the ISA server or clients. I just replaced the OBSD
front-fw with the 3.6 version.
When I put the 2.7 back in its place, it works again, but of course I don't
want the 2.7 as my front-fw.

Like I said, when I do a pfctl -d (disable the pf firewall) it works from
behind the ISA without a problem.
The moment I activate pf again (pfctl -e) it stops working, and the thing
is, the moment I activate pf, I don't see
traffic flowing in anymore, like so:

xl0 = internal nic

# pfctl -d
pf disabled
# tcpdump -i xl0 port 20
tcpdump: listening on xl0
	<I start a FTP session in a client NOW>
09:12:32.767515 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: S
3742989947:3742989947(0) win 5840 <mss 1460,sackOK,timestamp 237723416
0,nop,wscale 0> (DF)
09:12:32.767763 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: S
2412179937:2412179937(0) ack 3742989948 win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
09:12:32.882812 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: . ack 1
win 5840 <nop,nop,timestamp 237723427 0> (DF)
09:12:32.885125 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: F
1575:1575(0) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.885338 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack 1
win 17520 <nop,nop,timestamp 7634375 237723428,nop,nop,sack 1 {1575:1576} >
09:12:32.885463 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: P
1449:1575(126) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.885791 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack 1
win 17520 <nop,nop,timestamp 7634375 237723428,nop,nop,sack 1 {1449:1576} >
09:12:32.891788 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: .
1:1449(1448) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.893311 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack
1576 win 17520 <nop,nop,timestamp 7634376 237723428,nop,nop,sack 1
{1449:1576} >
09:12:32.893535 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: F 1:1(0)
ack 1576 win 17520 <nop,nop,timestamp 7634376 237723428>
09:12:33.004490 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: . ack 2
win 5840 <nop,nop,timestamp 237723440 7634376> (DF)
^C
31152 packets received by filter
0 packets dropped by kernel

Now I activate pf and try again:
# pfctl -e
pf enabled
# tcpdump -i xl0 port 20
tcpdump: listening on xl0
	<I start a FTP session in a client NOW>
....

Nothing... no traffic is recorded on xl0 at this time...

Now, I have the rdr pass redirecting to the localhost (127.0.0.1) for the
ftp-proxy...
So I was thinking, perhaps it does not arrive on xl0 anymore because of
the rdr pass, but it arrives on
lo0 (the loopback device).

# tcpdump -i lo0
tcpdump: listening on lo0
	<I start a FTP session in a client NOW>

....

But nothing there either...

The strange thing, however, is that it IS coming in somewhere, as I do see
the process being started (when pf is running).
I also see the traffic going out on the external NIC and I see it getting
back into the external NIC... and that's it...

As I don't see where it is coming in the moment I activate pf, I don't
know how to trace that either...

regards
Willem
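The pf-disabled capture above is being compared by eye with the (empty) pf-enabled one. As an added example that is not part of this thread, the script below parses captures in that OpenBSD 3.6 tcpdump line format, re-joins lines the mail client wrapped, and summarises each TCP flow (who sent the first SYN, which sides completed the handshake and closed, payload bytes per side), so captures on xl0, lo0 and fxp0 with pf on and off can be compared flow by flow. The sample capture is constructed after the one quoted above; 192.0.2.10 is a stand-in for the back firewall's address.

```python
import re
# Constructed sample in the OpenBSD 3.6 tcpdump line format quoted in the thread,
# with a mail client's line wrapping; 192.0.2.10 stands in for the back firewall (ISA).
SAMPLE = """\
tcpdump: listening on xl0
09:12:32.767515 166.90.213.143.ftp-data > 192.0.2.10.38985: S
3742989947:3742989947(0) win 5840 <mss 1460,sackOK> (DF)
09:12:32.767763 192.0.2.10.38985 > 166.90.213.143.ftp-data: S
2412179937:2412179937(0) ack 3742989948 win 16384
09:12:32.885463 166.90.213.143.ftp-data > 192.0.2.10.38985: P
1449:1575(126) ack 1 win 5840 (DF)
09:12:32.891788 166.90.213.143.ftp-data > 192.0.2.10.38985: . 1:1449(1448) ack 1 win 5840 (DF)
09:12:32.893535 192.0.2.10.38985 > 166.90.213.143.ftp-data: F 1:1(0) ack 1576 win 17520
^C
31152 packets received by filter
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # a packet line starts with a timestamp
PKT = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
                 r"(?: \d+:\d+\((?P<len>\d+)\))?")  # optional seq:end(payload length)

def unwrap(text):
    """Re-join packet lines a mail client wrapped; drop tcpdump banner/trailer lines."""
    out = []
    for line in text.splitlines():
        if TS.match(line):
            out.append(line)
        elif out and line and line[0] in "0123456789<(" and "packets" not in line:
            out[-1] += " " + line.strip()   # continuation of the previous packet line
    return out

def summarize(text):
    """Per flow: first SYN sender ('initiator'), SYN/FIN senders, payload bytes per side; 'active' = initiator on port 20, i.e. a data channel opened by the FTP server."""
    flows = {}
    for line in unwrap(text):
        m = PKT.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        f = flows.setdefault(frozenset((src, dst)),
                             {"initiator": None, "syn": set(), "fin": set(), "bytes": {}})
        if "S" in m["flags"]:
            f["syn"].add(src)
            f["initiator"] = f["initiator"] or src
        if "F" in m["flags"]:
            f["fin"].add(src)
        f["bytes"][src] = f["bytes"].get(src, 0) + int(m["len"] or 0)
        f["active"] = bool(f["initiator"]) and f["initiator"].endswith((".ftp-data", ".20"))
    return flows
```

A flow that has a single SYN sender and no SYN/ACK is the one to look for in the pf-enabled captures: the interface on which the server's port 20 SYN last appears (fxp0, lo0 or xl0) narrows down which rule is dropping it, and pfctl -s state plus the existing log keywords on the pass/block rules confirm it.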




-----Original Message-----
From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
Sent: Tuesday 8 February 2005 19:30
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....

Hello,

may I cite your original post:

>> to use an FTP proxy to allow FTP client traffic through. It works on my
>> former BSD box, but that is still running under ipfw :-(

and you did have that ISA server working with whatever BSD, and you did
configure your client so that it is allowed to use FTP (see Microsoft
TechNet), and nothing has changed in the configuration.

Sorry, I am not able to read your mind ;-) Please be specific in your
questions and mention all circumstances.

Regards

Stefan Kell

On Tue, 8 Feb 2005, forums wrote:

> Follow-up:
>
> I replaced the cross cable between the back/front fw with a hub and
> placed my laptop on that hub as well to see if I get a connection via
> FTP without the ISA in between.
>
> And that works...
>
> So, for some reason the ISA doesn't like it when pf sits in between
> the internet and it with regard to FTP traffic... (like I said, when I
> disable pf, it seems the ISA is OK with FTP traffic again)...
>
> Doesn't explain why I see outgoing traffic on the outside NIC but not
> on the inside... but I am getting closer, I think...
>
> Why ISA? ... integration into Active Directory makes life easier for my
> colleagues... :-) Never had this with Squid...
> %_(_at_)_$@#_(_at_)_!#$!$@!#$ if you know what I mean...
>
>
>
>
>
>
> -----Original Message-----
> From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
> Sent: Monday 7 February 2005 21:32
> To: forums
> CC: misc_(_at_)_openbsd_(_dot_)_org
> Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
>
> Hi,
>
> Hm, is ext_if connected directly to the internet? I mean, does it have
> a public IP address which can be connected to from the outside world?
> If not, ftp-proxy cannot work, because it sends its own IP address to
> the FTP server as the destination for the data connection. And this
> doesn't work if it is
> 192.168.1.1, for example.
>
> Regards
>
> Stefan Kell
>
> On Mon, 7 Feb 2005, forums wrote:
>
> > Hi,
> >
> > when I start an FTP session from a client, and then do
> >
> > #ps -aux | grep ftp-proxy
> >
> > I get
> > proxy     2461  0.0  0.1   180   620 ??  Is     5:35PM    0:00.00 ftp-proxy
> >
> > So, it does start....
> >
> > But my client never gets the FTP site, and the process is gone after
> > a minute or so.
> >
> > Checking /etc/group... proxy is user 71, so that's correct...
> > pf comes up with that number itself, as I give just the name:
> >
> > pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user 
> > proxy flags S/SA keep state
> >
> > So, it must be a pf block rule somewhere then, I think... this
> > is what I have at the moment:
> >
> > 	# Make FTP traffic be re-routed to a local ftp proxy
> > 	rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> >
> > 	# Here the real rules begin
> > 	#
> > 	block in  all
> > 	block out all
> > 	block return-rst in log on $ext_if inet proto tcp from any to any port=113
> >
> > 	pass quick on { lo } all
> > 	antispoof quick for { $int_if1 } inet
> >
> > 	# Allow traffic from and to Back-Firewall via $int_if1
> > 	pass in  on $int_if1 from <ip back fw> to any
> > 	pass out on $int_if1 from any to <ip back fw>
> >
> > 	# Allow traffic out towards internet ($ext_if) but with a state
> > 	pass out on $ext_if proto { tcp, udp, icmp } all modulate state flags S/SA
> >
> > 	# Allow incoming FTP traffic from the internet only when started from
> > 	# the local ftp-proxy
> > 	pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
> >
> > regards
> > Willem
> >
> > -----Original Message-----
> > From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
> > Sent: Monday 7 February 2005 17:11
> > To: forums
> > CC: misc_(_at_)_openbsd_(_dot_)_org
> > Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
> >
> > Hi,
> >
> > You are sure that ftp-proxy runs as user proxy? Your rule:
> >
> > > pass in log on fxp0 inet proto tcp from any port = ftp-data to
> > > (fxp0) user = 71 flags S/SA keep state
> >
> > specifies that the listener on port 20 must run with userid 71 (proxy).
> >
> > What does "ps -aux|grep ftp" give?
> >
> > > I don't really get why the 'port 20 to ($ext_if)' is there?
> >
> > Because the FTP server on the other side will open a data connection
> > from itself to port 20 on your firewall. That is the normal way for
> > active FTP.
> > If you switch to passive mode then you will open the data connection
> > to the other side.
> >
> > Regards
> >
> > Stefan Kell
> >
> > On Mon, 7 Feb 2005, forums wrote:
> >
> > > Sorry, the pfctl -s rules was a bit unreadable...
> > >
> > > -----Original Message-----
> > > From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
> > > Sent: Monday 7 February 2005 14:24
> > > To: misc_(_at_)_openbsd_(_dot_)_org
> > > Subject: FTP Re-Direct via local FTP-Proxy does not work....
> > >
> > > Hi,
> > >
> > > I always seem to have trouble getting FTP to work through the
> > > firewall. I am setting up a new firewall based on OpenBSD 3.6 and
> > > according to the man page / FAQ I need to use an FTP proxy to allow FTP
> > > client traffic through.
> > > It works on my former BSD box, but that is still running under
> > > ipfw :-(
> > >
> > >
> > > So, in /etc/pf.conf I have added:
> > >
> > > rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> > > (where $int_if1 is my internal NIC)
> > >
> > > In /etc/inetd.conf I activated the ftp-proxy with:
> > >
> > > 127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy
> > > (not -n as I do not do NAT on this system)
> > >
> > > Then I also added into /etc/pf.conf:
> > >
> > > pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
> > >
> > > to allow the incoming traffic from an 'active' FTP connection to get
> > > back into the system...
> > >
> > > But no cigar... I do see (using active FTP) the traffic getting
> > > back into the firewall, but that's it. When I disable pf (pfctl -d)
> > > then it runs like a charm, so it must be a pf block somewhere...
> > >
> > > ------------------------
> > > I don't really get why the 'port 20 to ($ext_if)' is there?
> > > Should it not go to the localhost (lo0)?
> > > I tried that, but that made no difference...
> > > ----------------------
> > >
> > > pfctl -s rules:
> > >
> > > xl0 internal nic
> > > fxp0 external nic
> > >
> > > scrub in all fragment reassemble
> > > block drop in all
> > > block drop out all
> > > block return-rst in log on fxp0 inet proto tcp from any to any port = auth
> > > pass quick on lo all
> > > block drop in quick on ! xl0 inet from <internal range> to any
> > > block drop in quick inet from <internal nic ip> to any
> > > pass in on xl0 inet from <internal proxy server ip> to any
> > > pass out on xl0 inet from any to <internal proxy server ip>
> > > pass out on fxp0 proto tcp all flags S/SA modulate state
> > > pass out on fxp0 proto udp all keep state
> > > pass out on fxp0 proto icmp all keep state
> > > pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
> > >
> > > Anyone know what the problem might be?
> > >
> > > regards
> > > Willem


