
Re: FTP Re-Direct via local FTP-Proxy does not work....



I think I found something.... DNS....

The FTP site in question is ftp.nai.com,
which, it seems, uses a round-robin of sorts to distribute load...

# ping ftp.nai.com
PING ftp.nai.speedera.net (63.218.7.139): 56 data bytes
64 bytes from 63.218.7.139: icmp_seq=0 ttl=54 time=177.028 ms
64 bytes from 63.218.7.139: icmp_seq=1 ttl=54 time=177.731 ms
64 bytes from 63.218.7.139: icmp_seq=2 ttl=54 time=177.035 ms
--- ftp.nai.speedera.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 177.028/177.264/177.731/0.587 ms
# ping ftp.nai.com
PING ftp.nai.speedera.net (63.209.221.236): 56 data bytes
64 bytes from 63.209.221.236: icmp_seq=0 ttl=52 time=102.102 ms
64 bytes from 63.209.221.236: icmp_seq=1 ttl=52 time=101.973 ms
64 bytes from 63.209.221.236: icmp_seq=2 ttl=52 time=102.034 ms
64 bytes from 63.209.221.236: icmp_seq=3 ttl=52 time=101.967 ms
64 bytes from 63.209.221.236: icmp_seq=4 ttl=52 time=102.015 ms
64 bytes from 63.209.221.236: icmp_seq=5 ttl=52 time=101.926 ms
--- ftp.nai.speedera.net ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 101.926/102.002/102.102/0.416 ms

You see the IP address changing...

The ISA server has its own DNS resolver address, as does the BSD box... but
they do not have the same DNS resolver...
It would perhaps help to set these identical... eeuh, no it doesn't, just
tried...

But, and that IS a difference with the former 2.7 box, that one was doing
DNS resolving (forwarding/caching).
But then again, I did not use the IP address of that box as DNS resolver on
ISA..

Would it make sense to set up the new OBSD box as a DNS forwarder/cache for
the ISA server, you think, and see if this
is perhaps the problem? Does it make sense, I mean really :-)

 

-----Original Message-----
From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
Sent: Wednesday 9 February 2005 9:26
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....

I really do try to give as much info :-) 

But yes, with the former front-fw, still based on OBSD 2.7, it worked without
a problem.
I did no changes to the ISA server or clients. I just replaced the OBSD
front-fw with the 3.6 version.
When I put the 2.7 back in its place, it works again. But of course, I don't
want the 2.7 as my front-fw.

Like I said, when I do a pfctl -d (disable the pf firewall) it works from
behind the ISA without a problem.
The moment I activate pf again (pfctl -e) it stops working. And the thing
is, the moment I activate pf, I don't see traffic flowing in anymore, like so:

xl0 = internal nic

# pfctl -d
pf disabled
tcpdump -i xl0 port 20
tcpdump: listening on xl0
	<I start a FTP session in a client NOW>
09:12:32.767515 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: S
3742989947:3742989947(0) win 5840 <mss 1460,sackOK,timestamp 237723416
0,nop,wscale 0> (DF)
09:12:32.767763 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: S
2412179937:2412179937(0) ack 3742989948 win 16384 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
09:12:32.882812 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: . ack 1
win 5840 <nop,nop,timestamp 237723427 0> (DF)
09:12:32.885125 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: F
1575:1575(0) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.885338 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack 1
win 17520 <nop,nop,timestamp 7634375 237723428,nop,nop,sack 1 {1575:1576} >
09:12:32.885463 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: P
1449:1575(126) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.885791 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack 1
win 17520 <nop,nop,timestamp 7634375 237723428,nop,nop,sack 1 {1449:1576} >
09:12:32.891788 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: .
1:1449(1448) ack 1 win 5840 <nop,nop,timestamp 237723428 0> (DF)
09:12:32.893311 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: . ack
1576 win 17520 <nop,nop,timestamp 7634376 237723428,nop,nop,sack 1
{1449:1576} >
09:12:32.893535 <ip back fw (ISA)>.38985 > 166.90.213.143.ftp-data: F 1:1(0)
ack 1576 win 17520 <nop,nop,timestamp 7634376 237723428>
09:12:33.004490 166.90.213.143.ftp-data > <ip back fw (ISA)>.38985: . ack 2 win 5840
<nop,nop,timestamp 237723440 7634376> (DF)
^C
31152 packets received by filter
0 packets dropped by kernel

Now I activate pf and try again:
# pfctl -e
pf enabled
# tcpdump -i xl0 port 20
tcpdump: listening on xl0
	<I start a FTP session in a client NOW> ....

Nothing... no traffic is recorded on xl0 at this time....

Now, I have the rdr pass redirecting to the localhost (127.0.0.1) for the
ftp-proxy...
So, I was thinking, perhaps it does not arrive on xl0 anymore because of
the rdr pass, but it arrives on lo0 (the loopback device)

# tcpdump -i lo0
tcpdump: listening on lo0
	<I start a FTP session in a client NOW>

....

But nothing there as well...

The strange thing however, is that it IS coming in somewhere, as I do see
the process being started (when pf is running). I also see the traffic going
out on the external NIC and I see it getting back into the external
NIC... and that's it...

As I don't see where it is coming in at the moment I activate pf, I don't
know how to trace that either...

regards
Willem
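The capture above shows the active-mode data channel being opened by the remote server from port 20 towards the ISA's ephemeral port: the firewall sees that SYN inbound, which is exactly what the "port 20 to ($ext_if)" rule discussed further down in the thread has to allow. As an added example (not code from the thread), here is a small parser that reads such tcpdump lines and reports which side initiated each connection; the ISA's address is replaced by the placeholder 192.0.2.10.

```python
import re

# Constructed sample: the post's tcpdump lines, ISA address replaced by placeholder 192.0.2.10
CAPTURE = """\
09:12:32.767515 166.90.213.143.ftp-data > 192.0.2.10.38985: S 3742989947:3742989947(0) win 5840 <mss 1460,sackOK> (DF)
09:12:32.767763 192.0.2.10.38985 > 166.90.213.143.ftp-data: S 2412179937:2412179937(0) ack 3742989948 win 16384 <mss 1460>
09:12:32.885463 166.90.213.143.ftp-data > 192.0.2.10.38985: P 1449:1575(126) ack 1 win 5840 (DF)
09:12:32.891788 166.90.213.143.ftp-data > 192.0.2.10.38985: . 1:1449(1448) ack 1 win 5840 (DF)
09:12:32.893535 192.0.2.10.38985 > 166.90.213.143.ftp-data: F 1:1(0) ack 1576 win 17520
"""

LINE = re.compile(r"^\S+ (\S+) > (\S+): ([SFPR.]+)(.*)$")  # ts src > dst: flags rest
SERVICES = {"ftp": 21, "ftp-data": 20}  # names old BSD tcpdump prints instead of numbers

def endpoint(text):
    """'166.90.213.143.ftp-data' -> ('166.90.213.143', 20)."""
    host, port = text.rsplit(".", 1)
    return host, SERVICES[port] if port in SERVICES else int(port)

def parse(capture):
    """Turn tcpdump text into packet dicts; banner and statistics lines are skipped."""
    pkts = []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        src, dst, flags, rest = m.groups()
        payload = re.search(r"\((\d+)\)", rest)  # "(1448)" = data bytes carried
        pkts.append({"src": endpoint(src), "dst": endpoint(dst),
                     "syn": "S" in flags, "fin": "F" in flags,
                     "ack": re.search(r"\back\b", rest) is not None,
                     "len": int(payload.group(1)) if payload else 0})
    return pkts

def flows(pkts):
    """Group packets per connection; whoever sends the bare SYN is the initiator."""
    out = {}
    for p in pkts:
        f = out.setdefault(tuple(sorted((p["src"], p["dst"]))),
                           {"initiator": None, "responder": None, "bytes": 0, "fin": False})
        if p["syn"] and not p["ack"] and f["initiator"] is None:
            f["initiator"], f["responder"] = p["src"], p["dst"]
        f["bytes"] += p["len"]
        f["fin"] = f["fin"] or p["fin"]
    return out

def describe(flow):
    """Active FTP: the server opens the data channel from port 20, so the SYN arrives inbound."""
    if flow["initiator"] and flow["initiator"][1] == 20:
        host, port = flow["responder"]
        return f"active-FTP data channel, server-initiated, inbound to {host} port {port}"
    return "client-initiated connection"
```

Feed it the output of `tcpdump -i <if> port 20` from the firewall to see, per flow, which side the state-creating SYN came from and therefore which direction a stateful pass rule must cover.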




-----Original Message-----
From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
Sent: Tuesday 8 February 2005 19:30
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....

Hello,

may I cite your original post:

>> to use a FTP Proxy to allow FTP client traffic trough. It works on my 
>> former bsd box, but that is still running under ipfw :-(

and you did have that ISA server working with whatever BSD, and you did
configure your client so that it is allowed to use FTP (see Microsoft
TechNet), and nothing has changed in the configuration.

Sorry I am not able to read your mind ;-) Please be specific in your
questions and mention all circumstances.

Regards

Stefan Kell

On Tue, 8 Feb 2005, forums wrote:

> Follow up:
>
> I replaced the cross cable between the back/front fw with a hub and
> placed my laptop on that hub as well to see if I get a connection via
> FTP without the ISA in between.
>
> And that works...
>
> So, for some reason the ISA doesn't like it when the pf sits in between
> the internet and it in regards to FTP traffic... (like I said, when I
> disable pf, it seems the ISA is ok with FTP traffic again...)
>
> Doesn't explain why I see outgoing traffic on the outside NIC but not
> on the inside... but I am getting closer I think...
>
> Why ISA?... integration into Active Directory makes life easier for my
> colleagues... :-) never had this with squid....
> %_(_at_)_$@#_(_at_)_!#$!$@!#$ if you know what I mean...
>
> -----Original Message-----
> From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
> Sent: Monday 7 February 2005 21:32
> To: forums
> CC: misc_(_at_)_openbsd_(_dot_)_org
> Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
>
> Hi,
>
> hm, is ext_if connected directly to the internet, I mean does it have
> a public IP address, which can be connected to from the outside world?
> If not, ftp-proxy cannot work because it sends its own IP address to
> the ftp-server as destination for the data-connection. And this
> doesn't work if it is 192.168.1.1 for example.
>
> Regards
>
> Stefan Kell
>
> On Mon, 7 Feb 2005, forums wrote:
>
> > Hi,
> >
> > when I start a FTP session from a client, and then do
> >
> > #ps -aux | grep ftp-proxy
> >
> > I get
> > proxy     2461  0.0  0.1   180   620 ??  Is     5:35PM    0:00.00 ftp-proxy
> >
> > So, it does start....
> >
> > but my client never gets the FTP site and the process is gone after
> > a minute or so.
> >
> > Checking /etc/group.... proxy is user 71 so that's correct...
> > pf comes up with that number itself, as I give just the name:
> >
> > pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
> >
> > So, it must kinda be a pf block rule somewhere then I think.... this
> > is what I have at the moment:
> >
> > 	# Make FTP traffic be re-routed to a local ftp proxy
> > 	rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> >
> > 	# Here the real rules begin
> > 	#
> > 	block in  all
> > 	block out all
> > 	block return-rst in log on $ext_if inet proto tcp from any to any port=113
> >
> > 	pass quick on { lo } all
> > 	antispoof quick for { $int_if1 } inet
> >
> > 	# Allow traffic from and to Back-Firewall via $int_if1
> > 	pass in  on $int_if1 from <ip back fw> to any
> > 	pass out on $int_if1 from any to <ip back fw>
> >
> > 	# Allow traffic out towards internet ($ext_if) but with a state
> > 	pass out on $ext_if proto { tcp, udp, icmp } all modulate state flags S/SA
> >
> > 	# Allow incoming FTP traffic from the internet only when started from the local ftp-proxy
> > 	pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
> >
> > regards
> > Willem
> >
> > -----Original Message-----
> > From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
> > Sent: Monday 7 February 2005 17:11
> > To: forums
> > CC: misc_(_at_)_openbsd_(_dot_)_org
> > Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
> >
> > Hi,
> >
> > you are sure that ftp-proxy runs as user proxy? Your rule:
> >
> > > pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
> >
> > specifies that the listener on port 20 must run with userid 71 (proxy).
> >
> > What gives "ps -aux|grep ftp"?
> >
> > > I don't get really why the ' port 20 to ($ext_if)'  is there?
> >
> > Because the ftp-server on the other side will open a data-connection
> > from himself to port 20 on your firewall. That is the normal way for active ftp.
> > If you switch to passive mode then you will open the data-connection
> > to the other side.
> >
> > Regards
> >
> > Stefan Kell
> >
> > On Mon, 7 Feb 2005, forums wrote:
> >
> > > Sorry, the pfctl -s rules was a bit unreadable...
> > >
> > > -----Original Message-----
> > > From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
> > > Sent: Monday 7 February 2005 14:24
> > > To: misc_(_at_)_openbsd_(_dot_)_org
> > > Subject: FTP Re-Direct via local FTP-Proxy does not work....
> > >
> > > Hi,
> > >
> > > I always seem to have trouble getting FTP to work through the
> > > firewall. I am setting up a new firewall based on OpenBSD 3.6 and
> > > according to the man page / FAQ I need to use an FTP proxy to allow FTP
> > > client traffic through.
> > > It works on my former BSD box, but that is still running under
> > > ipfw :-(
> > >
> > >
> > > So, in /etc/pf.conf I have added:
> > >
> > > rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> > > (where $int_if1 is my internal NIC)
> > >
> > > in /etc/inetd.conf I activated the FTP-PROXY with:
> > >
> > > 127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy
> > > (not -n as I do not do NAT on this system)
> > >
> > > Then I also added to /etc/pf.conf:
> > >
> > > pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
> > >
> > > to allow the incoming traffic from an 'active' FTP connection to get
> > > back into the system...
> > >
> > > But, no cigar.... I do see (using active FTP) the traffic getting
> > > back into the firewall, but that's it. When I disable pf (pfctl -d)
> > > then it runs like a charm, so it must be a PF block somewhere...
> > >
> > > ------------------------
> > > I don't really get why the ' port 20 to ($ext_if)' is there?
> > > Should it not go to the localhost (lo0)?
> > > I tried that, but that made no difference...
> > > ----------------------
> > >
> > > pfctl -s rules:
> > >
> > > xl0 internal nic
> > > fxp0 external nic
> > >
> > > scrub in all fragment reassemble
> > > block drop in all
> > > block drop out all
> > > block return-rst in log on fxp0 inet proto tcp from any to any port = auth
> > > pass quick on lo all
> > > block drop in quick on ! xl0 inet from <internal range> to any
> > > block drop in quick inet from <internal nic ip> to any
> > > pass in on xl0 inet from <internal proxy server ip> to any
> > > pass out on xl0 inet from any to <internal proxy server ip>
> > > pass out on fxp0 proto tcp all flags S/SA modulate state
> > > pass out on fxp0 proto udp all keep state
> > > pass out on fxp0 proto icmp all keep state
> > > pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
> > >
> > > anyone know what the problem might be?
> > >
> > > regards
> > > Willem


