Weird Issue with FTP and pf(8)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Weird Issue with FTP and pf(8)
- From: eric <eric-list-openbsd-misc_(_at_)_catastrophe_(_dot_)_net>
- Date: Thu, 22 Dec 2005 14:57:59 -0600
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Organization: Catastrophe.Net <http://www.catastrophe.net/>
Here's something strange. I'm trying to connect from a pf gateway to an ftp
server and it's failing in a very specific manner. Going through the pf
gateway works fine using passive mode, but from the gateway itself using
ftp(1) doesn't seem to work.
Observe:
$ ftp ftp.example.org
[ login as anonymous ]
ftp> ls
229 Entering Extended Passive Mode (|||62283|)
435 Can't build data connection: No such file or directory.
ftp> ls
229 Entering Extended Passive Mode (|||50641|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 16
drwxr-xr-x 10 1000 1000 512 Nov 15 15:10 OpenBSD
226 Transfer complete.
Why would I be getting a failed LIST the first time? This is very
reproducible: basically every second time a "dir" or "ls" will work.
Here's my pf from the host connecting to the FTP server. The machine these
rules are from is 3.8-STABLE.
##
blah = "10.18.209.66"
binat on $ext_if from 192.168.217.244 to any -> $blah
nat on $ext_if from any to any -> ($ext_if)
rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
scrub out all no-df random-id max-mss 1440 fragment reassemble
scrub in all no-df min-ttl 2 fragment reassemble
block return log all label "any-block-log"
block drop log from <idiots> to any
block drop in log on ! em0 inet from 10.18.209.0/24 to any label "em0-antispoof"
block drop in log on ! em0 inet from 10.18.209.48 to any label "em0-antispoof"
block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label "em0-antispoof"
block drop in log inet from 10.18.209.79 to any label "any-antispoof"
block drop in log inet from 10.18.209.48 to any label "any-antispoof"
block drop in log on ! rl0 inet from 192.168.217.240/28 to any label "rl0-antispoof"
block drop in log inet from 192.168.217.241 to any label "any-antispoof"
block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label "rl0-antispoof"
pass out quick proto tcp from any port = ssh to any flags S/SA modulate state queue(ssh_dfl, ssh_pri)
pass out quick inet proto tcp from any port = 3128 to any flags A/A keep state queue http
pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 flags S/SA keep state label "ftpproxy"
pass out quick proto tcp from any port = www to any flags A/A keep state queue httplo
pass out quick proto tcp from any port = https to any flags S/SA modulate state queue http
pass out quick proto tcp from any port = smtp to any flags S/SA modulate state queue smtp
pass out quick proto tcp from any port = domain to any flags S/SA modulate state queue dns_tcp
pass out quick proto tcp from any to any port = domain keep state queue dns_tcp
pass out quick proto udp from any to any port = domain keep state queue dns_udp
pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
pass out quick proto udp all keep state queue udp
pass out quick inet proto icmp all keep state queue icmp
pass out quick inet6 proto ipv6-icmp all keep state queue icmp
pass out quick all queue default
block return-rst log proto tcp all flags /S queue default
block return-rst log proto tcp all flags A/A queue default
pass in on rl0 inet proto udp from any to any port = bootps keep state label "rl0-bootps-in"
pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = domain keep state label "rl0-domain-udp-in"
pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = domain modulate state label "rl0-domain-tcp-in"
pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = ntp keep state label "rl0-ntp-in"
pass in inet6 proto ipv6-icmp all icmp6-type toobig
pass in inet6 proto ipv6-icmp all icmp6-type paramprob
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = auth modulate state label "any-identd-in"
pass in proto tcp from any to any port = smtp modulate state label "any-smtp-in"
pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 flags S/SA modulate state
pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 keep state
pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 keep state
pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = ssh modulate state
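A small diagnostic for the symptom described above, added here as an example and not part of the original post: it parses an ftp(1) session transcript (the constructed sample below is the one quoted in the report), pairs each EPSV announcement with the server's next reply, and flags the "every second attempt fails" pattern so it can be checked against pf state or ftp-proxy logs.

```python
import re

# Constructed sample transcript, copied from the session in the report above.
SESSION = """\
ftp> ls
229 Entering Extended Passive Mode (|||62283|)
435 Can't build data connection: No such file or directory.
ftp> ls
229 Entering Extended Passive Mode (|||50641|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 16
drwxr-xr-x 10 1000 1000 512 Nov 15 15:10 OpenBSD
226 Transfer complete.
"""

# RFC 2428 EPSV reply: "229 ... (|||<port>|)" -- only the port is carried.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# Any numeric FTP reply line ("150 ...", "435 ...", "226 ...").
REPLY_RE = re.compile(r"^(\d{3}) ")


def parse_data_attempts(transcript):
    """Return one dict per EPSV data connection: port, first reply code, ok flag.

    A 1xx/2xx reply right after the 229 means the data channel came up;
    a 4xx/5xx reply (such as the 435 in the report) means it did not.
    """
    attempts = []
    current = None
    for line in transcript.splitlines():
        m = EPSV_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "code": None, "ok": None}
            attempts.append(current)
            continue
        m = REPLY_RE.match(line)
        if m and current is not None and current["code"] is None:
            code = int(m.group(1))
            current["code"] = code
            current["ok"] = 100 <= code < 400
    return attempts


def alternating_failures(attempts):
    """True when success flips on every attempt: the 'every second time' symptom."""
    flags = [a["ok"] for a in attempts]
    return len(flags) >= 2 and all(
        flags[i] != flags[i + 1] for i in range(len(flags) - 1)
    )
```

Feed it a longer transcript captured with `ftp -v` to see whether the failures really alternate or just cluster, which narrows the search to either the proxy redirect (port 8021) or the ftp-data pass rule.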