
Re: Weird Issue with FTP and pf(8)



On 22/12/05, eric <eric-list-openbsd-misc_(_at_)_catastrophe_(_dot_)_net> wrote:
> Here's something strange. I'm trying to connect from a pf gateway to an ftp
> server and it's failing in a very specific manner. Going through the pf
> gateway works fine using passive mode, but from the gateway itself using
> ftp(1) doesn't seem to work.
>
> Observe:
>
> $ ftp ftp.example.org
>
> [ login as anonymous ]
>
> ftp> ls
> 229 Entering Extended Passive Mode (|||62283|)
> 435 Can't build data connection: No such file or directory.
> ftp> ls
> 229 Entering Extended Passive Mode (|||50641|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 16
> drwxr-xr-x  10 1000  1000  512 Nov 15 15:10 OpenBSD
> 226 Transfer complete.
>
> Why would I be getting a failed LIST the first time? This is very
> reproducible: basically every second time a "dir" or "ls" will work.
>
> Here's my pf from the host connecting to the FTP server. The machine these
> rules are from is 3.8-STABLE.
>
>
> ##
>
> blah = "10.18.209.66"
>
> binat  on $ext_if from 192.168.217.244 to any -> $blah
> nat   on $ext_if from any to any -> ($ext_if)
> rdr   on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> scrub out all no-df random-id max-mss 1440 fragment reassemble
> scrub in all no-df min-ttl 2 fragment reassemble
> block return log all label "any-block-log"
> block drop log from <idiots> to any
> block drop in log on ! em0 inet from 10.18.209.0/24 to any label "em0-antispoof"
> block drop in log on ! em0 inet from 10.18.209.48 to any label "em0-antispoof"
> block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label "em0-antispoof"
> block drop in log inet from 10.18.209.79 to any label "any-antispoof"
> block drop in log inet from 10.18.209.48 to any label "any-antispoof"
> block drop in log on ! rl0 inet from 192.168.217.240/28 to any label "rl0-antispoof"
> block drop in log inet from 192.168.217.241 to any label "any-antispoof"
> block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label "rl0-antispoof"
> pass out quick proto tcp from any port = ssh to any flags S/SA modulate state queue(ssh_dfl, ssh_pri)
> pass out quick inet proto tcp from any port = 3128 to any flags A/A keep state queue http
> pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 flags S/SA keep state label "ftpproxy"
> pass out quick proto tcp from any port = www to any flags A/A keep state queue httplo
> pass out quick proto tcp from any port = https to any flags S/SA modulate state queue http
> pass out quick proto tcp from any port = smtp to any flags S/SA modulate state queue smtp
> pass out quick proto tcp from any port = domain to any flags S/SA modulate state queue dns_tcp
> pass out quick proto tcp from any to any port = domain keep state queue dns_tcp
> pass out quick proto udp from any to any port = domain keep state queue dns_udp
> pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
> pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
> pass out quick proto udp all keep state queue udp
> pass out quick inet proto icmp all keep state queue icmp
> pass out quick inet6 proto ipv6-icmp all keep state queue icmp
> pass out quick all queue default
> block return-rst log proto tcp all flags /S queue default
> block return-rst log proto tcp all flags A/A queue default
> pass in on rl0 inet proto udp from any to any port = bootps keep state label "rl0-bootps-in"
> pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = domain keep state label "rl0-domain-udp-in"
> pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = domain modulate state label "rl0-domain-tcp-in"
> pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = ntp keep state label "rl0-ntp-in"
> pass in inet6 proto ipv6-icmp all icmp6-type toobig
> pass in inet6 proto ipv6-icmp all icmp6-type paramprob
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
> pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in proto tcp from any to any port = auth modulate state label "any-identd-in"
> pass in proto tcp from any to any port = smtp modulate state label "any-smtp-in"
> pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 flags S/SA modulate state
> pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 keep state
> pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 keep state
> pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
> pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = ssh modulate state

Try changing

rdr   on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

to

rdr proto tcp from any to any port 21 -> 127.0.0.1 port 8021

and don't forget to check that you indeed run an ftp-proxy.

Cheers,
Constantine.
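A small check script for the two things the reply asks for, added here as an example and not part of the thread: it looks for a listener on 127.0.0.1 port 8021 in `netstat -an -f inet` output and for a port-21 rdr rule to that socket in `pfctl -sn` output, flagging whether the rdr carries an `on <interface>` clause as in the original ruleset. All inputs below are constructed samples so it runs offline; on a real gateway pipe in the live commands instead.

```shell
#!/bin/sh
# Example check for the ftp-proxy setup discussed in the thread (not code from
# the thread). Inputs are constructed samples shaped like OpenBSD netstat/pfctl
# output; on a real gateway feed `netstat -an -f inet` and `pfctl -sn` instead.

# Exit 0 when the netstat text on stdin shows a TCP listener on 127.0.0.1:8021
# (OpenBSD netstat prints the socket as 127.0.0.1.8021).
proxy_listening() {
    grep -E '^tcp[[:space:]].*[[:space:]]127\.0\.0\.1\.8021[[:space:]].*LISTEN' >/dev/null
}

# Exit 0 when the pfctl -sn text on stdin has a port-21 rdr to 127.0.0.1:8021
# that is NOT restricted with "on <interface>", i.e. the form the reply suggests.
# pfctl shows port 21 as "ftp"; "rdr pass" is tolerated, so "on" may be $2 or $3.
rdr_without_interface() {
    awk '
        /^rdr / && /port = (ftp|21) / && /-> 127\.0\.0\.1 port 8021/ {
            if ($2 == "on" || $3 == "on") bound++; else unbound++
        }
        END { if (unbound > 0) exit 0; exit 1 }'
}

# $1: netstat text, $2: pfctl -sn text. Returns 0 only when both checks pass.
check_ftp_proxy() {
    printf '%s\n' "$1" | proxy_listening || {
        echo "no listener on 127.0.0.1:8021 - is ftp-proxy running?"; return 1; }
    printf '%s\n' "$2" | rdr_without_interface || {
        echo "port-21 rdr to the proxy is missing or bound to an interface"; return 2; }
    echo "ftp-proxy listening and interface-independent rdr present"
}

# Constructed sample outputs (not captured from the poster's machine).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.8021         *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

PF_BOUND='rdr on rl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
nat on em0 inet from any to any -> (em0)'

PF_FIXED='rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
nat on em0 inet from any to any -> (em0)'

check_ftp_proxy "$NETSTAT_SAMPLE" "$PF_BOUND" || :   # reports the interface-bound rdr
check_ftp_proxy "$NETSTAT_SAMPLE" "$PF_FIXED"        # passes
```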


