On Sat, 8 Jun 2002, Tobias Wigand wrote:
> tried it on openbsd 2.9 (with latest stable source). with ipf3428p.tgz
> ftp transfers with "port" work fine. with 3.4.28 connects stall after
> the "list" command sent by my ftp client.
> i can provide more information if necessary.
> wasn't able to try on 3.0 and 3.1 by now but i will asap.
>
Just to confirm using IP-Filter 3.4.28 on OpenBSD 2.7 and active ftp from
an NT4 Server (ftp from MS-DOS prompt) behind the OpenBSD system hangs on
a listing.
Originally had the following entry in /etc/ipnat.rules
map tun0 0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
but had to add
map tun0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
for the FTP Proxy within IP-Filter to be kicked into action; however, the
listing still fails. The ip-address of the NT4 server is 192.168.1.2.
Here's the output from ipnat -lv:
bash-2.04# ipnat -lv
List of active MAP/Redirect filters:
map tun0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 7070 raudio/tcp
map tun0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map tun0 192.168.0.0/16 -> 0.0.0.0/32
map tun1 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun1 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map tun1 192.168.0.0/16 -> 0.0.0.0/32
map tun2 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun2 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map tun2 192.168.0.0/16 -> 0.0.0.0/32
map tun3 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun3 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map tun3 192.168.0.0/16 -> 0.0.0.0/32
List of active sessions:
MAP 192.168.1.11 <- -> aaa.bbb.ccc.ddd [aaa.bbb.ccc.ddd]
age 1170 use 0 sumd 0xbf22/0xbf22 pr 1 bkt 120/22 flags 0
ifp tun0 bytes 336 pkts 6
MAP 192.168.1.2 1087 <- -> aaa.bbb.ccc.ddd 1087 [193.230.167.76 0]
age 993 use 0 sumd 0xbf2b/0xbf2b pr 6 bkt 68/76 flags 201
ifp tun0 bytes 0 pkts 0
MAP 192.168.1.2 1086 <- -> aaa.bbb.ccc.ddd 1086 [193.230.167.76 21]
age 1170 use 0 sumd 0xbf2b/0xbf2b pr 6 bkt 108/116 flags 1
ifp tun0 bytes 1532 pkts 27
proxy ftp/6 use 5 flags 0
proto 6 flags 0 bytes 923 pkts 15 data YES size 376
state[0,0], sel[0,1]
seq: off 0/3 min 0/11f6d
ack: off 0/0 min 0/0
FTP Proxy:
passok: 0
Client:
seq 11f6e len 0 junk 0 cmds 3
buf [PORT 192,168,1,2,4,63\015\012olden.com.au\015\012\000]
Server:
seq 9c86bae len 30 junk 0 cmds 5
buf [200 PORT command successful.\015\012restrictions apply.\015\012dress as your password.\015\012\000]
List of active host mappings:
192.168.1.2 -> 0.0.0.0 (use = 2 hv = 40)
192.168.1.11 -> 0.0.0.0 (use = 1 hv = 112)
bash-2.04#
I'm a little puzzled by the line with 192.168.1.11 as that is the
ip-address of the internal interface.
Cheers,
Larry.