On 22/12/05, eric <[EMAIL PROTECTED]> wrote:
> Here's something strange. I'm trying to connect from a pf gateway to an ftp
> server and it's failing in a very specific manner. Going through the pf
> gateway works fine using passive mode, but from the gateway itself using
> ftp(1) doesn't seem to work.
>
> Observe:
>
> $ ftp ftp.example.org
>
> [ login as anonymous ]
>
> ftp> ls
> 229 Entering Extended Passive Mode (|||62283|)
> 435 Can't build data connection: No such file or directory.
> ftp> ls
> 229 Entering Extended Passive Mode (|||50641|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 16
> drwxr-xr-x 10 1000 1000 512 Nov 15 15:10 OpenBSD
> 226 Transfer complete.
>
> Why would I be getting a failed LIST the first time? This is very
> reproducible: basically every second time a "dir" or "ls" will work.
>
> Here's my pf from the host connecting to the FTP server. The machine these
> rules are from is 3.8-STABLE.
>
> ##
>
> blah = "10.18.209.66"
>
> binat on $ext_if from 192.168.217.244 to any -> $blah
> nat on $ext_if from any to any -> ($ext_if)
> rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> scrub out all no-df random-id max-mss 1440 fragment reassemble
> scrub in all no-df min-ttl 2 fragment reassemble
> block return log all label "any-block-log"
> block drop log from <idiots> to any
> block drop in log on ! em0 inet from 10.18.209.0/24 to any label "em0-antispoof"
> block drop in log on ! em0 inet from 10.18.209.48 to any label "em0-antispoof"
> block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label "em0-antispoof"
> block drop in log inet from 10.18.209.79 to any label "any-antispoof"
> block drop in log inet from 10.18.209.48 to any label "any-antispoof"
> block drop in log on ! rl0 inet from 192.168.217.240/28 to any label "rl0-antispoof"
> block drop in log inet from 192.168.217.241 to any label "any-antispoof"
> block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label "rl0-antispoof"
> pass out quick proto tcp from any port = ssh to any flags S/SA modulate state queue(ssh_dfl, ssh_pri)
> pass out quick inet proto tcp from any port = 3128 to any flags A/A keep state queue http
> pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 flags S/SA keep state label "ftpproxy"
> pass out quick proto tcp from any port = www to any flags A/A keep state queue httplo
> pass out quick proto tcp from any port = https to any flags S/SA modulate state queue http
> pass out quick proto tcp from any port = smtp to any flags S/SA modulate state queue smtp
> pass out quick proto tcp from any port = domain to any flags S/SA modulate state queue dns_tcp
> pass out quick proto tcp from any to any port = domain keep state queue dns_tcp
> pass out quick proto udp from any to any port = domain keep state queue dns_udp
> pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
> pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
> pass out quick proto udp all keep state queue udp
> pass out quick inet proto icmp all keep state queue icmp
> pass out quick inet6 proto ipv6-icmp all keep state queue icmp
> pass out quick all queue default
> block return-rst log proto tcp all flags /S queue default
> block return-rst log proto tcp all flags A/A queue default
> pass in on rl0 inet proto udp from any to any port = bootps keep state label "rl0-bootps-in"
> pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = domain keep state label "rl0-domain-udp-in"
> pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = domain modulate state label "rl0-domain-tcp-in"
> pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = ntp keep state label "rl0-ntp-in"
> pass in inet6 proto ipv6-icmp all icmp6-type toobig
> pass in inet6 proto ipv6-icmp all icmp6-type paramprob
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
> pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in proto tcp from any to any port = auth modulate state label "any-identd-in"
> pass in proto tcp from any to any port = smtp modulate state label "any-smtp-in"
> pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 flags S/SA modulate state
> pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 keep state
> pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 keep state
> pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
> pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = ssh modulate state
Try changing

rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

to

rdr proto tcp from any to any port 21 -> 127.0.0.1 port 8021

and don't forget to check that you indeed run an ftp-proxy.

Cheers,
Constantine.
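As an added illustration, not part of either message in this thread, here is a small Python check that parses rdr rules in the pf syntax quoted above and flags a port-21 redirect that is bound to an interface with `on`, the shape the reply suggests changing. The regex covers only the rdr form used in this thread (not the full pf grammar), and the sample ruleset is constructed from the lines quoted above.

```python
import re

# Subset of the pf rdr syntax seen in this thread (3.x-era pf); not a full pf grammar:
#   rdr [pass] [on <if>] proto <proto> from <src> to <dst> port <n> -> <addr> port <m>
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?(?:\s+on\s+(?P<iface>\S+))?\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s*->\s*(?P<raddr>\S+)\s+port\s+(?P<rport>\d+)\s*$"
)


def find_ftp_rdr(ruleset: str, ftp_port: int = 21) -> list:
    """Return every rdr rule that redirects the FTP control port.

    'interface_bound' is True when the rule carries 'on <if>'. The reply in
    this thread recommends dropping that restriction so the gateway's own
    ftp(1) sessions are redirected to ftp-proxy too; this check flags the
    rules that still have it.
    """
    findings = []
    for line in ruleset.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or int(m.group("dport")) != ftp_port:
            continue
        findings.append({
            "rule": line.strip(),
            "iface": m.group("iface"),
            "raddr": m.group("raddr"),
            "rport": int(m.group("rport")),
            "interface_bound": m.group("iface") is not None,
        })
    return findings


# Constructed sample: the original rdr line from the thread surrounded by two
# unrelated rules, and the variant the reply suggests.
ORIGINAL_RULESET = """\
nat on $ext_if from any to any -> ($ext_if)
rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass out quick all queue default
"""
SUGGESTED_RULESET = ORIGINAL_RULESET.replace("rdr on $wire_if proto", "rdr proto")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULESET), ("suggested", SUGGESTED_RULESET)):
        for f in find_ftp_rdr(rules):
            scope = "bound to " + f["iface"] if f["interface_bound"] else "all interfaces"
            print(f"{name}: port 21 -> {f['raddr']}:{f['rport']} ({scope})")
```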