Re: ftp-proxy problem using active ftp

2007-02-17 Thread Nils.Reuvers
Camiel,

Thanks for all your help. It looks like it is something upstream,
because all your hints check out.

Today I tried to ssh externally to the OpenBSD firewall and what do you
think; no packets arrive at the external interface. So it must be that
damn IAS modem that is blocking everything. How on earth can they set up
something like that? Cost me a day to find out (partially my fault of
course).

Thanks again.

Nils

=

A disclaimer applies to this email and any attachments.
Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this
disclaimer.



Re: ftp-proxy problem using active ftp

2007-02-16 Thread Camiel Dobbelaar
On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> #1 client: PORT 192,168,1,56,9,96\r\n
> #1 proxy: PORT 193,172,163,50,235,99\r\n

193.172.163.50 is the correct external IP?  Does the firewall have more
than one external IP?

> #1 server: 200 PORT command successful - not using PASV eh?\r\n
> #1 active: server to client port 2400 via port 60259
> #1 client: NLST\r\n

This looks fine.  At the point where it says "active" it has inserted the 
rules.  You can check those like this:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/27568.13

# pfctl -a ftp-proxy/27568.13 -sr
pass in quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0
pass out quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0

and with -sn for the nat rules.

Do those look correct?

> My PF log isn't showing anything useful regarding ftp.

Make sure all the rules have the log option set, especially the block 
rules.

You can also try tcpdump on the external interface to check if the SYN 
packets of the active connection are coming in.

If nothing comes in, someone upstream may be blocking.


--
Cam



Re: ftp-proxy problem using active ftp

2007-02-16 Thread Nils.Reuvers
Hi Camiel,

Thanks for your answer. I've also tried other ftp sites (for instance
ftp.openbsd.org).

I've started ftp-proxy like this: sudo /usr/sbin/ftp-proxy -d -D7 -r
Then I connected to ftp.openbsd.org using an anonymous account and active
mode.

listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 server: 220-\r\n
#1 server: 220-  Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220-  at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called "ls-lR.gz" in /pub.  It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree.  \r\n
#1 server: 220-\r\n
#1 server: 220-If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS [EMAIL PROTECTED]
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n

And then it hangs

After closing the session I get:
#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 server: 221 Goodbye.\r\n
#1 client close
#1 ending session

I also put the anchors before any other ruling. No luck though.

My PF log isn't showing anything useful regarding ftp.

I just installed a new OpenBSD 4.0 system and it has the same problem.

I installed everything from CD.
After halting and rebooting:
Create a user account with sudo privileges
Edit rc.conf to enable pf and enable ftp-proxy with -r option
Then modify the example pf.conf file, so that it fits my interfaces
Uncomment net.inet.ip.forwarding into=1 in /etc/sysctl.conf
Reboot my system

Now, in my book I should have a working system with active ftp support.
But I don't.

Am I missing something?

Nils

-Original Message-
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]
Sent: vrijdag 16 februari 2007 12:59
To: Reuvers, Nils
Subject: Re: ftp-proxy problem using active ftp


Try to move the anchors as high as possible in their sections.  (the nat
and rdr anchor first in the nat section;  the normal anchor first in the
filter rule section).

Crank up the logging like this: ftp-proxy -d -D7 -r

Watch your pf logging as well.

Doesn't the bank app. (ABN AMRO?) use a weird port like 40 or 41 or so?







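An added consistency check over the ftp-proxy debug output posted above (example code written for this page, not part of the thread or of ftp-proxy itself): it decodes both PORT commands, confirms the proxy rewrote the address to its own external IP and not a private one (the question Camiel raises), and checks that the ports on the "active" line match what was negotiated. An empty result means the proxy side is consistent and the next place to look is the filter rules or, as in this thread, upstream. It assumes the line formats exactly as shown in the log above.

```python
import ipaddress
import re

# Constructed sample: the PORT exchange quoted in this thread, as printed by ftp-proxy -d -D7 -r.
SAMPLE_LOG = """\
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 client: PORT 192,168,1,56,9,96\\r\\n
#1 proxy: PORT 193,172,163,50,235,99\\r\\n
#1 server: 200 PORT command successful - not using PASV eh?\\r\\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\\r\\n
"""

SESSION_RE = re.compile(r"#(\d+) FTP session .*client (\S+) to server (\S+) via proxy (\S+)")
PORT_RE = re.compile(r"#(\d+) (client|proxy): PORT ((?:\d+,){5}\d+)")
ACTIVE_RE = re.compile(r"#(\d+) active: server to client port (\d+) via port (\d+)")

def decode_port(arg):
    """Decode the FTP PORT argument h1,h2,h3,h4,p1,p2 into (address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_log(log):
    """Collect, per session, the endpoints, both PORT arguments and the 'active' line."""
    sessions = {}
    for line in log.splitlines():
        if m := SESSION_RE.match(line):
            sessions[m[1]] = {"client": m[2], "server": m[3], "proxy": m[4]}
        elif m := PORT_RE.match(line):
            sessions[m[1]][m[2] + "_port"] = decode_port(m[3])
        elif m := ACTIVE_RE.match(line):
            sessions[m[1]]["active"] = (int(m[2]), int(m[3]))
    return sessions

def check_session(s):
    """Return the inconsistencies found in one session (empty list = proxy side looks right)."""
    problems = []
    caddr, cport = s["client_port"]
    paddr, pport = s["proxy_port"]
    if caddr != s["client"]:
        problems.append(f"client PORT address {caddr} != control-connection client {s['client']}")
    if paddr != s["proxy"]:
        problems.append(f"proxy rewrote PORT to {paddr}, not its external address {s['proxy']}")
    if ipaddress.ip_address(paddr).is_private:
        problems.append(f"proxy advertised private address {paddr} to the server")
    if "active" not in s:
        problems.append("no 'active' line: proxy never inserted its pf rules")
    elif s["active"] != (cport, pport):
        problems.append(f"'active' ports {s['active']} disagree with PORT ports {(cport, pport)}")
    return problems
```

Run check_session on each entry returned by parse_log(SAMPLE_LOG); for the log in this thread it returns an empty list, which is why the 425 timeout points at packets not arriving rather than at the proxy.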
ftp-proxy problem using active ftp

2007-02-16 Thread Nils.Reuvers
Hi all,

I'm about to turn nuts over ftp-proxy. I would greatly appreciate any
assistance. The problem is I can't get active FTP to work and I need it
for my clients to communicate with a bank. The clients are behind a pf
firewall which is doing nat and firewalling for the whole internal
subnet.

Running OpenBSD 4.0 -stable -release
I have taken the faq-example1 from /usr/share/pf and modified the
interfaces and removed the port 80 redirect (since I do not have a
webserver internally).

/usr/sbin/ftp-proxy is running with -r
#ps -xa
12876 ??  Is  0:00.06 /usr/sbin/ftp-proxy -r

Passive FTP works instantly, but active does not. I do get a control
connection, but it holds when I try to retrieve data.

My pf.conf:
# $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
ext_if="pcn0"
int_if="fxp0"

icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

#end pf.conf


Thanks.

Nils Reuvers

