Re: ftp-proxy problem using active ftp
Camiel,

Thanks for all your help. It looks like it is something upstream, because all your hints check out. Today I tried to ssh externally to the OpenBSD firewall and what do you think; no packets arrive at the external interface. So it must be that damn IAS modem that is blocking everything. How on earth can they set up something like that? Cost me a day to find out (partially my fault of course).

Thanks again.

Nils

-----Original Message-----
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]]
Sent: Friday 16 February 2007 19:24
To: Reuvers, Nils
Cc: misc@openbsd.org
Subject: Re: ftp-proxy problem using active ftp

On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> #1 client: PORT 192,168,1,56,9,96\r\n
> #1 proxy: PORT 193,172,163,50,235,99\r\n

193.172.163.50 is the correct external IP?
Does the firewall have more than one external IP?

> #1 server: 200 PORT command successful - not using PASV eh?\r\n
> #1 active: server to client port 2400 via port 60259
> #1 client: NLST\r\n

This looks fine. At the point where it says "active" it has inserted the rules. You can check those like this:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/27568.13

# pfctl -a ftp-proxy/27568.13 -sr
pass in quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0
pass out quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0

and with -sn for the nat rules. Do those look correct?

> My PF log isn't showing anything useful regarding ftp.

Make sure all the rules have the log option set, especially the block rules.

You can also try tcpdump on the external interface to check if the SYN packets of the active connection are coming in. If nothing comes in, someone upstream may be blocking.

--
Cam

=
A disclaimer applies to this email and any attachments.
Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this disclaimer.
Re: ftp-proxy problem using active ftp
On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> #1 client: PORT 192,168,1,56,9,96\r\n
> #1 proxy: PORT 193,172,163,50,235,99\r\n

193.172.163.50 is the correct external IP?
Does the firewall have more than one external IP?

> #1 server: 200 PORT command successful - not using PASV eh?\r\n
> #1 active: server to client port 2400 via port 60259
> #1 client: NLST\r\n

This looks fine. At the point where it says "active" it has inserted the rules. You can check those like this:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/27568.13

# pfctl -a ftp-proxy/27568.13 -sr
pass in quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0
pass out quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0

and with -sn for the nat rules. Do those look correct?

> My PF log isn't showing anything useful regarding ftp.

Make sure all the rules have the log option set, especially the block rules.

You can also try tcpdump on the external interface to check if the SYN packets of the active connection are coming in. If nothing comes in, someone upstream may be blocking.

--
Cam
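As an added example (not code from the thread, from OpenBSD, or from ftp-proxy itself), the script below works through the trace quoted in the reply above: it decodes the h1,h2,h3,h4,p1,p2 argument of each PORT command (port = p1*256 + p2, so 9,96 is 2400 and 235,99 is 60259, which is exactly what the "active" line reports), checks that the client names its own address and that the proxy rewrote it to the proxy's external address, and derives the rdr and pass rules to look for in the ftp-proxy/<pid>.<session> anchor plus a tcpdump filter for the server's SYN on the external interface. The rule text is modelled on the pfctl -sr output above; that ftp-proxy inserts exactly those rules is an assumption of the example, as is the tcpdump expression. The sample trace lines are copied from the thread.

```python
"""Decode an ftp-proxy(8) -D7 trace of an active-mode (PORT) data connection.

Added example for this thread; it is not code from OpenBSD's ftp-proxy or
from anyone in the thread. It decodes the RFC 959 PORT arguments the proxy
logs, checks that the proxy rewrote the client's private address to the
proxy (external) address, and derives the data connection pf should see.
The rule text is modelled on the pfctl -sr output in Camiel's reply; what
ftp-proxy inserts exactly is an assumption here, not a quote of its source.
"""
import re

# Constructed from the trace in the thread. ftp-proxy prints the CRLF as
# the two characters backslash-r backslash-n, hence the raw string.
SAMPLE_TRACE = r"""
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n
"""

SESSION_RE = re.compile(
    r"#(?P<id>\d+) FTP session \S+ started: client (?P<client>\S+) "
    r"to server (?P<server>\S+) via proxy (?P<proxy>\S+)")
PORT_RE = re.compile(r"#(?P<id>\d+) (?P<who>client|proxy): PORT (?P<arg>[\d,]+)")
ACTIVE_RE = re.compile(
    r"#(?P<id>\d+) active: server to client port (?P<cport>\d+) via port (?P<pport>\d+)")


def decode_port(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2) as RFC 959 defines it."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PORT argument names port 0")
    return ".".join(str(f) for f in fields[:4]), port


def analyse(trace):
    """Return session, decoded PORT addresses, consistency findings and expected rules."""
    session, ports, active, findings = None, {}, None, []
    for line in trace.splitlines():
        if m := SESSION_RE.match(line):
            session = m.groupdict()
        elif m := PORT_RE.match(line):
            ports[m.group("who")] = decode_port(m.group("arg"))
        elif m := ACTIVE_RE.match(line):
            active = (int(m.group("cport")), int(m.group("pport")))
    if session is None or "client" not in ports or "proxy" not in ports:
        raise ValueError("trace has no session line or no client/proxy PORT pair")

    chost, cport = ports["client"]
    phost, pport = ports["proxy"]
    # The client must name itself. Anything else is a misconfigured client or
    # an attempt to make the server (or the firewall) connect somewhere else.
    if chost != session["client"]:
        findings.append(f"client PORT names {chost}, not the client {session['client']}")
    # Camiel's first question: is the rewritten address the external IP?
    if phost != session["proxy"]:
        findings.append(f"proxy PORT names {phost}, not the proxy address {session['proxy']}")
    if active is not None and active != (cport, pport):
        findings.append(f"'active' line reports {active}, decoded PORT ports are {(cport, pport)}")

    server = session["server"]
    return {
        "session": session,
        "client_data": (chost, cport),
        "proxy_data": (phost, pport),
        "findings": findings,
        # The rdr maps the proxy's listening port back onto the client's
        # port; filter rules are evaluated after that translation, which is
        # why the pass rules in the thread name the client, not the proxy.
        "expected_rdr": (f"rdr inet proto tcp from {server} to {phost} port = {pport} "
                         f"-> {session['client']} port {cport}"),
        "expected_pass": (f"pass in quick inet proto tcp from {server} to {session['client']} "
                          f"port = {cport} flags S/SA keep state (max 1)"),
        # What to watch for on the external interface: the server's SYN.
        "tcpdump_filter": (f"tcp[tcpflags] & tcp-syn != 0 and src host {server} "
                           f"and dst host {phost} and dst port {pport}"),
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_TRACE)
    print("client listens on %s:%d, proxy listens on %s:%d" % (*r["client_data"], *r["proxy_data"]))
    for key in ("expected_rdr", "expected_pass", "tcpdump_filter"):
        print(key + ":", r[key])
    print("findings:", r["findings"] or "none")
```

Run it against a trace from ftp-proxy -d -D7 and compare expected_rdr and expected_pass with what pfctl -a ftp-proxy/<pid>.<session> -sn and -sr print while the transfer hangs; if the anchor rules match and tcpdump with the printed filter shows no SYN arriving on the external interface, the block is upstream of the firewall, which is where this thread ended up.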
Re: ftp-proxy problem using active ftp
Hi Camiel,

Thanks for your answer.

I've also tried other ftp sites (for instance ftp.openbsd.org).

I've started ftp-proxy like this:
sudo /usr/sbin/ftp-proxy -d -D7 -r

Then I connected to ftp.openbsd.org using an anonymous account and Active mode:

listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.1.56
#1 FTP session 1/100 started: client 192.168.1.56 to server 129.128.5.191 via proxy 193.172.163.50
#1 server: 220-\r\n
#1 server: 220- Welcome to SunSITE Alberta\r\n
#1 server: 220-\r\n
#1 server: 220- at the University of Alberta, in Edmonton, Alberta, Canada\r\n
#1 server: 220-\r\n
#1 server: 220-All connections to and transfers from this server are logged. If \r\n
#1 server: 220-you do not like this policy, please disconnect now.\r\n
#1 server: 220-\r\n
#1 server: 220-You may want to grab the index file called "ls-lR.gz" in /pub. It is \r\n
#1 server: 220-updated nightly with the contents of the ftp tree. \r\n
#1 server: 220-\r\n
#1 server: 220-If you have any questions, hints, or requests, please email\r\n
#1 server: 220-\r\n
#1 server: 220- [EMAIL PROTECTED]
#1 server: 220-\r\n
#1 server: 220 \r\n
#1 client: USER anonymous\r\n
#1 server: 331 Who are you impersonating today?\r\n
#1 client: PASS [EMAIL PROTECTED]
#1 server: 230-\r\n
#1 server: 230- Welcome to Sunsite Alberta\r\n
#1 server: 230- Login Successful.\r\n
#1 server: 230 Your data rate unrestricted\r\n
#1 client: PORT 192,168,1,56,9,96\r\n
#1 proxy: PORT 193,172,163,50,235,99\r\n
#1 server: 200 PORT command successful - not using PASV eh?\r\n
#1 active: server to client port 2400 via port 60259
#1 client: NLST\r\n

And then it hangs.

After closing the session I get:

#1 server: 425 Timeout establishing data connection - Broke your packet filters again eh?\r\n
#1 client: QUIT\r\n
#1 server: 221 Goodbye.\r\n
#1 client close
#1 ending session

I also put the anchors before any other ruling. No luck though.

My PF log isn't showing anything useful regarding ftp.
I just installed a new OpenBSD 4.0 system and it has the same problem.

I installed everything from CD. After halting and rebooting:

Create a user account with sudo privileges
Edit rc.conf to enable pf and enable ftp-proxy with -r option
Then modify the example pf.conf file, so that it fits my interfaces
Uncomment net.inet.ip.forwarding=1 in /etc/sysctl.conf
Reboot my system

Now, in my book I should have a working system with active ftp support. But I don't.

Am I missing something?

Nils

-----Original Message-----
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]]
Sent: Friday 16 February 2007 12:59
To: Reuvers, Nils
Subject: Re: ftp-proxy problem using active ftp

Try to move the anchors as high as possible in their sections.
(the nat and rdr anchor first in the nat section; the normal anchor first in the filter rule section).

Crank up the logging like this:
ftp-proxy -d -D7 -r

Watch your pf logging as well.

Doesn't the bank app. (ABN AMRO?) use a weird port like 40 or 41 or so?

On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I'm about to turn nuts over ftp-proxy. I would greatly appreciate any
> assistance. The problem is I can't get active FTP to work and I need it
> for my clients to communicate with a bank. The clients are behind a pf
> firewall which is doing nat and firewalling for the whole internal
> subnet.
>
> Running OpenBSD 4.0 -stable -release
> I have taken the faq-example1 from /usr/share/pf and modified the
> interfaces and removed the port 80 redirect (since I do not have a
> webserver internally).
>
> /usr/sbin/ftp-proxy is running with -r
> #ps -xa
> 12876 ??  Is     0:00.06 /usr/sbin/ftp-proxy -r
>
> Passive FTP works instantly, but active does not. I do get a control
> connection, but it holds when I try to retrieve data.
>
> My pf.conf:
> # $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
> #
> # Firewall for Home or Small Office
> # http://www.openbsd.org/faq/pf/example1.html
> #
> # macros
> ext_if="pcn0"
> int_if="fxp0"
>
> icmp_types="echoreq"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo
>
> # scrub
> scrub in
>
> # nat/rdr
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # filter rules
> block in
>
> pass out keep state
>
> anchor "ftp-proxy/*"
> antispoof quick for { lo $int_if }
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass quick on $int_if
>
> #end pf.conf
>
>
> Thanks.
>
> Nils Reuvers
ftp-proxy problem using active ftp
Hi all,

I'm about to turn nuts over ftp-proxy. I would greatly appreciate any assistance. The problem is I can't get active FTP to work and I need it for my clients to communicate with a bank. The clients are behind a pf firewall which is doing nat and firewalling for the whole internal subnet.

Running OpenBSD 4.0 -stable -release
I have taken the faq-example1 from /usr/share/pf and modified the interfaces and removed the port 80 redirect (since I do not have a webserver internally).

/usr/sbin/ftp-proxy is running with -r
#ps -xa
12876 ??  Is     0:00.06 /usr/sbin/ftp-proxy -r

Passive FTP works instantly, but active does not. I do get a control connection, but it holds when I try to retrieve data.

My pf.conf:
# $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
ext_if="pcn0"
int_if="fxp0"

icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

#end pf.conf

Thanks.

Nils Reuvers