On Tue, Aug 30, 2011 at 11:38 PM, fqui nonez <[email protected]> wrote:
> Hello
>
> I have an ftpd server box, OBSD-4.9, and pflog shows:
>
> Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 <mss 1452,nop,nop,sackOK>
> Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 > 192.168.5.2.21: S 409025537:409025537(0) win 65535 <mss 1452,nop,nop,sackOK>
> Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
> Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
> Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
> Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
> Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
> Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]
>
> pf rules are:
>
> set skip on lo
> block in log all
> block out log all
> pass out log quick on rl0
> pass in log quick on rl0 proto tcp from any to port {20 21 22}
> antispoof quick log for rl0
> pass # to establish keep-state
>
> It looks to me that somebody sends code over port 21, then ftpd
> responds over port 21, and pf stops sftp!
> I have seen that the normal behaviour of ftpd is logged on random ports,
> as an effect of ftp_proxy.
>
> Is something weird happening here?
The FTP protocol itself is weird. Most (all?) modern FTP clients now include SFTP/SCP. I convinced a client to switch to that a few years ago, and their customers are still using it to this day (chrooted with no login shell of course). If you must use FTP you are always going to have problems firewalling and troubleshooting whether someone's client is set to active/passive, or whether they're also behind a firewall. Just make the switch and wash your hands of that protocol. :-)

-Bryan
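As an added example (not part of the thread, and not OpenBSD's own tooling), here is a small Python correlator over the pflog lines quoted above: it pairs every blocked outbound packet with the inbound SYN that pf passed for the same remote endpoint, so one can check that the blocks are only FIN/RST packets acknowledging client data on sessions pf had already admitted, i.e. ftpd tearing down dead control connections once the state is gone, not new traffic being refused. The embedded sample is a subset of the OP's log; the key and summary field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pflog lines quoted in the thread above.
PFLOG = """\
Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 > 192.168.5.2.21: S 409025537:409025537(0) win 65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
"""

# One pflog/tcpdump line: timestamp, rule, action/direction, endpoints, TCP flags, seq, optional ack.
# Note tcpdump prints absolute seq/ack only for the first packet it sees of a flow; later
# lines ("0:56(56) ack 1") are relative, which is why the blocked lines differ in form.
LINE = re.compile(
    r"^\w{3} +\d+ [\d:.]+ rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None

def correlate(log):
    """Group lines by the remote endpoint so each blocked outbound packet is matched
    with the inbound SYN that opened the flow.  Returns {(ip, port): summary}."""
    flows = defaultdict(lambda: {"passed_in": 0, "blocked_out": 0, "flags": set(),
                                 "isn": None, "max_ack": 0})
    for p in filter(None, map(parse, log.splitlines())):
        # the remote endpoint is the source of inbound and the destination of outbound packets
        key = (p["src"], int(p["sport"])) if p["dir"] == "in" else (p["dst"], int(p["dport"]))
        f = flows[key]
        if p["action"] == "pass" and p["dir"] == "in" and "S" in p["flags"]:
            f["passed_in"] += 1
            f["isn"] = int(p["seq"])  # client's initial sequence number
        elif p["action"] == "block" and p["dir"] == "out":
            f["blocked_out"] += 1
            f["flags"].add(p["flags"])
            f["max_ack"] = max(f["max_ack"], int(p["ack"] or 0))
    return dict(flows)

def is_stale_close(f):
    """True when every blocked outbound packet is a FIN or RST for a flow pf itself passed
    in, and the server had already acked client data: a late teardown of a dead session
    whose state has expired, which falls through to the 'block out' rule."""
    return (f["passed_in"] > 0 and f["blocked_out"] > 0 and f["isn"] is not None
            and f["max_ack"] > f["isn"] and all("F" in x or "R" in x for x in f["flags"]))
```

For the OP's two control connections, `max_ack - isn` is 114 on both, so the client had sent data before ftpd's FIN was blocked.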

