2011/9/1 Bryan Irvine <[email protected]>:
> On Tue, Aug 30, 2011 at 11:38 PM, fqui nonez <[email protected]> wrote:
>> Hello
>>
>> I have a ftpd server box, OBSD-4.9, and pflog shows:
>>
>> Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 <mss 1452,nop,nop,sackOK>
>> Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 > 192.168.5.2.21: S 409025537:409025537(0) win 65535 <mss 1452,nop,nop,sackOK>
>> Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
>> Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
>> Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
>> Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
>> Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
>> Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]
>>
>> pf rules are:
>>
>> set skip on lo
>> block in log all
>> block out log all
>> pass out log quick on rl0
>> pass in log quick on rl0 proto tcp from any to port {20 21 22}
>> antispoof quick log for rl0
>> pass            # to establish keep-state
>>
>> It looks to me that somebody sends code over port 21, then ftpd

Thanks to all for the answers.
This is a typo; it should say "ftpd"; it is only anonymous access.

>> respond over port 21, and pf stops sftp! <------------- ftpd here
It seems that ftpd should not respond over port 21, because ftp-proxy
is in charge of the connection.

>> I have seen that normal behaviour of ftpd is logged on random ports;
>> as effect of ftp_proxy.
>>
>> Is something weird happening here?
>
> The FTP protocol itself is weird.
>
> Most (all?) modern FTP clients now include SFTP/SCP.  I convinced a
> client to switch to that a few years ago, and their customers are
> still using it to this day (chrooted with no login shell of course).
> If you must use FTP you are always going to have problems firewalling
> and troubleshooting whether someone's client is set to active/passive,
> or whether they're also behind a firewall.  Just make the switch and
> wash your hands of that protocol.  :-)
>
> -Bryan
>

Yes Bryan, except that this server has been working correctly for a
long time, and accepts only anonymous connections.

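The quoted pflog output is the kind of thing worth correlating mechanically before guessing at the cause: for each connection, when was the inbound SYN passed, how long afterwards did the server's replies start hitting the catch-all "block out" rule, how many retransmissions were dropped, and did it end in a reset. The script below is an added example, not part of the thread above and not OpenBSD or pf code; it takes the pflog lines from the post (re-joined onto one line each, as tcpdump prints them) as its sample input, parses them, and reports every connection whose reply direction was blocked after the forward direction was passed. The rule numbers and addresses are exactly those in the post; the field names in the report are the script's own.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Sample input: the pflog lines quoted in the post, one record per line.
PFLOG = """\
Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 > 192.168.5.2.21: S 409025537:409025537(0) win 65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]
"""

# One pflog record as tcpdump prints it: timestamp, matching rule, action,
# direction, interface, then "src.port > dst.port: FLAGS ..." for TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[A-Z.]+)"
)


def split_endpoint(ep):
    """'190.87.195.241.2732' -> ('190.87.195.241', 2732); the port is the last dotted field."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_pflog(text):
    """Parse tcpdump-style pflog lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # pflog timestamps carry no year; deltas within one day are all we need here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        events.append({
            "ts": ts, "rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "ifname": m["ifname"], "src": split_endpoint(m["src"]),
            "dst": split_endpoint(m["dst"]), "flags": m["flags"],
        })
    return events


def blocked_replies(events):
    """For each connection whose inbound side was passed, collect the outbound
    packets that were later blocked in the reply direction and summarise them."""
    flows = defaultdict(lambda: {"pass_in": None, "blocked": []})
    for ev in events:
        key = tuple(sorted([ev["src"], ev["dst"]]))  # direction-independent flow key
        f = flows[key]
        if ev["action"] == "pass" and ev["dir"] == "in" and f["pass_in"] is None:
            f["pass_in"] = ev
        elif (ev["action"] == "block" and ev["dir"] == "out"
              and f["pass_in"] is not None and ev["src"] == f["pass_in"]["dst"]):
            f["blocked"].append(ev)  # server -> client packet dropped by the out rule
    report = []
    for f in flows.values():
        if not (f["pass_in"] and f["blocked"]):
            continue
        first, blocked = f["blocked"][0], f["blocked"]
        gaps = [(b.ts if False else b["ts"]) for b in blocked]
        gaps = [(gaps[i + 1] - gaps[i]).total_seconds() for i in range(len(gaps) - 1)]
        report.append({
            "client": f["pass_in"]["src"],
            "server": f["pass_in"]["dst"],
            "pass_rule": f["pass_in"]["rule"],
            "block_rule": first["rule"],
            # seconds from the passed SYN to the first blocked reply
            "state_age_s": round((first["ts"] - f["pass_in"]["ts"]).total_seconds(), 6),
            "blocked_packets": len(blocked),
            # typical spacing of the dropped retransmissions
            "retransmit_gap_s": round(statistics.median(gaps), 1) if gaps else None,
            "ended_with_reset": any("R" in b["flags"] for b in blocked),
        })
    report.sort(key=lambda r: r["client"])
    return report


if __name__ == "__main__":
    for r in blocked_replies(parse_pflog(PFLOG)):
        print(r)
```

Run against the post's lines it yields one entry per client port (2732 and 3190), each showing the first blocked reply roughly 996 seconds after the passed SYN, eight dropped outbound packets spaced about 64 seconds apart, and a final RST. Those numbers are what to carry into the discussion of state timeouts and the ftp-proxy setup; the script itself only establishes the timeline, it does not decide why the state was gone.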