hi folks.
i have issues with the ftp-proxy. i am using openbsd 4.0 which i fetched during
the release-phase, so i think it is on status of -release. this box is the
firewall of our network, with three interfaces. xl0 is for the internal lan,
xl1 is for our dmz and xl2 is connected to internet. for all ftp-transactions
to the dmz we use the ftp-proxy.
on one server, everything is working fine. on the other server, ftp-proxy
shows a strange behaviour. let me show you an example, to make things clearer.
the working host:
logging in, everything's fine. now if i want to cd some directories deeper at
once, ftp-proxy is working and contacting the ftp-server, which is running
proftpd, correctly:
the commands i use:
ftp> pwd
257 "/" is current directory.
ftp> cd internet/foo-com/staging/htdocs/leistungen
250 CWD command successful
ftp> pwd
257 "/internet/foo-com/staging/htdocs/leistungen" is current directory.
ftp>
here comes the log from proftpd:
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:06:57 +0100] "PWD" 257 -
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] "CWD
internet/foo-com/staging/htdocs/leistungen" 250 -
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] "PWD" 257 -
and now the output from the ftp-proxy host i took with tcpdump -Xttti xl0
(lan):
Nov 11 15:08:10.069206 192.168.0.14.49210 > workinghost.domain.com.ftp: P
128:183(55) ack 403 win 65535 <nop,nop,timestamp 74216628 3435911183> (DF)
[tos 0x10]
Nov 11 15:08:10.070428 workinghost.domain.com.ftp > 192.168.0.14.49210: P
403:431(28) ack 183 win 17376 <nop,nop,timestamp 3435911328 74216628> (DF)
Nov 11 15:08:10.070715 192.168.0.14.49210 > workinghost.domain.com.ftp: . ack
431 win 65535 <nop,nop,timestamp 74216628 3435911328> (DF) [tos 0x10]
Nov 11 15:08:10.072944 192.168.0.14.49210 > workinghost.domain.com.ftp: P
183:188(5) ack 431 win 65535 <nop,nop,timestamp 74216628 3435911328> (DF) [tos
0x10]
Nov 11 15:08:10.073491 workinghost.domain.com.ftp > 192.168.0.14.49210: P
431:511(80) ack 188 win 17376 <nop,nop,timestamp 3435911328 74216628> (DF)
and the outgoing part on the dmz-interface:
Nov 11 15:08:10.069396 ftp-proxy.domain.com.10146 >
workinghost.domain.com.ftp: P 128:183(55) ack 403 win 16384 <nop,nop,timestamp
4038516918 1475073962> (DF)
Nov 11 15:08:10.070341 workinghost.domain.com.ftp >
ftp-proxy.domain.com.10146: P 403:431(28) ack 183 win 1448 <nop,nop,timestamp
1475146718 4038516918> (DF) [tos 0x10]
Nov 11 15:08:10.073010 ftp-proxy.domain.com.10146 >
workinghost.domain.com.ftp: P 183:188(5) ack 431 win 16384 <nop,nop,timestamp
4038516918 1475146718> (DF)
Nov 11 15:08:10.073424 workinghost.domain.com.ftp >
ftp-proxy.domain.com.10146: P 431:511(80) ack 188 win 1448 <nop,nop,timestamp
1475146721 4038516918> (DF) [tos 0x10]
as you can see, everything is working fine and as expected. now comes the
strange part, when i repeat these steps on a different host, which has exactly
the same directory-layout as this one:
the commands from the ftp-session:
230 User ftpuser logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> cd internet/foo-com/staging/htdocs/leistungen
and here the session hangs
internal tcpdump-output:
Nov 11 15:15:04.389645 failinghost.domain.com.ftp > 192.168.0.14.49216: P
202:233(31) ack 56 win 17376 <nop,nop,timestamp 3956671155 74217457> (DF)
Nov 11 15:15:04.389859 192.168.0.14.49216 > failinghost.domain.com.ftp: . ack
233 win 65535 <nop,nop,timestamp 74217457 3956671155> (DF) [tos 0x10]
Nov 11 15:15:58.478319 192.168.0.14.49216 > failinghost.domain.com.ftp: P
56:111(55) ack 233 win 65535 <nop,nop,timestamp 74217565 3956671155> (DF) [tos
0x10]
Nov 11 15:15:58.675064 failinghost.domain.com.ftp > 192.168.0.14.49216: . ack
111 win 17376 <nop,nop,timestamp 3956671263 74217565> (DF)
and now the output from the dmz-interface:
Nov 11 15:15:04.389317 ftp-proxy.domain.com.48293 >
failinghost.domain.com.ftp: P 51:56(5) ack 202 win 16384 <nop,nop,timestamp
3630957581 172675010>
Nov 11 15:15:04.389556 failinghost.domain.com.ftp >
ftp-proxy.domain.com.48293: P 202:233(31) ack 56 win 46 <nop,nop,timestamp
172680957 3630957581> (DF) [tos 0x10]
Nov 11 15:15:04.581421 ftp-proxy.domain.com.48293 >
failinghost.domain.com.ftp: . ack 233 win 16384 <nop,nop,timestamp 3630957581
172680957>
as you can see from the timestamps the last things don't even arrive at the
interface and nothing is sent to the server, as the logs prove:
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:15:04 +0100] "PWD" 257 -
the rules for these hosts are similar, so nothing is blocking a request on
the host itself (as one-by-one through the directories show).
and that's it, nothing as the CWD to the directory or anything else. this only
shows up, if i use a certain directory-depth at once (didn't determine how
many, because it depends on the directories i use like internet/bar-com this
shows up later). if i go through the directories one-by-one, this doesn't
happen (but as the ftp-programs are somewhat crazy they always call the whole
path, so that will happen if someone uses a graphical client and wants to jump
in that directory). if i log into the host directly, this doesn't happen.
as you can imagine, i am at my wit's end. am i doing something wrong? needing
more information? i would be glad if someone can overlook that and provide me
with the necessary information or contact me, for more logs or something like
that.
tia,
marc
ps: i am sorry, that this mail got quite long, but i thank everyone for taking
their time and reading through this.
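
Added example, not part of the original mail: a Python script that automates the side-by-side comparison of the two captures made by hand above. It reads tcpdump summary lines from the LAN and DMZ interfaces and lists client segments sent to the FTP control port that have no same-sized counterpart leaving on the DMZ side. The sample lines are the post's own summary lines, re-joined and with TCP options trimmed; matching by payload size inside a time window is an assumption that only holds while the proxy relays a command unmodified.

```python
import re
from datetime import datetime

# tcpdump summary line as it appears in the post, e.g.
# "Nov 11 15:08:10.069206 192.168.0.14.49210 > host.ftp: P 128:183(55) ack 403 ..."
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"\S+ \d+:\d+\((?P<len>\d+)\)"
)

def control_data(capture):
    """(timestamp, payload length) of each data segment sent to the FTP control port."""
    segs = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m and m["dst"].endswith(".ftp") and int(m["len"]) > 0:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
            segs.append((ts, int(m["len"])))
    return segs

def unforwarded(lan_capture, dmz_capture, window=2.0):
    """Client segments seen on the LAN side with no same-size segment on the DMZ side."""
    dmz = control_data(dmz_capture)
    missing = []
    for ts, length in control_data(lan_capture):
        hit = next((d for d in dmz if d[1] == length
                    and abs((d[0] - ts).total_seconds()) <= window), None)
        if hit:
            dmz.remove(hit)  # each relayed segment may satisfy only one match
        else:
            missing.append((ts.strftime("%H:%M:%S"), length))
    return missing

# Summary lines taken from the post (line wraps re-joined, TCP options trimmed).
WORKING_LAN = """\
Nov 11 15:08:10.069206 192.168.0.14.49210 > workinghost.domain.com.ftp: P 128:183(55) ack 403 win 65535
Nov 11 15:08:10.070428 workinghost.domain.com.ftp > 192.168.0.14.49210: P 403:431(28) ack 183 win 17376
Nov 11 15:08:10.072944 192.168.0.14.49210 > workinghost.domain.com.ftp: P 183:188(5) ack 431 win 65535"""
WORKING_DMZ = """\
Nov 11 15:08:10.069396 ftp-proxy.domain.com.10146 > workinghost.domain.com.ftp: P 128:183(55) ack 403 win 16384
Nov 11 15:08:10.073010 ftp-proxy.domain.com.10146 > workinghost.domain.com.ftp: P 183:188(5) ack 431 win 16384"""
FAILING_LAN = """\
Nov 11 15:15:58.478319 192.168.0.14.49216 > failinghost.domain.com.ftp: P 56:111(55) ack 233 win 65535
Nov 11 15:15:58.675064 failinghost.domain.com.ftp > 192.168.0.14.49216: . ack 111 win 17376"""
FAILING_DMZ = """\
Nov 11 15:15:04.389317 ftp-proxy.domain.com.48293 > failinghost.domain.com.ftp: P 51:56(5) ack 202 win 16384
Nov 11 15:15:04.581421 ftp-proxy.domain.com.48293 > failinghost.domain.com.ftp: . ack 233 win 16384"""

print(unforwarded(FAILING_LAN, FAILING_DMZ))
```

Commands that ftp-proxy rewrites before relaying (PORT, EPRT) change size on the way through and would be reported here even when they were forwarded.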