(Note: since most of this could be relevant, I snipped very little.
Scroll down some.)
On Sat, Nov 11, 2006 at 03:43:18PM +0100, Marc Peters wrote:
> hi folks.
>
> i have issues with the ftp-proxy. i am using openbsd 4.0 which i fetched
> during the release-phase, so i think it is on status of -release. this
> box is the firewall of our network, with three interfaces. xl0 is for
> the internal lan, xl1 is for our dmz and xl2 is connected to internet.
> for all ftp-transactions to the dmz we use the ftp-proxy.
> on one server, everything is working fine. on the other server,
> ftp-proxy shows a strange behaviour. let me show you an example, to make
> things clearer.
>
> the working host:
> logging in, everything's fine. now if i want to cd some directories
> deeper at once, ftp-proxy is working and contacting the ftp-server,
> which is running proftpd, correctly:
>
> the commands i use:
>
> ftp> pwd
> 257 "/" is current directory.
> ftp> cd internet/foo-com/staging/htdocs/leistungen
> 250 CWD command successful
> ftp> pwd
> 257 "/internet/foo-com/staging/htdocs/leistungen" is current directory.
> ftp>
>
> here comes the log from proftpd:
>
> 194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:06:57 +0100] "PWD" 257 -
> 194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] "CWD
> internet/foo-com/staging/htdocs/leistungen" 250 -
> 194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] "PWD" 257 -
>
> and now the output from the ftp-proxy host i took with tcpdump -Xttti
> xl0 (lan):
> Nov 11 15:08:10.069206 192.168.0.14.49210 > workinghost.domain.com.ftp:
> P 128:183(55) ack 403 win 65535 <nop,nop,timestamp 74216628 3435911183>
> (DF) [tos 0x10]
> 0000: 4510 006b 1f95 4000 4006 23ba c0a8 530e [EMAIL PROTECTED]@.#B:CB(S.
> 0010: c2f5 2082 c03a 0015 0fad 434a eff6 19c4 CC5 .C:...B-CJC/C6.C
> 0020: 8018 ffff 0ad8 0000 0101 080a 046c 74b4 ..C?C?.C.......ltB4
> 0030: cccb d80f 4357 4420 696e 7465 726e 6574 CCC.CWD internet
> 0040: 2f7a 6569 747a 6272 6579 6572 2d64 652f /foo-com/
> 0050: 7374 st
>
> Nov 11 15:08:10.070428 workinghost.domain.com.ftp > 192.168.0.14.49210:
> P 403:431(28) ack 183 win 17376 <nop,nop,timestamp 3435911328 74216628> (DF)
> 0000: 4500 0050 7ac4 4000 4006 c8b5 c2f5 2082 [EMAIL PROTECTED]@.CB5CC5 .
> 0010: c0a8 530e 0015 c03a eff6 19c4 0fad 4381 CB(S...C:C/C6.C.B-C.
> 0020: 8018 43e0 4d63 0000 0101 080a cccb d8a0 ..CC Mc......CCC
> 0030: 046c 74b4 3235 3020 4357 4420 636f 6d6d .ltB4250 CWD comm
> 0040: 616e 6420 7375 6363 6573 7366 756c 0d0a and successful..
>
> Nov 11 15:08:10.070715 192.168.0.14.49210 > workinghost.domain.com.ftp:
> . ack 431 win 65535 <nop,nop,timestamp 74216628 3435911328> (DF) [tos 0x10]
> 0000: 4510 0034 1f96 4000 4006 23f0 c0a8 530e [EMAIL PROTECTED]@.#C0CB(S.
> 0010: c2f5 2082 c03a 0015 0fad 4381 eff6 19e0 CC5 .C:...B-C.C/C6.C
> 0020: 8010 ffff 43ad 0000 0101 080a 046c 74b4 ..C?C?CB-.......ltB4
> 0030: cccb d8a0 CCC
>
> Nov 11 15:08:10.072944 192.168.0.14.49210 > workinghost.domain.com.ftp:
> P 183:188(5) ack 431 win 65535 <nop,nop,timestamp 74216628 3435911328>
> (DF) [tos 0x10]
> 0000: 4510 0039 1f97 4000 4006 23ea c0a8 530e [EMAIL PROTECTED]@.#C*CB(S.
> 0010: c2f5 2082 c03a 0015 0fad 4381 eff6 19e0 CC5 .C:...B-C.C/C6.C
> 0020: 8018 ffff a53b 0000 0101 080a 046c 74b4 ..C?C?B%;.......ltB4
> 0030: cccb d8a0 5057 440d 0a CCC PWD..
>
> Nov 11 15:08:10.073491 workinghost.domain.com.ftp > 192.168.0.14.49210:
> P 431:511(80) ack 188 win 17376 <nop,nop,timestamp 3435911328 74216628> (DF)
> 0000: 4500 0084 6e1b 4000 4006 d52a c2f5 2082 [EMAIL PROTECTED]@.C*CC5 .
> 0010: c0a8 530e 0015 c03a eff6 19e0 0fad 4386 CB(S...C:C/C6.C .B-C.
> 0020: 8018 43e0 58e5 0000 0101 080a cccb d8a0 ..CC XC%......CCC
> 0030: 046c 74b4 3235 3720 222f 696e 7465 726e .ltB4257 "/intern
> 0040: 6574 2f7a 6569 747a 6272 6579 6572 2d64 et/foo-com
> 0050: 652f /
>
>
> and the outgoing part on the dmz-interface:
>
> Nov 11 15:08:10.069396 ftp-proxy.domain.com.10146 >
> workinghost.domain.com.ftp: P 128:183(55) ack 403 win 16384
> <nop,nop,timestamp 4038516918 1475073962> (DF)
> 0000: 4500 006b 73e1 4000 4006 ff40 c2f5 20fe [EMAIL PROTECTED]@[EMAIL PROTECTED] C>
> 0010: c2f5 2082 27a2 0015 8ee7 5ff7 482f c21e CC5 .'B"...C'_C7H/C.
> 0020: 8018 4000 13b1 0000 0101 080a f0b6 e0b6 [EMAIL PROTECTED] B6
> 0030: 57eb d7aa 4357 4420 696e 7465 726e 6574 WC+CB*CWD internet
> 0040: 2f7a 6569 747a 6272 6579 6572 2d64 652f /foo-com/
> 0050: 7374 st
>
> Nov 11 15:08:10.070341 workinghost.domain.com.ftp >
> ftp-proxy.domain.com.10146: P 403:431(28) ack 183 win 1448
> <nop,nop,timestamp 1475146718 4038516918> (DF) [tos 0x10]
> 0000: 4510 0050 2287 4000 4006 50a6 c2f5 2082 E..P"[EMAIL PROTECTED]@.PB&CC5 .
> 0010: c2f5 20fe 0015 27a2 482f c21e 8ee7 602e CC5 C>..'B"H/C..C'`.
> 0020: 8018 05a8 b8d0 0000 0101 080a 57ec f3de ...B(B8C......WC,C3C
> 0030: f0b6 e0b6 3235 3020 4357 4420 636f 6d6d C0B6C B6250 CWD comm
> 0040: 616e 6420 7375 6363 6573 7366 756c 0d0a and successful..
>
> Nov 11 15:08:10.073010 ftp-proxy.domain.com.10146 >
> workinghost.domain.com.ftp: P 183:188(5) ack 431 win 16384
> <nop,nop,timestamp 4038516918 1475146718> (DF)
> 0000: 4500 0039 5d8e 4000 4006 15c6 c2f5 20fe [EMAIL PROTECTED]@..CCC5 C>
> 0010: c2f5 2082 27a2 0015 8ee7 602e 482f c23a CC5 .'B"...C'`.H/C:
> 0020: 8018 4000 9270 0000 0101 080a f0b6 e0b6 [EMAIL PROTECTED] B6
> 0030: 57ec f3de 5057 440d 0a WC,C3CPWD..
>
> Nov 11 15:08:10.073424 workinghost.domain.com.ftp >
> ftp-proxy.domain.com.10146: P 431:511(80) ack 188 win 1448
> <nop,nop,timestamp 1475146721 4038516918> (DF) [tos 0x10]
> 0000: 4510 0084 2289 4000 4006 5070 c2f5 2082 E..."[EMAIL PROTECTED]@.PpCC5 .
> 0010: c2f5 20fe 0015 27a2 482f c23a 8ee7 6033 CC5 C>..'B"H/C:.C'`3
> 0020: 8018 05a8 c44f 0000 0101 080a 57ec f3e1 ...B(CO......WC,C3C!
> 0030: f0b6 e0b6 3235 3720 222f 696e 7465 726e C0B6C B6257 "/intern
> 0040: 6574 2f7a 6569 747a 6272 6579 6572 2d64 et/foo-com
> 0050: 652f /
>
> as you can see, everything is working fine and as expected. now comes
> the strange part, when i repeat these steps on a different host, which has
> exactly the same directory-layout as this one:
>
> the commands from the ftp-session:
>
> 230 User ftpuser logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> 257 "/" is current directory.
> ftp> cd internet/foo-com/staging/htdocs/leistungen
>
> and here the session hangs
>
> internal tcpdump-output:
>
> Nov 11 15:15:04.389645 failinghost.domain.com.ftp > 192.168.0.14.49216:
> P 202:233(31) ack 56 win 17376 <nop,nop,timestamp 3956671155 74217457> (DF)
> 0000: 4500 0053 59df 4000 4006 e965 c2f5 20b4 [EMAIL PROTECTED]@.C)eCC5 B4
> 0010: c0a8 530e 0015 c040 d03a 3403 4249 4284 CB([EMAIL PROTECTED]:4.BIB.
> 0020: 8018 43e0 eb15 0000 0101 080a ebd6 02b3 ..CC C+.......C+C.B3
> 0030: 046c 77f1 3235 3720 222f 2220 6973 2063 .lwC1257 "/" is c
> 0040: 7572 7265 6e74 2064 6972 6563 746f 7279 urrent directory
> 0050: 2e0d ..
>
> Nov 11 15:15:04.389859 192.168.0.14.49216 > failinghost.domain.com.ftp:
> . ack 233 win 65535 <nop,nop,timestamp 74217457 3956671155> (DF) [tos 0x10]
> 0000: 4510 0034 21fb 4000 4006 2159 c0a8 530e E..4!C;@[EMAIL PROTECTED](S.
> 0010: c2f5 20b4 c040 0015 4249 4284 d03a 3422 CC5 [EMAIL PROTECTED]:4"
> 0020: 8010 ffff caf5 0000 0101 080a 046c 77f1 ..C?C?CC5.......lwC1
> 0030: ebd6 02b3 C+C.B3
>
> Nov 11 15:15:58.478319 192.168.0.14.49216 > failinghost.domain.com.ftp:
> P 56:111(55) ack 233 win 65535 <nop,nop,timestamp 74217565 3956671155>
> (DF) [tos 0x10]
> 0000: 4510 006b 2263 4000 4006 20ba c0a8 530e E..k"[EMAIL PROTECTED]@. B:CB(S.
> 0010: c2f5 20b4 c040 0015 4249 4284 d03a 3422 CC5 [EMAIL PROTECTED]:4"
> 0020: 8018 ffff 90d0 0000 0101 080a 046c 785d ..C?C?.C.......lx]
> 0030: ebd6 02b3 4357 4420 696e 7465 726e 6574 C+C.B3CWD internet
> 0040: 2f7a 6569 747a 6272 6579 6572 2d64 652f /foo-com/
> 0050: 7374 st
>
> Nov 11 15:15:58.675064 failinghost.domain.com.ftp > 192.168.0.14.49216:
> . ack 111 win 17376 <nop,nop,timestamp 3956671263 74217565> (DF)
> 0000: 4500 0034 4da1 4000 4006 f5c2 c2f5 20b4 [EMAIL PROTECTED]@.C5CCC5 B4
> 0010: c0a8 530e 0015 c040 d03a 3422 4249 42bb CB([EMAIL PROTECTED]:4"BIBB;
> 0020: 8010 43e0 8606 0000 0101 080a ebd6 031f ..CC ........C+C..
> 0030: 046c 785d .lx]
>
> and now the output from the dmz-interface:
>
> Nov 11 15:15:04.389317 ftp-proxy.domain.com.48293 >
> failinghost.domain.com.ftp: P 51:56(5) ack 202 win 16384
> <nop,nop,timestamp 3630957581 172675010>
> 0000: 4500 0039 13c8 0000 4006 9f5a c2f5 20fe [EMAIL PROTECTED] C>
> 0010: c2f5 20b4 bca5 0015 bc2d 18bc 48d1 b99c CC5 B4B<B%..B<-.B<HCB9.
> 0020: 8018 4000 8615 0000 0101 080a d86c 040d [EMAIL PROTECTED]
> 0030: 0a4a cfc2 5057 440d 0a .JCCPWD..
>
> Nov 11 15:15:04.389556 failinghost.domain.com.ftp >
> ftp-proxy.domain.com.48293: P 202:233(31) ack 56 win 46
> <nop,nop,timestamp 172680957 3630957581> (DF) [tos 0x10]
> 0000: 4510 0053 7066 4000 4006 0292 c2f5 20b4 [EMAIL PROTECTED]@...CC5 B4
> 0010: c2f5 20fe 0015 bca5 48d1 b99c bc2d 18c1 CC5 C>..B<B%HCB9.B<-.C
> 0020: 8018 002e b0fa 0000 0101 080a 0a4a e6fd ....B0C:.......JC&C=
> 0030: d86c 040d 3235 3720 222f 2220 6973 2063 Cl..257 "/" is c
> 0040: 7572 7265 6e74 2064 6972 6563 746f 7279 urrent directory
> 0050: 2e0d ..
>
> Nov 11 15:15:04.581421 ftp-proxy.domain.com.48293 >
> failinghost.domain.com.ftp: . ack 233 win 16384 <nop,nop,timestamp
> 3630957581 172680957>
> 0000: 4500 0034 5808 0000 4006 5b1f c2f5 20fe [EMAIL PROTECTED] C>
> 0010: c2f5 20b4 bca5 0015 bc2d 18c1 48d1 b9bb CC5 B4B<B%..B<-.CHCB9B;
> 0020: 8010 4000 0d28 0000 0101 080a d86c 040d [EMAIL PROTECTED](......Cl..
> 0030: 0a4a e6fd .JC&C=
>
> as you can see from the timestamps the last things don't even arrive at
> the interface and nothing is sent to the server, as the logs prove:
>
> 194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:15:04 +0100] "PWD" 257 -
>
> the rules for these hosts are similar, so nothing is blocking a request
> on the host itself (as one-by-one through the directories show).
>
> and that's it, nothing as the CWD to the directory or anything else.
> this only shows up, if i use a certain directory-depth at once (didn't
> determine how many, because it depends on the directories i use like
> internet/bar-com this shows up later). if i go through the directories
> one-by-one, this doesn't happen (but as the ftp-programs are somewhat
> crazy they always call the whole path, so that will happen if someone
> uses a graphical client and wants to jump in that directory). if i log
> into the host directly, this doesn't happen.
>
> as you can imagine, i am at my wit's end. am i doing something wrong?
> needing more information? i would be glad if someone can overlook that
> and provide me with the necessary information or contact me, for more
> logs or something like that.
>
> tia,
> marc
>
> ps: i am sorry, that this mail got quite long, but i thank everyone for
> taking their time and reading through this.

I can't think of any fix offhand, but some more stuff that might point
to the error:

Are you really sure the rules are the same? Including the routing tables
on all hosts? Check tcpdump -i pflog0.

Check ftp-proxy logs - ftp-proxy -dD7 2>&1 | tee logfile might be
useful.

Check exactly what the ftp clients send; ftp-proxy logs and/or tcpdump
might be useful.

Joachim
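
Added example, not part of the original thread and not ftp-proxy code: one way to compare the two captures mechanically is to list client data segments seen on the LAN side that have no same-sized counterpart leaving on the DMZ side. The sample input is constructed from the tcpdump header lines quoted above (unwrapped, hex dump and TCP options omitted); the function names and the 2-second window are assumptions, and matching by payload length only holds for commands the proxy relays unchanged.

```python
import re
from datetime import datetime, timedelta

# One unwrapped tcpdump header line: time, src > dst, flags, optional seq range.
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) (?P<src>\S+) > (?P<dst>\S+): "
    r"\S+ (?:\d+:\d+\((?P<len>\d+)\) )?ack \d+"
)

def to_server(capture):
    """Return (time, dst, payload_len) for data segments sent to an FTP control port."""
    out = []
    for line in capture.splitlines():
        m = HEADER.match(line.strip())
        if m and m["len"] and int(m["len"]) > 0 and m["dst"].endswith(".ftp"):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
            out.append((ts, m["dst"], int(m["len"])))
    return out

def unforwarded(lan_capture, dmz_capture, window=timedelta(seconds=2)):
    """LAN-side client segments with no same-size segment to the same server
    on the DMZ side within `window` afterwards."""
    dmz = to_server(dmz_capture)
    missing = []
    for ts, dst, size in to_server(lan_capture):
        hit = next((d for d in dmz
                    if d[1] == dst and d[2] == size and ts <= d[0] <= ts + window), None)
        if hit:
            dmz.remove(hit)  # each DMZ segment accounts for one LAN segment
        else:
            missing.append((ts.strftime("%H:%M:%S.%f"), dst, size))
    return missing

# Constructed sample: header lines of the failing session from the thread.
LAN_FAIL = """\
Nov 11 15:15:04.389645 failinghost.domain.com.ftp > 192.168.0.14.49216: P 202:233(31) ack 56 win 17376
Nov 11 15:15:04.389859 192.168.0.14.49216 > failinghost.domain.com.ftp: . ack 233 win 65535
Nov 11 15:15:58.478319 192.168.0.14.49216 > failinghost.domain.com.ftp: P 56:111(55) ack 233 win 65535
Nov 11 15:15:58.675064 failinghost.domain.com.ftp > 192.168.0.14.49216: . ack 111 win 17376
"""
DMZ_FAIL = """\
Nov 11 15:15:04.389317 ftp-proxy.domain.com.48293 > failinghost.domain.com.ftp: P 51:56(5) ack 202 win 16384
Nov 11 15:15:04.389556 failinghost.domain.com.ftp > ftp-proxy.domain.com.48293: P 202:233(31) ack 56 win 46
Nov 11 15:15:04.581421 ftp-proxy.domain.com.48293 > failinghost.domain.com.ftp: . ack 233 win 16384
"""

if __name__ == "__main__":
    for when, dst, size in unforwarded(LAN_FAIL, DMZ_FAIL):
        print(f"{when}: {size}-byte segment to {dst} never left on the DMZ side")
```

Run against the failing session it reports the 55-byte CWD segment from 15:15:58; the same check over the working host's header lines reports nothing.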