On Wednesday 14 February 2007 21:59, Chris C. wrote:
> Hi
>
> I'm having issues with rsyncing ftp.rfc-editor.org through a PF firewall,
> other connections (also other rsync connections) work well.
>
> rsync -avz --delete ftp.rfc-editor.org::rfcs-text-only my-rfc-mirror
> receiving file list ... done
> ./
> rfc-index.xml
> ...
> rfc1591.txt
> rfc1592.txt
> nothing is going to happen... it will time out in a few minutes
>
>
> my setup is LAN --> OBSDGW2 -> PPPOE -> Internet
>
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:50:8b:95:a4:d3
>         description: WLan uplink
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::250:8bff:fe95:a4d3%fxp1 prefixlen 64 scopeid 0x3
>         inet 10.1.16.1 netmask 0xfffffffc broadcast 10.1.16.3
>
> pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
>         dev: rl0 state: session
>         sid: 0xe682 PADI retries: 49 PADR retries: 0 time: 09:51:14
>
> I've played with scrub (out on pppoe0 max-mss 1440, +no-df, + fragment
> reassemble, ...) but it doesn't solve my problem.
> I'm using nat on pppoe0 (nat on $extif from <localips> to any -> (pppoe0))
> I would provide a full tcpdump, but that would make my message a bit big...
>
> Currently my pf.conf looks as follows:
>
> set block-policy return
> set skip on { lo, enc0 }
> #scrub in all no-df random-id fragment reassemble
> #scrub out on pppoe0 max-mss 1492 no-df
> scrub out on pppoe0 max-mss 1440
> nat on $extif from <localips> to any -> (pppoe0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr                     on $allif       inet proto tcp from <localips> to !<norouteips> port ftp -> 127.0.0.1 port 8021
> rdr                     on $extif       inet proto tcp from any to ($extif) port http -> 10.0.0.200 port 80
> #rdr                    on $extif       inet proto tcp from any to ($extif) port ftp -> 10.0.0.200 port ftp
> #rdr                    on $extif       inet proto tcp from any to any port 49152:65535 -> 10.0.0.200 port 49152:65535
>  norouteips and allow local traffic on trusted interfaces
> antispoof       quick   for { $extif, $wlanif }
> block   in      all
> pass    out     all                     keep state flags S/SA
> block   in      quick   on $extif       inet from <norouteips> to any
> block   return  out     quick   on $extif inet proto icmp from any to <norouteips>
> block   drop    out     quick   on $extif inet from any to <norouteips>
> pass    in      quick   on $allif       inet from <localips> to !<firewall> keep state
> pass    in      quick                   inet proto icmp from any to { ($extif) <firewall> } icmp-type echoreq code 0
> pass    in      quick                   inet proto tcp from any to { ($extif) <firewall> } port ssh keep state
> [some rules for other subnets]
> pass    in              on $wlanif      inet           from 10.1.16.200 to any keep state flags S/SA
>
> [tcpdump]
>
> any suggestions? thanks!

Have to reply to my own post...
The rsync process completes on the gateway itself, but not on any device 
behind it.
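The tcpdump the post leaves out is what would settle a "works on the gateway, stalls behind it" case: the gateway's own stack knows pppoe0 is 1492 bytes wide, but a LAN host only learns the path MTU from the MSS it is handed in the SYN-ACK or from an ICMP "fragmentation needed" that has to get back to it. A `scrub out on pppoe0 max-mss ...` rule rewrites the MSS only in packets leaving through pppoe0 (the LAN host's SYN), not in the server's SYN-ACK coming the other way. The script below is an added example, not code from the original post or from OpenBSD; it scans a tcpdump text capture for a SYN or SYN-ACK whose MSS exceeds what the 1492-byte link can carry, and for don't-fragment segments that cannot fit the link at all. It assumes the older tcpdump text form (`src > dst: flags seq:end(len) ... <options> (DF)`), 40 bytes of IPv4+TCP headers with no options on data segments, and placeholder addresses 203.0.113.10 (an rsync server) and 192.0.2.7 (the gateway's pppoe0 address); the sample captures are constructed, not taken from the poster's network.

```python
"""Flag MSS/MTU trouble in a tcpdump text capture from a NAT'd PPPoE gateway.

Added example, not part of the original post.  Assumptions: tcpdump's older
text form; pppoe0 MTU 1492 as in the post; 40 bytes of IPv4+TCP headers on
data segments; 203.0.113.10 and 192.0.2.7 are placeholder addresses.
"""
import re
from dataclasses import dataclass, field

PPPOE_MTU = 1492            # pppoe0 mtu from the post's ifconfig output
IP_TCP_HEADERS = 40         # 20-byte IPv4 header + 20-byte TCP header, no options

HDR_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)')
LEN_RE = re.compile(r'\((?P<len>\d+)\)')       # "(1460)" payload length; "(DF)" never matches
MSS_RE = re.compile(r'<[^>]*\bmss (?P<mss>\d+)')
DF_RE = re.compile(r'\(DF\)')


@dataclass
class Report:
    mss: dict = field(default_factory=dict)        # (src, dst) -> MSS advertised in that direction
    unclamped: list = field(default_factory=list)  # (src, dst, mss) where mss > mtu - 40
    oversized: list = field(default_factory=list)  # (ts, src, dst, payload) DF segments wider than the link


def analyze(lines, mtu=PPPOE_MTU):
    """Return a Report for one capture; mtu is the narrowest link on the path."""
    max_mss = mtu - IP_TCP_HEADERS                 # 1452 for a 1492-byte PPPoE link
    rep = Report()
    for line in lines:
        m = HDR_RE.match(line)
        if not m:
            continue                               # not a TCP line in the expected form
        src, dst, flags = m['src'], m['dst'], m['flags']
        if 'S' in flags:                           # SYN or SYN-ACK carries the MSS option
            mm = MSS_RE.search(line)
            if mm:
                mss = int(mm['mss'])
                rep.mss[(src, dst)] = mss
                if mss > max_mss:                  # this direction was not clamped
                    rep.unclamped.append((src, dst, mss))
        lm = LEN_RE.search(line)
        payload = int(lm['len']) if lm else 0
        # A DF packet larger than the link MTU is dropped by the forwarding
        # router; only an ICMP "fragmentation needed" tells the sender why.
        if payload + IP_TCP_HEADERS > mtu and DF_RE.search(line):
            rep.oversized.append((m['ts'], src, dst, payload))
    return rep


# Constructed capture on pppoe0 (post-NAT): the outbound SYN already clamped
# to 1440 by "scrub out on pppoe0 max-mss 1440"; the inbound SYN-ACK is not.
CAPTURE_PPPOE0 = """\
21:59:01.000001 192.0.2.7.49200 > 203.0.113.10.873: S 1000:1000(0) win 65535 <mss 1440,nop,wscale 1,nop,nop,timestamp 1 0> (DF)
21:59:01.030002 203.0.113.10.873 > 192.0.2.7.49200: S 5000:5000(0) ack 1001 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:59:01.030003 192.0.2.7.49200 > 203.0.113.10.873: . ack 1 win 65535 (DF)
21:59:01.060004 203.0.113.10.873 > 192.0.2.7.49200: . 1:1441(1440) ack 1 win 46 (DF)
""".splitlines()

# Constructed capture on the LAN side (pre-NAT): the LAN host, having been
# offered MSS 1460, sends a full-size DF segment that cannot cross pppoe0.
CAPTURE_LAN = """\
21:59:02.000005 10.0.0.200.49200 > 203.0.113.10.873: P 1:1461(1460) ack 1441 win 65535 (DF)
""".splitlines()


if __name__ == "__main__":
    for name, cap in (("pppoe0", CAPTURE_PPPOE0), ("lan", CAPTURE_LAN)):
        r = analyze(cap)
        print(name, "mss:", r.mss)
        print(name, "unclamped:", r.unclamped)
        print(name, "oversized DF segments:", r.oversized)
```

Run it against `tcpdump -n -i pppoe0 port 873` and, separately, against the same session captured on the LAN interface. An entry in `unclamped` for the server-to-gateway direction means the SYN-ACK's MSS was never rewritten, so the LAN host believes it may send 1460-byte segments; an entry in `oversized` on the LAN capture is such a segment, and whether the host ever backs off then depends on the ICMP "fragmentation needed" the gateway sends reaching it. The 40-byte header figure is a simplification: segments carrying TCP timestamps use 12 more bytes, so the real threshold is that much lower.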
