Camiel,

Thanks for all your help. It looks like it is something upstream,
because all your hints check out.

Today I tried to ssh externally to the OpenBSD firewall and what do you
think; no packets arrive at the external interface. So it must be that
damn IAS modem that is blocking everything. How on earth can they set up
something like that? Cost me a day to find out (partially my fault of
course).

Thanks again.

Nils

-----Original Message-----
From: Camiel Dobbelaar [mailto:[EMAIL PROTECTED]
Sent: Friday 16 February 2007 19:24
To: Reuvers, Nils
Cc: misc@openbsd.org
Subject: Re: ftp-proxy problem using active ftp

On Fri, 16 Feb 2007, [EMAIL PROTECTED] wrote:
> #1 client: PORT 192,168,1,56,9,96\r\n
> #1 proxy: PORT 193,172,163,50,235,99\r\n

193.172.163.50 is the correct external IP ?  Does the firewall have more
than one external IP?

> #1 server: 200 PORT command successful - not using PASV eh?\r\n
> #1 active: server to client port 2400 via port 60259
> #1 client: NLST\r\n

This looks fine.  At the point where it says "active" it has inserted the
rules.  You can check those like this:

# pfctl -sA -v
  ftp-proxy
  ftp-proxy/27568.13

# pfctl -a ftp-proxy/27568.13 -sr
pass in quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0
pass out quick inet proto tcp from 129.128.5.191 to 192.168.28.28 port = 58202 flags S/SA keep state (max 1) rtable 0

and with -sn for the nat rules.

Do those look correct?

> My PF log isn't showing anything useful regarding ftp.

Make sure all the rules have the log option set, especially the block
rules.

You can also try tcpdump on the external interface to check if the SYN
packets of the active connection are coming in.

If nothing comes in, someone upstream may be blocking.


--
Cam
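The check Camiel describes above (read the PORT lines from ftp-proxy's debug output, then look in the per-session anchor for the pass rules that ftp-proxy inserted) can be automated. The script below is an added example, not code from the thread or from the OpenBSD ftp-proxy project. It takes the two PORT lines from Nils's log as they appear in the thread; the FTP server address (198.51.100.20) and the anchor rule text are constructed sample data, and the assumption that ftp-proxy's active-mode pass rules name the client address and client port as the destination (after the rdr has translated the proxy port) is taken from the pfctl output quoted above, not from the ftp-proxy source.

```python
"""Cross-check ftp-proxy's debug log against the pf anchor rules it loaded.

Added example (not ftp-proxy project code).  Parses the
"#N client: PORT ..." / "#N proxy: PORT ..." lines printed by
ftp-proxy -d -v and the "pass in/out quick ..." lines printed by
"pfctl -a ftp-proxy/<pid>.<id> -sr", then reports which of the expected
pass rules for the active data connection are missing.
"""
import re

# FTP PORT argument: four address octets, then the port as p1*256 + p2.
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# One pass rule as printed by pfctl -sr inside the ftp-proxy anchor.
RULE_RE = re.compile(
    r"pass (in|out) quick inet proto tcp from (\S+) to (\S+) port = (\d+)"
)

# Constructed sample data.  The two PORT lines are the ones from the thread;
# the server address and anchor rules are made up for this example.
SERVER_IP = "198.51.100.20"
SAMPLE_LOG = [
    "#1 client: PORT 192,168,1,56,9,96\\r\\n",
    "#1 proxy: PORT 193,172,163,50,235,99\\r\\n",
    "#1 server: 200 PORT command successful - not using PASV eh?\\r\\n",
    "#1 active: server to client port 2400 via port 60259",
]
SAMPLE_RULES = (
    "pass in quick inet proto tcp from 198.51.100.20 to 192.168.1.56 "
    "port = 2400 flags S/SA keep state (max 1) rtable 0\n"
    "pass out quick inet proto tcp from 198.51.100.20 to 192.168.1.56 "
    "port = 2400 flags S/SA keep state (max 1) rtable 0\n"
)
# Same anchor with the "pass in" rule absent, to show a failing check.
SAMPLE_RULES_BROKEN = (
    "pass out quick inet proto tcp from 198.51.100.20 to 192.168.1.56 "
    "port = 2400 flags S/SA keep state (max 1) rtable 0\n"
)


def parse_port(line):
    """Decode a PORT command into (ip, port)."""
    m = PORT_RE.search(line)
    if not m:
        raise ValueError("no PORT command in: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_session(log_lines):
    """Return the client's original PORT and the proxy's rewritten PORT."""
    session = {}
    for line in log_lines:
        if " client: PORT " in line:
            session["client"] = parse_port(line)
        elif " proxy: PORT " in line:
            session["proxy"] = parse_port(line)
    if "client" not in session or "proxy" not in session:
        raise ValueError("log does not contain both PORT lines")
    return session


def parse_rules(text):
    """Return (direction, src, dst, port) for each pass rule in pfctl output."""
    return [(d, src, dst, int(port))
            for d, src, dst, port in RULE_RE.findall(text)]


def missing_rules(session, rules, server_ip):
    """List the expected in/out pass rules that are not in the anchor.

    Assumption (from the pfctl output in the thread): the pass rules are
    keyed on the client address and the client's data port, because the
    rdr rule has already translated the proxy's external port.
    """
    client_ip, client_port = session["client"]
    return [(d, server_ip, client_ip, client_port)
            for d in ("in", "out")
            if (d, server_ip, client_ip, client_port) not in rules]


if __name__ == "__main__":
    s = parse_session(SAMPLE_LOG)
    print("client data port %s:%d, proxy listens on %s:%d"
          % (s["client"] + s["proxy"]))
    for name, text in (("complete", SAMPLE_RULES), ("broken", SAMPLE_RULES_BROKEN)):
        gap = missing_rules(s, parse_rules(text), SERVER_IP)
        print("%s anchor: %s" % (name, "ok" if not gap else "missing %r" % gap))
```

Running it on the sample data shows the arithmetic behind the "active" line in the log (192,168,1,56,9,96 is 192.168.1.56 port 9*256+96 = 2400, and 235,99 is port 60259) and flags the broken anchor as missing its "pass in" rule. On a live firewall you would feed it the real `pfctl -a ftp-proxy/<pid>.<id> -sr` output and the server address from the ftp-proxy log; if the rules are all present and tcpdump on the external interface still shows no SYN arriving on the proxy port, the block is upstream, which is the conclusion Nils reached.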


