Camiel Dobbelaar wrote:
> What does the logging say exactly? How do you reproduce it?
When I try to connect to an ftp daemon "behind" the firewall I can see the
following entry in /var/log/messages:
/var/log/messages.2.gz:Oct 2 09:58:32 buffy ftp-proxy[21285]: #478593
proxy cannot connect to server 195.225.xx.yy: No route to host
I can try this several times, same result. In the meantime I'm able to
ping the target host from the CLI of the firewall.
> I'd guess that pf is blocking the control (port 21) connection for some
> reason. Do you have limits on states, either globally or per rule?
Hm, concerning the ftp connections I have the following entries in my
pf.conf:
vlan110 = carp110:network
vlan132 = carp132:network
vlan120 = carp120:network
vlans = "vlan110 vlan120 vlan132"
ftpPROXY_VLANs = $vlan110 $vlan132 $vlan120
# FTP proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on { em0 em1 em2 $vlans } proto tcp from any to { $ftpPROXY_VLANs } port ftp -> 127.0.0.1 port 8021
Global settings are:
set skip on lo
scrub all fragment reassemble random-id reassemble tcp
pass in keep state
pass out keep state
That's all - a clear config file :)
Maybe the limitation exists in ftp-proxy and not in the firewall?
/etc/rc.conf.local says:
ftpproxy_flags="-a <loopback-ip> -m 500"
What will happen when the maximum of 500 sessions is reached? "No route
to host" doesn't seem to be the expected message :)
> The carp interface is master the whole time?
Yep, definitely all the time.
> Cam
Regards,
Falk
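Camiel's question about state limits can be answered from the firewall itself: pfctl -si reports the current number of state entries and pfctl -sm the configured hard limits. The script below is an added example, not from Falk's or Camiel's mails and not part of OpenBSD or pf; it parses those two outputs and reports how close the state table is to its limit. The SAMPLE_SI and SAMPLE_SM texts are constructed to mimic the pfctl output format; on a real firewall you would pass the live output instead, as the comment shows.

```sh
#!/bin/sh
# Added example (not from the thread): check pf state-table usage against
# the configured hard limit. The two sample texts are constructed to look
# like pfctl output; on a real OpenBSD firewall call
#   state_usage "$(pfctl -si)" "$(pfctl -sm)"

SAMPLE_SI='Status: Enabled for 0 days 04:12:33           Debug: err

State Table                          Total             Rate
  current entries                      487
  searches                         1234567            82.1/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# state_usage <pfctl -si output> <pfctl -sm output>
# Prints "<current entries> <hard limit> <percent used>" on one line.
state_usage() {
    si="$1"; sm="$2"
    cur=$(printf '%s\n' "$si" | awk '/current entries/ {print $3}')
    lim=$(printf '%s\n' "$sm" | awk '$1=="states" && /hard limit/ {print $4}')
    # Refuse to divide when either value could not be parsed
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    pct=$(( cur * 100 / lim ))
    printf '%s %s %s\n' "$cur" "$lim" "$pct"
}

# state_ok <pfctl -si output> <pfctl -sm output> [threshold percent]
# Returns 0 while usage is below the threshold (default 90%), 1 otherwise,
# so it can be used in a cron job or monitoring check.
state_ok() {
    threshold="${3:-90}"
    set -- $(state_usage "$1" "$2") || return 1
    [ "$3" -lt "$threshold" ]
}

# Stand-alone run over the constructed samples
state_usage "$SAMPLE_SI" "$SAMPLE_SM"
state_ok "$SAMPLE_SI" "$SAMPLE_SM" && echo "state table below threshold"
```

A state table at its hard limit makes pf drop new connections rather than route them, which is the kind of symptom worth ruling out before looking at ftp-proxy's own -m session limit.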