And this was exactly it! Thanks all!
Satadru

On Nov 13, 2009, at 3:26 AM, Mitja Muženih wrote:

> Do you have multiple IPs assigned to the external interface? I was recently
> bitten by it, my NAT was cycling round-robin style between them and ftp does
> not like it if the source address of the control and data connections are not
> the same.
>
> My solution in that case was to
>
> -nat on $EXT from any to any -> ($EXT)
> +nat on $EXT from any to any -> ($EXT:0)
>
> Mitja
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of
>> Satadru Pramanik
>> Sent: Friday, November 13, 2009 6:31 AM
>> To: [email protected]
>> Subject: ftp-proxy problem on OpenBSD 4.6 with illegal port number errors on
>> NATed FTPing machines
>>
>> I upgraded an OpenBSD firewall from 4.4 -> 4.5 -> 4.6 in one go, and am
>> noticing that the ftp-proxy is only working sporadically. I keep getting
>> "Can't build data connection: illegal port number" errors when attempting to
>> ftp from a machine inside a NAT to a machine outside the NAT. I thought this
>> was a problem with the ftp-proxy settings, but I've tried both ftp-proxy with
>> and without the "-r" option. I have this problem when connecting to several
>> different ftp servers, including ftp.openbsd.org.
>>
>> It is strange. It seems that every 3rd connection or so works. The
>> pf.conf has been set up with the anchor rules as per the man page. The fact
>> that every so many attempts at a connection DOES work makes me think that
>> perhaps my setup is correct.
>>
>> Any ideas? This was working properly in 4.4.
>>
>> The only modification to the pf.conf info from the ftp-proxy man page is
>> this:
>>
>> rdr pass on $int_if proto tcp from $int_net to any port 21 -> \
>>     127.0.0.1 port 8021
>> pass out proto tcp from $proxied_if to any port 21
>>
>> (where $proxied_if replaces $proxy and represents the external interface)
>>
>> Here's what I'm running from an OS X machine inside the NAT:
>>
>> ftp -a ftp.openbsd.org
>>
>> And here's the debug output from the ftp-proxy.
>>
>> $ sudo /usr/sbin/ftp-proxy -q bulk -d -D 7
>> listening on 127.0.0.1 port 8021
>> #1 accepted connection from 192.168.19.4
>> #1 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via
>> proxy (external ip)
>> #1 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
>> #1 client close
>> #1 ending session
>> #2 accepted connection from 192.168.19.4
>> #2 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via
>> proxy (external ip)
>> #2 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
>> #2 client: USER anonymous\r\n
>> #2 server: 331 Guest login ok, send your email address as password.\r\n
>> #2 client: PASS sata...@\r\n
>> #2 server: 230- Welcome to ftp.openbsd.org at the University of Alberta
>> \r\n
>> #2 server: 230- in Edmonton, Alberta, Canada.\r\n
>> #2 server: 230- For other mirror sites visit
>> http://www.openbsd.org/ftp.html\r\n
>> #2 server: 230- \r\n
>> #2 server: 230- _____ ____ _____ _____\r\n
>> #2 server: 230- / ___ \\ | _ \\ / ____| __ \\\r\n
>> #2 server: 230- / / / /___ ___ ____ | |_) | (___ | | | |\r\n
>> #2 server: 230- / / / / __ \\/ _ \\/ __ \\| _ < \\___ \\| | | |\r\n
>> #2 server: 230- / /__/ / /_/ / __/ / / /| |_) |____) | |__| |\r\n
>> #2 server: 230- \\_____/ .___/\\___/_/ /_/ |____/|_____/|_____/\r\n
>> <snip>
>> #2 server: 230- \r\n
>> #2 server: 230- *DO NOT* mirror openbsd from this site! use one of the\r\n
>> #2 server: 230- "second level mirrors" listed at
>> http://www.openbsd.org/ftp.html\r\n
>> #2 server: 230- instead of this site. If you mirror from this site you will
>> lose \r\n
>> #2 server: 230- access to it.\r\n
>> #2 server: 230- \r\n
>> #2 server: 230- E-mail comments, questions, trouble reports, and
>> complaints\r\n
>> #2 server: 230- to [email protected]. Please drive safely.\r\n
>> #2 server: 230- \r\n
>> #2 server: 230 Guest login ok, access restrictions apply.\r\n
>> #2 client: SYST\r\n
>> #2 server: 215 UNIX Type: L8 Version: BSD-199306\r\n
>> #2 client: FEAT\r\n
>> #2 server: 500 'FEAT': command not understood.\r\n
>> #2 client: PWD\r\n
>> #2 server: 257 "/" is current directory.\r\n
>> #2 client: EPSV\r\n
>> #2 server: 229 Entering Extended Passive Mode (|||53188|)\r\n
>> #2 passive: client to server port 53188 via port 51221
>> #2 proxy: 229 Entering Extended Passive Mode (|||51221|)\r\n
>> #2 client: LIST\r\n
>> #2 server: 435 Can't build data connection: illegal port number\r\n
>> #2 client: EPSV\r\n
>> #2 server: 229 Entering Extended Passive Mode (|||64075|)\r\n
>> #2 passive: client to server port 64075 via port 52491
>> #2 proxy: 229 Entering Extended Passive Mode (|||52491|)\r\n
>> #2 client: LIST\r\n
>> #2 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n
>> #2 server: 226 Transfer complete.\r\n
>> #2 client: CWD pub\r\n
>> #2 server: 250 CWD command successful.\r\n
>> #2 client: PWD\r\n
>> #2 server: 257 "/pub" is current directory.\r\n
>> #2 client: EPSV\r\n
>> #2 server: 229 Entering Extended Passive Mode (|||53365|)\r\n
>> #2 passive: client to server port 53365 via port 50995
>> #2 proxy: 229 Entering Extended Passive Mode (|||50995|)\r\n
>> #2 client: LIST\r\n
>> #2 server: 435 Can't build data connection: illegal port number\r\n
>> #2 client: EPSV\r\n
>> #2 server: 229 Entering Extended Passive Mode (|||56168|)\r\n
>> #2 passive: client to server port 56168 via port 60721
>> #2 proxy: 229 Entering Extended Passive Mode (|||60721|)\r\n
>> #2 client: LIST\r\n
>> #2 server: 435 Can't build data connection: illegal port number\r\n
>> #2 client: EPSV\r\n
>> <etc>
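For readers landing on this thread with the same symptom, the fragment below is an added example (editor's, not something either poster sent) that spells out the rule set Mitja's two-line diff implies, in the pre-4.7 pf.conf syntax OpenBSD 4.6 used. The interface names and the internal network are assumptions; the ftp-proxy(8) anchor and redirection lines follow the man page of that release, and the rdr and pass out rules are the ones quoted in the original post. The security-relevant point is the translation address: when $ext_if carries several addresses, ($ext_if) expands to all of them and pf hands out the source address round-robin, which is exactly the mismatch between control and data connection sources that Mitja describes and that the FTP server rejects with "illegal port number". The :0 interface modifier (pf.conf(5): do not include interface aliases) pins the translation to the primary address, so every outbound session leaves from the same IP.

```pf
# Added example, not the thread's own configuration. OpenBSD 4.6 syntax.
# Interface names and the internal network below are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.19.0/24"

# Anchors that ftp-proxy(8) populates with per-session nat/rdr/pass rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Broken variant (kept commented out for comparison): with aliases on
# $ext_if this expands to every address on the interface, and pf cycles
# through them round-robin, so the proxy's control session to the FTP
# server and the translated data connection can show up at the server
# from different source addresses.
# nat on $ext_if from any to any -> ($ext_if)

# Fixed variant: ":0" excludes the interface aliases, so all outbound
# sessions are translated to the primary address of $ext_if.
nat on $ext_if from any to any -> ($ext_if:0)

# Send internal FTP control connections to the local ftp-proxy.
rdr pass on $int_if proto tcp from $int_net to any port 21 -> \
    127.0.0.1 port 8021

# Filter anchor for the proxy's dynamically added pass rules, followed by
# the rule that lets the proxy itself reach port 21 on the outside.
anchor "ftp-proxy/*"
pass out proto tcp from ($ext_if) to any port 21
```

Before reloading, `pfctl -nf /etc/pf.conf` checks the syntax, `ifconfig em0` (substitute the real interface) confirms whether more than one inet address is configured, and `pfctl -sn` shows the translation rules as loaded. If the aliases are there for other services, the fix above keeps them while taking them out of the outbound NAT pool; it does not remove them from the interface.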

