Does anyone have inbound ftp-proxy with multiple internet connections and
outbound load balancing working that can help me out?  I've been banging my
head against the wall for 3 days now trying every iteration of pf rules and
idea that I can come up with and I just can't get the data connection to
work.  I've tried having ftp-proxy listen on localhost with a redirect as
well as having it listen directly on the external interfaces with the same
issue.  I always get a control connection, but the data connection fails.
ftp-proxy was working fine in this configuration (same ftp-proxy settings,
same back-end FTP server settings, old pf.conf) prior to going to two
internet connections.  I need to get this working as it is for a customer.
Please help alleviate my ignorance.

----

From: dontek [mailto:[email protected]]  Sent: Thursday, June 10, 2010 3:04 PM

I have one last issue since I moved to OpenBSD 4.7 and started doing
outbound load balancing with two internet connections.  This is with
connection to my inbound proxy from the internet to an FTP server behind my
OpenBSD firewall which fails to make a data connection.

Running ftp-proxy in debug mode 7 logging to standard output I see
essentially the same output I get in my FTP client:

using fixed server 10.52.91.10
listening on 127.0.0.1 port 21
#1 accepted connection from 75.21.149.231
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 server: 220 mydomain.net FTP - You're In!\r\n
#1 client: USER [email protected]\r\n
#1 server: 331 Password required for ftp@ mydomain.net\r\n
#1 client: PASS blah_my_pass_blah\r\n
#1 server: 230 Logged on\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX emulated by FileZilla\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\r\n
#1 server:  MDTM\r\n
#1 server:  REST STREAM\r\n
#1 server:  SIZE\r\n
#1 server:  MLST type*;size*;modify*;\r\n
#1 server:  MLSD\r\n
#1 server:  AUTH SSL\r\n
#1 server:  AUTH TLS\r\n
#1 server:  UTF8\r\n
#1 server:  CLNT\r\n
#1 server:  MFMT\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is current directory.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Type set to I\r\n
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 client: MLSD\r\n
#1 server: 425 Can't open data connection.\r\n
#1 server: 421 Connection timed out.\r\n
#1 server close
#1 ending session

One thing I don't understand is: is this the proxy not being able to make
the data connection over the internal network to the back-end FTP server,
or is this the client not being able to make the data connection through the
proxy?

EXT_IF_1="em0"
EXT_GATE_1="xxx.xxx.xxx.xxx"

EXT_IF_2="em1"
EXT_GATE_2="xxx.xxx.xxx.xxx"

INT_IF="re0"
NETWORK="10.52.91.0/24"

SERVER="10.52.91.10"

tcp_services="{ ssh }"
icmp_types="echoreq"

set block-policy return
set loginterface none

set skip on lo

match out on $EXT_IF_1 from $NETWORK nat-to ($EXT_IF_1)
match out on $EXT_IF_2 from $NETWORK nat-to ($EXT_IF_2)

block log all

match in all scrub (no-df max-mss 1440)

antispoof quick for { lo $INT_IF }

pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port $tcp_services keep state reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port $tcp_services keep state reply-to ($EXT_IF_2 $EXT_GATE_2)

anchor "ftp-proxy/*"
pass in quick on $EXT_IF_1 inet proto tcp to $EXT_IF_1 port ftp rdr-to 127.0.0.1 port ftp reply-to ($EXT_IF_1 $EXT_GATE_1)
pass in quick on $EXT_IF_2 inet proto tcp to $EXT_IF_2 port ftp rdr-to 127.0.0.1 port ftp reply-to ($EXT_IF_2 $EXT_GATE_2)
pass in on $INT_IF proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass out on $INT_IF to $NETWORK

pass in quick on $INT_IF from $NETWORK to $INT_IF

pass in inet proto icmp all icmp-type $icmp_types

pass in on $INT_IF from $NETWORK route-to { ($EXT_IF_1 $EXT_GATE_1), ($EXT_IF_2 $EXT_GATE_2) } round-robin

pass out on $EXT_IF_1
pass out on $EXT_IF_2

pass out on $EXT_IF_1 from $EXT_IF_2 route-to ($EXT_IF_2 $EXT_GATE_2)
pass out on $EXT_IF_2 from $EXT_IF_1 route-to ($EXT_IF_1 $EXT_GATE_1)
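As an added example (not from the post and not part of ftp-proxy), the script below decodes the two 227 replies in the debug output above, cross-checks the port the proxy announced against the "via port" line, and flags an announced data address that a client at the logged public address cannot route to. The rule that a client on a private address is treated as sharing the proxy's LAN is an assumption of the example.

```python
import ipaddress
import re

# Constructed excerpt of the ftp-proxy debug output quoted in the post above
# (raw string, so the literal "\r\n" the proxy prints is kept as text).
DEBUG_LOG = r"""
#1 FTP session 1/100 started: client 75.21.149.231 to server 10.52.91.10 via proxy 10.52.91.1
#1 client: PASV\r\n
#1 server: 227 Entering Passive Mode (10,52,91,10,16,146)\r\n
#1 passive: client to server port 4242 via port 53549
#1 proxy: 227 Entering Passive Mode (192,168,0,1,209,45)\r\n
#1 server: 425 Can't open data connection.\r\n
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line: str):
    """Decode a 227 reply: four address octets, then port = p1 * 256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def reachable_from(client_ip: str, announced_ip: str) -> bool:
    """A public client needs a globally routable data address; a private
    client is assumed (example assumption) to share the proxy's LAN."""
    client = ipaddress.ip_address(client_ip)
    announced = ipaddress.ip_address(announced_ip)
    return announced.is_global or not client.is_global


def check_session(log: str) -> dict:
    """Pull both 227 replies out of one session and judge the proxy's one."""
    result = {"client": None, "server_pasv": None, "proxy_pasv": None, "via_port": None}
    for line in log.splitlines():
        m = re.search(r"started: client (\S+) to server (\S+)", line)
        if m:
            result["client"] = m.group(1)
        m = re.match(r"#\d+ (server|proxy): 227 ", line)
        if m:
            result[f"{m.group(1)}_pasv"] = parse_pasv(line)
        m = re.search(r"passive: client to server port \d+ via port (\d+)", line)
        if m:
            result["via_port"] = int(m.group(1))
    proxy_ip, proxy_port = result["proxy_pasv"]
    result["proxy_port_matches_via"] = proxy_port == result["via_port"]
    result["proxy_reachable_by_client"] = reachable_from(result["client"], proxy_ip)
    return result
```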
