Hi all, I've found a problem using passive FTP across a PF gateway (PF+NAT). Strangely, PF blocks the last packets of the control connection.

This is the setup:

    3.2-stable - 10.0.0.3 - "make fetch" (lang/egcs/stable)
        |
    [int] 10.0.0.1 - pass in/out all
    3.2-stable
    [ext] 10.1.0.1 - pass out all keep state
        |
    internet
        |
    [ftp.uvsq.fr] 193.51.24.1

I've registered all packets with tcpdump -w on the [int] and [ext] interfaces and saved them on http://hacking.openbsd.it/pf/

What is the surprise?

1) Using the display filter "tcp.srcport == 21 or tcp.dstport == 21" with ethereal you'll see that on the external interface the last 5 packets that say "download complete" are blocked by PF; in fact they are missing on the internal interface. Why? Is it a problem with too short a state timeout? I'm using default settings.

2) If I use another application like Lynx instead of "ftp", used by "make fetch", I have no problem. OpenBSD "ftp" receives all of the file, but after that freezes waiting for the "download finished" packets on the control connection, which are blocked by PF. (Also wget seems to be affected.) Probably other applications, like Lynx, simply close sockets without waiting for such packets. Which is smarter?

Could anyone try something with a -current setup?

Thanks.
Ed
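Added example, not from Ed's post or the captures he linked: a small Python script doing the comparison he describes offline, listing control-channel (port 21) packets that appear on the [ext] capture but never on [int]. The pcap bytes are constructed inline to mimic the setup (server 193.51.24.1, NAT address 10.1.0.1, client 10.0.0.3); the port numbers, sequence numbers and the "226" reply are assumptions.

```python
import struct
from ipaddress import IPv4Address

FIN, ACK, PSH = 0x01, 0x10, 0x08
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet

def tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (constructed sample data; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file, as tcpdump -w would write."""
    return PCAP_HEADER + b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def control_packets(data):
    """(server_ip, flags, seq, ack) for every TCP port-21 packet; seq/ack and the
    server address survive NAT, so the key matches across the int and ext captures."""
    keys, off = [], len(PCAP_HEADER)
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        sport, dport, seq, ack, _, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
        if 21 in (sport, dport):
            keys.append((dst if dport == 21 else src, flags, seq, ack))
    return keys

def missing_on_internal(ext_pcap, int_pcap):
    """Control-channel packets captured on [ext] that never appeared on [int]."""
    seen_inside = set(control_packets(int_pcap))
    return [k for k in control_packets(ext_pcap) if k not in seen_inside]

# Constructed captures: the server's "226" reply reaches both sides, its FIN does not.
SERVER, NAT_ADDR, CLIENT = "193.51.24.1", "10.1.0.1", "10.0.0.3"
done = b"226 Transfer complete.\r\n"
EXT_CAPTURE = pcap([
    tcp_frame(SERVER, 20, NAT_ADDR, 40001, 9000, 1, ACK),              # data channel, ignored
    tcp_frame(SERVER, 21, NAT_ADDR, 40000, 1000, 500, PSH | ACK, done),
    tcp_frame(SERVER, 21, NAT_ADDR, 40000, 1000 + len(done), 500, FIN | ACK),
])
INT_CAPTURE = pcap([tcp_frame(SERVER, 21, CLIENT, 40000, 1000, 500, PSH | ACK, done)])
```

Running `missing_on_internal` on the two real files would print the server-side packets (here the FIN) that PF dropped between [ext] and [int], keyed so NAT's address rewrite does not hide the match.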
