Hi, a couple of quick questions on pf and ftp. I had this working fine
for a couple months and then suddenly it started failing. I had applied
the ftp-reverse-proxy patch to my machine when I initially set this up
and all was working fine. No other changes were made to the machine. 
Here's the problem I see: 

IIS 5 ftp on a separate machine behind the PF box.

All worked like a charm until about 2 weeks ago. Now when you try to ftp
in you get prompted for a user id and password. You input these and you
get authenticated by the ftp server fine. You are then presented with an
ftp prompt. Once you do a dir or ls to see the file listing it hangs and
just sits there. The ftp server shows the session, with the user logged
in. The only error I can find is user x.x.x.x timed out after x seconds
on the ftp server.

It seems to me that the data connection isn't finding its way back out,
but for some reason the authentication process is. My rule keeps state,
here are the ftp rules I'm using (probably wrapped):

#RDR to FTP server
rdr on $outside proto tcp from any to any port 21 -> $ftp_server port 21

#FTP rules
pass in quick log on $outside proto tcp from any to $ftp_server port { 20, 21 } keep state
pass out quick log on $outside proto tcp from $ftp_server port 1023 >< 5000 to any flags S/SA keep state
(MS ftp uses ports 1023-5000 for passive ftp by default)

I've also tried these in place of the last rule (silly I know but I'm
frustrated)
pass out quick log on $outside proto tcp from $ftp_server to any flags S/SA keep state
pass out quick log on $outside proto tcp from $ftp_server to any keep state

I've now upgraded to 3.3, and I am still experiencing the same issue.
Aside from help with the above, does 3.3 need the ftp-reverse-proxy
patch?

Thanks for any assistance.

Wayne
