I should have sent this to pf@ instead of misc@ originally..

Date: Thu, 22 Dec 2005 14:57:59 -0600
To: [email protected]
Subject: Weird Issue with FTP and pf(8)
Here's something strange. I'm trying to connect from a pf gateway to an ftp server and it's failing in a very specific manner. Going through the pf gateway works fine using passive mode, but from the gateway itself using ftp(1) doesn't seem to work. Observe:

    $ ftp ftp.example.org
    [ login as anonymous ]
    ftp> ls
    229 Entering Extended Passive Mode (|||62283|)
    435 Can't build data connection: No such file or directory.
    ftp> ls
    229 Entering Extended Passive Mode (|||50641|)
    150 Opening ASCII mode data connection for '/bin/ls'.
    total 16
    drwxr-xr-x  10 1000  1000  512 Nov 15 15:10 OpenBSD
    226 Transfer complete.

Why would I be getting a failed LIST the first time? This is very reproducible: basically every second time a "dir" or "ls" will work.

Here's my pf from the host connecting to the FTP server. The machine these rules are from is 3.8-STABLE.

    ## blah = "10.18.209.66"
    binat on $ext_if from 192.168.217.244 to any -> $blah
    nat on $ext_if from any to any -> ($ext_if)
    rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    scrub out all no-df random-id max-mss 1440 fragment reassemble
    scrub in all no-df min-ttl 2 fragment reassemble
    block return log all label "any-block-log"
    block drop log from <idiots> to any
    block drop in log on ! em0 inet from 10.18.209.0/24 to any label "em0-antispoof"
    block drop in log on ! em0 inet from 10.18.209.48 to any label "em0-antispoof"
    block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label "em0-antispoof"
    block drop in log inet from 10.18.209.79 to any label "any-antispoof"
    block drop in log inet from 10.18.209.48 to any label "any-antispoof"
    block drop in log on ! rl0 inet from 192.168.217.240/28 to any label "rl0-antispoof"
    block drop in log inet from 192.168.217.241 to any label "any-antispoof"
    block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label "rl0-antispoof"
    pass out quick proto tcp from any port = ssh to any flags S/SA modulate state queue(ssh_dfl, ssh_pri)
    pass out quick inet proto tcp from any port = 3128 to any flags A/A keep state queue http
    pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 flags S/SA keep state label "ftpproxy"
    pass out quick proto tcp from any port = www to any flags A/A keep state queue httplo
    pass out quick proto tcp from any port = https to any flags S/SA modulate state queue http
    pass out quick proto tcp from any port = smtp to any flags S/SA modulate state queue smtp
    pass out quick proto tcp from any port = domain to any flags S/SA modulate state queue dns_tcp
    pass out quick proto tcp from any to any port = domain keep state queue dns_tcp
    pass out quick proto udp from any to any port = domain keep state queue dns_udp
    pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
    pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
    pass out quick proto udp all keep state queue udp
    pass out quick inet proto icmp all keep state queue icmp
    pass out quick inet6 proto ipv6-icmp all keep state queue icmp
    pass out quick all queue default
    block return-rst log proto tcp all flags /S queue default
    block return-rst log proto tcp all flags A/A queue default
    pass in on rl0 inet proto udp from any to any port = bootps keep state label "rl0-bootps-in"
    pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = domain keep state label "rl0-domain-udp-in"
    pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = domain modulate state label "rl0-domain-tcp-in"
    pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = ntp keep state label "rl0-ntp-in"
    pass in inet6 proto ipv6-icmp all icmp6-type toobig
    pass in inet6 proto ipv6-icmp all icmp6-type paramprob
    pass in inet6 proto ipv6-icmp all icmp6-type routeradv
    pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
    pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
    pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
    pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
    pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
    pass in inet proto icmp all icmp-type echoreq keep state
    pass in proto tcp from any to any port = auth modulate state label "any-identd-in"
    pass in proto tcp from any to any port = smtp modulate state label "any-smtp-in"
    pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 flags S/SA modulate state
    pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 keep state
    pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 keep state
    pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
    pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = ssh modulate state
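The post hinges on the passive-mode replies the server sends on the FTP control channel: the client (or any application proxy sitting in front of it, such as the one the rdr rule above sends port 21 to) has to read the `229` reply, extract the announced port and make sure a matching data connection is allowed before the client opens it. The following is an added illustration of that parsing step; it is not code from the post, from ftp(1) or from any ftp proxy. It handles both the RFC 959 `227 PASV` form and the RFC 2428 `229 EPSV` form, rejects out-of-range ports, and returns None for replies that announce no data connection (such as the `435` error quoted above). The sample replies are the ones quoted in the post plus two constructed lines; the server address 192.0.2.10 is a constructed documentation address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the control-channel replies quoted in the post,
# plus one PASV reply and one out-of-range EPSV reply to exercise the
# remaining code paths. 192.0.2.10 is a constructed documentation address.
SAMPLE_REPLIES = [
    "229 Entering Extended Passive Mode (|||62283|)",
    "435 Can't build data connection: No such file or directory.",
    "229 Entering Extended Passive Mode (|||50641|)",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "229 Entering Extended Passive Mode (|||70000|)",
]


@dataclass(frozen=True)
class DataEndpoint:
    # host is None for EPSV: the data connection goes to the control-channel peer
    host: Optional[str]
    port: int


# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2), port = p1 * 256 + p2
_PASV_RE = re.compile(
    r"^227\D*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 ... (<d><d><d><tcp-port><d>), delimiter is usually '|'
_EPSV_RE = re.compile(r"^229\D*\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(line: str) -> Optional[DataEndpoint]:
    """Return the data-connection endpoint announced by a PASV/EPSV reply,
    or None when the line is not a well-formed passive-mode reply."""
    m = _PASV_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()[:4]]
        p1, p2 = int(m.group(5)), int(m.group(6))
        # Each field is one byte; anything larger is a malformed reply.
        if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
            return None
        port = p1 * 256 + p2
        if port == 0:
            return None
        return DataEndpoint(host=".".join(str(o) for o in octets), port=port)

    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        # \d{1,5} admits values above 65535, so range-check explicitly.
        if not 1 <= port <= 65535:
            return None
        return DataEndpoint(host=None, port=port)

    # Any other reply (including the 435 error in the post) announces no data connection.
    return None


def expected_data_connection(reply: str, server_ip: str) -> Optional[str]:
    """Describe the outbound TCP connection the client will open for this
    reply, i.e. the flow a tracking proxy or firewall must permit first."""
    ep = parse_passive_reply(reply)
    if ep is None:
        return None
    return f"tcp client -> {ep.host or server_ip}:{ep.port}"


def summarize(replies: List[str], server_ip: str) -> List[Optional[str]]:
    """Run every reply through expected_data_connection, preserving order."""
    return [expected_data_connection(r, server_ip) for r in replies]


if __name__ == "__main__":
    for reply, result in zip(SAMPLE_REPLIES, summarize(SAMPLE_REPLIES, "192.0.2.10")):
        print(f"{reply!r:60} -> {result}")
```

Run against the two `229` lines from the post, the parser yields ports 62283 and 50641 with no host (EPSV reuses the control-channel peer), while the `435` line yields nothing, which is the distinction a proxy relies on when deciding whether a state for the data connection needs to exist at all.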
