pf.conf, ftp-proxy & not working ftp in active mode

Hello,

OpenBSD 3.6, pf, NAT. When trying to connect to an outside FTP server in active mode, I get:

---8<----------------------------------------------------
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful

(after a minute)

425 Unable to build data connection: Connection timed out
---8<----------------------------------------------------

After 'pfctl -F all', ftp works in active mode too, although only from localhost :)

Configuration:
/etc/inetd.conf
127.0.0.1:8021 stream tcp       nowait  root    /usr/libexec/ftp-proxy ftp-proxy

/etc/pf.conf
nat on $ext_IF from <hosts> to any -> $ext_IF
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from port 20 to ($ext_IF) \
    user proxy flags S/SA keep state


After adding
pass in on $ext_IF proto tcp from any to $ext_IF port >= 49152 \
    flags S/SA keep state

active mode FTP works from localhost, but not from LAN computers. From them I get:

---8<----------------------------------------------------
230 Anonymous access granted, restrictions apply.
ftp> ls
200 PORT command successful
Connection closed by remote host.
---8<----------------------------------------------------

Any ideas what I have missed?
Asked by tapkep
jjk16 commented:
Check your firewall; I've seen this issue before, and it usually has to do with ports 20 and 21. Here is my post,
as I had the same problem...

it has some good reading on active, passive

http://www.experts-exchange.com/Hardware/Routers/Q_21045493.html

Although the Unix/FreeBSD variable is always there, so I will yield authority to any *nix gurus, this looks like a ports/firewall issue.

tapkep (author) commented:
It *is* a firewall issue. I tried to follow the examples provided on the OpenBSD page and elsewhere, but the firewall still does not work as it is supposed to.
tapkep (author) commented:
Just realized that there is a Security/Firewalls topic :-/
Anyway, if the question gets answered here, I will accept it too.

jjk16: I have studied your question with its answer. I still don't know what part I am missing in my configuration.

jjk16 commented:
rdr on $int_IF inet proto tcp from any to any port 20 -> 127.0.0.1 port 8020      

Try adding that; I don't think the ftp-data (port 20) connections are opening (I do not know the exact syntax for your firewall conf file).

I'm almost positive that port 20 is not allowed past the firewall to your FTP server.

"With FTP, you're dealing with two separate connections. One initiated by you to the server, and another that's initiated by the server to you. These are two discretely different tcp sessions."

tapkep (author) commented:
Stupid mistakes are the most difficult to detect :)
All I needed was 'block on $ext_IF all' instead of 'block all'. Now that I know what should be done, I will be able to tighten the rules.

BTW, quite a nice howto is http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

tapkep (author) commented:
Right now, the raw configuration is:
/etc/pf.conf:
------------------------------------------------------------------------------
ext_IF  = "de0"
int_IF  = "rl0"
int_net = "xxx.xxx.xxx.0/24"
all_IF  = "{" $ext_IF $int_IF "}"

table <hosts> { 127.0.0.1, xxx.xxx.xxx.xxx }
isp_dns  = "{ xxx.xxx.xxx.xxx }"

scrub in all

nat on $ext_IF from <hosts> to any -> $ext_IF

# FTP proxy (for outgoing connections)
rdr on $int_IF inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

antispoof for $ext_IF

block on $ext_IF all

block return-rst in log on $ext_IF inet proto tcp from any to any port = 113
block in quick on $all_IF inet proto tcp  from any  to any  flags PUF/PUF
block in quick on $all_IF inet from any to $int_IF:broadcast

pass out on $ext_IF inet proto tcp from <hosts> to any flags S/SA modulate state
pass out on $ext_IF inet proto udp from <hosts> to any keep state
pass out on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state

pass in on $ext_IF inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_IF inet proto tcp from any port 20 to \
    $ext_IF port >= 49152 user proxy flags S/SA keep state
pass out on $ext_IF inet proto tcp from $ext_IF to any \
    port 20 flags S/AUPRFS modulate state

pass in on $int_IF all keep state
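The difference between `block all` and `block on $ext_IF all` is which interfaces the default block covers. With `block all`, any connection the gateway itself opens towards the LAN on $int_IF has no matching `pass out` rule and is dropped; with `block on $ext_IF all`, traffic on $int_IF that matches no rule falls through to pf's default of pass. The following is an added illustration, not the poster's configuration and not pf itself: a toy re-implementation of pf's "last matching rule wins" evaluation, applied to a hand-reduced subset of the rules above and to one representative packet per leg of an active-mode FTP session through ftp-proxy. The fourth leg (the proxy connecting out on $int_IF to the client's PORT address) is my reading of why LAN clients saw "Connection closed by remote host" while localhost worked; the port numbers are constructed, and state tracking is ignored (each leg is modelled as its opening SYN).

```python
"""Toy model of pf rule evaluation (last matching rule wins, 'quick' ends
the search, no match means pass). Added example; not pf, not the posted
/etc/pf.conf, and the packet legs are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EXT, INT = "de0", "rl0"   # $ext_IF and $int_IF from the thread


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the gateway
    iface: str                # interface the packet crosses
    proto: str                # "tcp", "udp", "icmp"
    src_port: Optional[int]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None: both directions
    iface: Optional[str] = None         # None: every interface ("all")
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    min_dst_port: Optional[int] = None  # models 'port >= N'
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return all([
            self.direction in (None, p.direction),
            self.iface in (None, p.iface),
            self.proto in (None, p.proto),
            self.src_port in (None, p.src_port),
            self.dst_port in (None, p.dst_port),
            self.min_dst_port is None
            or (p.dst_port is not None and p.dst_port >= self.min_dst_port),
        ])


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """pf semantics: the last matching rule decides, unless a matching rule
    is 'quick', which decides immediately. No match at all means pass."""
    verdict = "pass"
    for r in rules:
        if r.matches(packet):
            verdict = r.action
            if r.quick:
                break
    return verdict


def ruleset(block_everywhere: bool) -> List[Rule]:
    """Hand-reduced version of the posted filter rules.
    block_everywhere=True  models 'block all'            (the broken form)
    block_everywhere=False models 'block on $ext_IF all' (the fix)"""
    return [
        Rule("block", iface=None if block_everywhere else EXT),
        # pass out on $ext_IF inet proto tcp from <hosts> to any ...
        Rule("pass", "out", EXT, "tcp"),
        # pass in on $ext_IF ... from any port 20 to $ext_IF port >= 49152
        Rule("pass", "in", EXT, "tcp", src_port=20, min_dst_port=49152),
        # pass out on $ext_IF ... from $ext_IF to any port 20
        Rule("pass", "out", EXT, "tcp", dst_port=20),
        # pass in on $int_IF all keep state
        Rule("pass", "in", INT),
    ]


# One constructed packet per leg of an active-mode session through ftp-proxy.
SESSION: Dict[str, Packet] = {
    "client -> proxy control (rdr'd to 127.0.0.1:8021)": Packet("in", INT, "tcp", 40000, 21),
    "proxy -> server control":                           Packet("out", EXT, "tcp", 40001, 21),
    "server:20 -> proxy data (rewritten PORT)":          Packet("in", EXT, "tcp", 20, 50000),
    "proxy -> client data (client's PORT address)":      Packet("out", INT, "tcp", 20, 40002),
}


def walk(block_everywhere: bool) -> Dict[str, str]:
    """Verdict for every leg of the session under the chosen ruleset."""
    rules = ruleset(block_everywhere)
    return {leg: evaluate(rules, pkt) for leg, pkt in SESSION.items()}


def blocked_legs(block_everywhere: bool) -> List[str]:
    return [leg for leg, v in walk(block_everywhere).items() if v == "block"]


if __name__ == "__main__":
    for label, flag in (("block all", True), ("block on $ext_IF all", False)):
        print(f"== {label} ==")
        for leg, verdict in walk(flag).items():
            print(f"  {verdict:5}  {leg}")
```

Run as a script it prints the verdict per leg for both rulesets; under `block all` only the proxy-to-client data leg on $int_IF is blocked, which matches the symptom of the control connection succeeding and the data connection being closed. The model deliberately leaves out state entries: in real pf the `keep state` on `pass in on $int_IF` lets the client's control connection replies back out, but it does nothing for a brand-new connection the gateway initiates towards the LAN.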
jjk16 commented:
Thanks for the post, hopefully this will help someone else as well.