It looks like it was a TCP windowing problem.  The command "sysctl -w
net.inet.tcp.rfc1323=0" fixed the problem.

Thanks for all of the suggestions and help.


On Fri, Jan 8, 2010 at 7:51 AM, M. Keith Thompson
<m.keith.thomp...@gmail.com> wrote:
> On Thu, Jan 7, 2010 at 10:18 PM, J65nko <j65...@gmail.com> wrote:
>> On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson
>> <m.keith.thomp...@gmail.com> wrote:
>>> On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65...@gmail.com> wrote:
>>>>> # SSH from NetEng subnet
>>>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port
>>>>> 22 keep state
>>>>>
>>>>> # Allow inside network to ping the server
>>>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>>>
>>>>> # Allow DNS lookups
>>>>> pass out quick on $ext_if proto udp to any port 53
>>>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>>>
>>>>> # Allow ftp
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep 
>>>>> state
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
>>>>> port 20 keep state
>>>>>
>>>>> --- end of pf.conf  ----------------------
>>
>> With ftp the client initiates the ftp command channel
>>   client:port >1023   ---> server:port 21
>>
>> The passive ftp data channel is initiated by the client
>>    client:port >1023  ---> server:port>1023
>>
>> Your second rule takes care of this
>>
>> The active ftp data channel is initiated by the ftp server
>> using, and that is kind of weird, port 20 (ftp-data) as source port.
>>      server:port 20   ---> client:port >1023
>>
>> You meant to pass active ftp with this rule:
>>
>>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
>>>>> port 20 keep state
>>
>> But it should be:
>>    pass out quick on $ext_if inet proto tcp from any port ftp-data
>>    to $ext_IP port > 10000 keep state
>
> I will make that change
>
>> BTW you have a nice pf debug friendly "block log all" default policy.
>> Does "tcpdump -eni pflog0" on the pf box show any blocked packets?
>
> tcpdump of the pflog0 does not show any packets from or to the IP in question.
>
>> RE: ftp-proxy
>> This just adds complexity; after everything is working you could add it in.
>>
>> RE: active ftp user requirement
>> Yes, I understand, it is the users who help us pay our mortgage ;)
>>
>
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
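As an added example (not a rule set posted by anyone in the thread), the FTP portion of a pf.conf for the server in this thread, with the active-FTP rule that was flagged above placed next to a replacement written in the direction the thread describes (server:20 -> client:>1023, opened by the server). The interface name and address are assumed placeholders; the 49151 passive boundary is the value the original ruleset used and must match whatever range the FTP daemon actually announces in its PASV replies.

```pf
# Added example, not from the original thread. Macros below are assumptions.
ext_if = "em0"          # assumed external interface
ext_IP = "192.0.2.10"   # assumed server address (documentation range)

# Command channel: client:>1023 -> server:21, initiated by the client.
pass in quick on $ext_if inet proto tcp from any to $ext_IP port 21 flags S/SA keep state

# Passive data channel: client:>1023 -> server:>1023, also initiated by the
# client. The range must cover the ports the FTP daemon hands out in PASV.
pass in quick on $ext_if inet proto tcp from any to $ext_IP port > 49151 flags S/SA keep state

# Active data channel: server:20 -> client:>1023, initiated by the SERVER.
# The original ruleset modelled it as an inbound connection to port 20:
#   pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
# That rule does not cover the data connection, because the SYN leaves the
# box outbound with ftp-data (20) as its SOURCE port. Pass it in the
# direction it is actually opened; state then admits the client's reply.
pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data to any port > 1023 flags S/SA keep state
```

With a "block log all" default policy, an outbound SYN from port 20 that no pass out rule matches shows up on pflog0 with `tcpdump -eni pflog0`, so that capture is the quickest way to confirm whether the active data channel is the piece being blocked before touching the rules.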
