random nat, ftp clients and 425: Securiy: Bad IP connecting

Hrvoje Popovski Mon, 27 Feb 2012 13:25:06 -0800

hello everyone,

i'm having problem with ftp communication. when ftp client behindopenbsd 5.0 firewall connects to ftp server or servers

they see 425: Securiy: Bad IP connecting.

openbsd has random nat with pool of /27 public addresess and insidehosts connect through that pool.when ftp-proxy is enabled or nat is configured without random natoption, everything is working like charm. problem is that i need thatcrazy random stuff :)

is there any option to rotate ip adrese per ftp session?

thank you.



pf.conf:
anchor "ftp-proxy/*"

pass in quick on $intif14 inet proto tcp to port ftp divert-to 127.0.0.1port 8021


match out on $outif proto tcp from 10.10.0.0/16 to port 25 nat-to $outif
match out on $outif from <nat01> nat-to 11.11.11.224/27 random
match out on $outif from <nat02> nat-to carp39

block in quick on $outif from <bogus>
block in log on $outif
pass in on $outif inet proto icmp icmp-type $icmp_types
pass in on $outif from <admins>
pass out

anchor "relayd/*"

pass in on $outif inet proto udp to 11.11.11.158 port 1194
pass in on $outif inet proto tcp to <webs> port www

pass in on $outif inet proto tcp to 11.11.11.134 port 8080 rdr-to10.10.13.20pass in on $outif inet proto tcp to 11.11.11.136 port 8888 rdr-to10.10.13.12pass in on $outif inet proto tcp to 11.11.11.136 port { 80 443 } rdr-to10.10.13.14pass in on $outif inet proto tcp to 11.11.11.137 port 80 rdr-to10.10.13.11 port 8000

pass in on $outif inet proto tcp to 11.11.11.137 port 25 rdr-to 10.10.13.25

pass in on $outif inet proto tcp to 11.11.11.138 port { 21 64000:65535 }rdr-to 10.10.13.20pass in on $outif inet proto tcp from <tablica1> to 11.11.11.136 port 25rdr-to 10.10.13.24pass in on $outif inet proto tcp from <tablica2> to 11.11.11.134 port1433 rdr-to 10.10.13.20pass in on $outif inet proto tcp from <tablica3> to 11.11.11.134 port4848 rdr-to 10.10.13.20



log:
ftp server: 22.22.22.22
ftp client: 11.11.11.11

[hrvoje@host01 ~]# ftp 22.22.22.22
Connected to ftp.server
220 (vsFTPd 2.3.2)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
Name (ftp.server:hrvoje): hrvoje
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (22,22,22,22,195,180).
425 Security: Bad IP connecting.
ftp> quit



tcpdump on ftp server:

21:10:55.108307 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [S], seq1823690160, win 5840, options [mss 1460,sackOK,TS val 1372058329 ecr0,nop,wscale 7], length 021:10:55.108376 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [S.], seq2763428539, ack 1823690161, win 5792, options [mss 1460,sackOK,TS val761964500 ecr 1372058329,nop,wscale 7], length 021:10:55.109439 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack1, win 46, options [nop,nop,TS val 1372058330 ecr 761964500], length 021:10:55.111861 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq1:21, ack 1, win 46, options [nop,nop,TS val 761964500 ecr 1372058330],length 2021:10:55.113298 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack21, win 46, options [nop,nop,TS val 1372058334 ecr 761964500], length 021:10:55.113323 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq1:14, ack 21, win 46, options [nop,nop,TS val 1372058334 ecr 761964500],length 1321:10:55.113337 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [.], ack14, win 46, options [nop,nop,TS val 761964501 ecr 1372058334], length 021:10:55.113454 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq21:59, ack 14, win 46, options [nop,nop,TS val 761964501 ecr1372058334], length 3821:10:55.114089 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq14:32, ack 59, win 46, options [nop,nop,TS val 1372058335 ecr761964501], length 1821:10:55.114155 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq59:97, ack 32, win 46, options [nop,nop,TS val 761964501 ecr1372058335], length 3821:10:55.155151 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack97, win 46, options [nop,nop,TS val 1372058376 ecr 761964501], length 021:10:57.098891 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq32:45, ack 97, win 46, options [nop,nop,TS val 1372060320 ecr761964501], length 1321:10:57.099137 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq97:131, ack 45, win 46, options [nop,nop,TS val 761964997 ecr1372060320], length 3421:10:57.099962 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack131, win 46, options [nop,nop,TS val 1372060321 ecr 761964997], length 021:10:59.434184 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq45:61, ack 131, win 46, options [nop,nop,TS val 1372062655 ecr761964997], length 1621:10:59.449204 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq131:154, ack 61, win 46, options [nop,nop,TS val 761965585 ecr1372062655], length 2321:10:59.450565 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack154, win 46, options [nop,nop,TS val 1372062671 ecr 761965585], length 021:10:59.450591 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq61:67, ack 154, win 46, options [nop,nop,TS val 1372062671 ecr761965585], length 621:10:59.450714 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq154:173, ack 67, win 46, options [nop,nop,TS val 761965585 ecr1372062671], length 1921:10:59.491426 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack173, win 46, options [nop,nop,TS val 1372062713 ecr 761965585], length 021:11:00.574800 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq67:73, ack 173, win 46, options [nop,nop,TS val 1372063796 ecr761965585], length 621:11:00.575529 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq173:224, ack 73, win 46, options [nop,nop,TS val 761965866 ecr1372063796], length 5121:11:00.576740 IP 11.11.11.249.60279 > 22.22.22.22.37350: Flags [S],seq 1825291796, win 5840, options [mss 1460,sackOK,TS val 1372063798 ecr0,nop,wscale 7], length 021:11:00.576892 IP 22.22.22.22.37350 > 11.11.11.249.60279: Flags [S.],seq 708257433, ack 1825291797, win 5792, options [mss 1460,sackOK,TS val761965867 ecr 1372063798,nop,wscale 7], length 021:11:00.576906 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack224, win 46, options [nop,nop,TS val 1372063798 ecr 761965866], length 021:11:00.578023 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq73:79, ack 224, win 46, options [nop,nop,TS val 1372063799 ecr761965866], length 621:11:00.578038 IP 11.11.11.249.60279 > 22.22.22.22.37350: Flags [.],ack 1, win 46, options [nop,nop,TS val 1372063799 ecr 761965867], length 021:11:00.578611 IP 22.22.22.22.37350 > 11.11.11.249.60279: Flags [F.],seq 1, ack 1, win 46, options [nop,nop,TS val 761965867 ecr 1372063799],length 021:11:00.578749 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq224:258, ack 79, win 46, options [nop,nop,TS val 761965867 ecr1372063799], length 3421:11:00.578764 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq258:268, ack 79, win 46, options [nop,nop,TS val 761965867 ecr1372063799], length 1021:11:00.578772 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq268:273, ack 79, win 46, options [nop,nop,TS val 761965867 ecr1372063799], length 521:11:00.578778 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [P.], seq273:275, ack 79, win 46, options [nop,nop,TS val 761965867 ecr1372063799], length 221:11:00.579679 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [FP.],seq 275:297, ack 79, win 46, options [nop,nop,TS val 761965867 ecr1372063799], length 2221:11:00.579967 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack275, win 46, options [nop,nop,TS val 1372063801 ecr 761965867], length 021:11:00.580132 IP 11.11.11.249.60279 > 22.22.22.22.37350: Flags [.],ack 2, win 46, options [nop,nop,TS val 1372063801 ecr 761965867], length 021:11:00.620384 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [.], ack298, win 46, options [nop,nop,TS val 1372063842 ecr 761965867], length 021:11:05.453071 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [P.], seq79:85, ack 298, win 46, options [nop,nop,TS val 1372068674 ecr761965867], length 621:11:05.453104 IP 22.22.22.22.ftp > 11.11.11.247.55299: Flags [R], seq2763428837, win 0, length 021:11:05.453116 IP 11.11.11.247.55299 > 22.22.22.22.ftp: Flags [R.], seq85, ack 298, win 46, options [nop,nop,TS val 1372068674 ecr 761965867],length 021:11:05.453121 IP 11.11.11.249.60279 > 22.22.22.22.37350: Flags [F.],seq 1, ack 2, win 46, options [nop,nop,TS val 1372068674 ecr 761965867],length 021:11:05.453129 IP 22.22.22.22.37350 > 11.11.11.249.60279: Flags [.],ack 2, win 46, options [nop,nop,TS val 761967086 ecr 1372068674], length 0




dmesg:
OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6428266496 (6130MB)
avail mem = 6243024896 (5953MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xcf49c000 (78 entries)
bios0: vendor Dell Inc. version "1.6.3" date 02/07/2011
bios0: Dell Inc. PowerEdge R410
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5

acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HESTBERT EINJ SRAT TCPA SSDT

acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 32 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.35 MHz

cpu0:FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 34 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz

cpu1:FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG

cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 50 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz

cpu2:FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG

cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 52 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5630 @ 2.53GHz, 2527.00 MHz

cpu3:FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG

cpu3: 256KB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 20, 24 pins
ioapic1 at mainbus0: apid 1 pa 0xfec80000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (PEX3)
acpiprt3 at acpi0: bus 3 (PEX7)
acpiprt4 at acpi0: bus -1 (PEX9)
acpiprt5 at acpi0: bus -1 (PEXA)
acpiprt6 at acpi0: bus -1 (SBEX)
acpiprt7 at acpi0: bus 4 (COMP)
acpicpu0 at acpi0: C3, C1
acpicpu1 at acpi0: C3, C1
acpicpu2 at acpi0: C3, C1
acpicpu3 at acpi0: C3, C1
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 5500 Host" rev 0x13
ppb0 at pci0 dev 1 function 0 "Intel X58 PCIE" rev 0x13
pci1 at ppb0 bus 1
bnx0 at pci1 dev 0 function 0 "Broadcom BCM5716" rev 0x20: apic 1 int 4
bnx1 at pci1 dev 0 function 1 "Broadcom BCM5716" rev 0x20: apic 1 int 16
ppb1 at pci0 dev 3 function 0 "Intel X58 PCIE" rev 0x13
pci2 at ppb1 bus 2
mpi0 at pci2 dev 0 function 0 "Symbios Logic SAS1068E" rev 0x08: msi
scsibus0 at mpi0: 112 targets

sd0 at scsibus0 targ 0 lun 0: <Dell, VIRTUAL DISK, 1028> SCSI3 0/directfixed naa.600508e000000000e6705124f0cfe904

sd0: 139392MB, 512 bytes/sector, 285474816 sectors

ses0 at scsibus0 targ 8 lun 0: <DP, BACKPLANE, 1.07> SCSI3 13/enclosureservices fixed t10.DP_BACKPLANE000000

ppb2 at pci0 dev 7 function 0 "Intel X58 PCIE" rev 0x13: msi
pci3 at ppb2 bus 3

ix0 at pci3 dev 0 function 0 "Intel 10GbE SFP+ (82599)" rev 0x01: msi,address 00:1b:21:9e:6e:a0ix1 at pci3 dev 0 function 1 "Intel 10GbE SFP+ (82599)" rev 0x01: msi,address 00:1b:21:9e:6e:a1

"Intel X58 Misc" rev 0x13 at pci0 dev 20 function 0 not configured
"Intel X58 GPIO" rev 0x13 at pci0 dev 20 function 1 not configured
"Intel X58 RAS" rev 0x13 at pci0 dev 20 function 2 not configured
uhci0 at pci0 dev 26 function 0 "Intel 82801JI USB" rev 0x00: apic 0 int 17
uhci1 at pci0 dev 26 function 1 "Intel 82801JI USB" rev 0x00: apic 0 int 18
ehci0 at pci0 dev 26 function 7 "Intel 82801JI USB" rev 0x00: apic 0 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
uhci2 at pci0 dev 29 function 0 "Intel 82801JI USB" rev 0x00: apic 0 int 21
uhci3 at pci0 dev 29 function 1 "Intel 82801JI USB" rev 0x00: apic 0 int 20
uhci4 at pci0 dev 29 function 2 "Intel 82801JI USB" rev 0x00: apic 0 int 21
uhci5 at pci0 dev 29 function 3 "Intel 82801JI USB" rev 0x00: apic 0 int 20
ehci1 at pci0 dev 29 function 7 "Intel 82801JI USB" rev 0x00: apic 0 int 21
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x90
pci4 at ppb3 bus 4
vga1 at pci4 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801JIR LPC" rev 0x00

pciide0 at pci0 dev 31 function 2 "Intel 82801JI SATA" rev 0x00: DMA,channel 0 configured to native-PCI, channel 1 configured to native-PCI

pciide0: using apic 0 int 23 for native-PCI interrupt

pciide1 at pci0 dev 31 function 5 "Intel 82801JI SATA" rev 0x00: DMA,channel 0 wired to native-PCI, channel 1 wired to native-PCI

pciide1: using apic 0 int 22 for native-PCI interrupt
atapiscsi0 at pciide1 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets

cd0 at scsibus1 targ 0 lun 0: <TEAC, DVD-ROM DV-28SW, R.2A> ATAPI5/cdrom removable

cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
mtrr: Pentium Pro MTRR support

uhub8 at uhub0 port 3 "Standard Microsystems product 0x2514" rev2.00/0.00 addr 2uhidev0 at uhub4 port 2 configuration 1 interface 0 "Avocent USBComposite Device-0" rev 1.10/0.00 addr 2

uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0

uhidev1 at uhub4 port 2 configuration 1 interface 1 "Avocent USBComposite Device-0" rev 1.10/0.00 addr 2

uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (962523fdacf1cfbe.a) swap on sd0b dump on sd0b
bnx0: address 84:2b:2b:6d:37:58
brgphy0 at bnx0 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
bnx1: address 84:2b:2b:6d:37:59
brgphy1 at bnx1 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8

random nat, ftp clients and 425: Securiy: Bad IP connecting

Reply via email to