Hi!

On 5.2-stable, I'm trying to set up the stock ftpd(8) on a machine where incoming traffic is not allowed arbitrarily above net.inet.ip.porthifirst, and the clients wish to use passive mode data connections. I thought I could use ftp-proxy(8) to append a pass in rule to the ftp-proxy anchor every time the client issues a PASV command, allowing the passive inbound data connection from the client to the server.

I'm running ftp-proxy(8) and ftpd(8) like this:

    /usr/sbin/ftp-proxy -D 7 -b <server_ip> -p <custom_ftp_port> -R 127.0.0.1 -P 21
    /usr/libexec/ftpd -D -A -ll -4 -n -W -u 027 -d [-P]   # I've tried with and without -P

... and I have this pass in rule in pf.conf for the proxy:

    pass in on $ext_if inet proto tcp from any to $server_ip port <custom_ftp_port>

Although ftpd(8) listens on *.21, pf(4) won't allow connections to port 21, only <custom_ftp_port>, which is what I wanted. The clients can connect and log in alright, but issuing a directory listing and trying to connect using passive mode fails. As it happens, the client's ftp client retries continually to build up the data connection, so I can follow it in the logs and with `pfctl -a "ftp-proxy/*" -sr`. The rules are changing in the anchor, so ftp-proxy updates it, and this is what I see many times again and again in /var/log/ftpd:

    ftpd[21372]: command: PASV
    ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,245,74)
    ftpd[21372]: command: LIST
    ftpd[21372]: <--- 425 Can't build data connection: illegal port number
    ftpd[21372]: command: PASV
    ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,216,51)
    ftpd[21372]: command: LIST
    ftpd[21372]: <--- 425 Can't build data connection: illegal port number
    ftpd[21372]: command: PASV
    ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,232,17)
    ftpd[21372]: command: LIST
    ftpd[21372]: <--- 425 Can't build data connection: illegal port number
    ftpd[21372]: command: PASV
    ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,217,88)
    ftpd[21372]: command: LIST
    ftpd[21372]: <--- 425 Can't build data connection: illegal port number
    ftpd[21372]: command: PASV
    ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,226,231)
    ftpd[21372]: command: LIST
    ftpd[21372]: <--- 425 Can't build data connection: illegal port number

AFAIK the passive ports that the client negotiates with ftp-proxy differ from the ones that ftp-proxy uses with the ftp server, so there cannot be collisions. But evidently I'm missing something here, or I've just stared at the IP addresses and port numbers too long.

Any insight would be very much appreciated,
thanks,
Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
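When debugging a PASV loop like the one in the log above, the first thing to verify is what the server is actually advertising: an RFC 959 `227` reply encodes the data address as six decimal octets, and the port is `p1 * 256 + p2`. The script below is an added example written for this thread, not code from the original post or from OpenBSD; it decodes every `227` reply in an ftpd log, pairs it with the next reply to the data-connection attempt, and checks the advertised port against an assumed `net.inet.ip.porthifirst`/`porthilast` window (49152 to 65535 are assumed defaults, pass your own values). The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the first two PASV/LIST rounds quoted in the post, syslog prefix omitted.
SAMPLE_LOG = """\
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,245,74)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
ftpd[21372]: command: PASV
ftpd[21372]: <--- 227 Entering Passive Mode (127,0,0,1,216,51)
ftpd[21372]: command: LIST
ftpd[21372]: <--- 425 Can't build data connection: illegal port number
"""

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not one.

    Every field must fit in one byte; the port is p1 * 256 + p2.
    """
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("227 reply field out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def audit_pasv_log(text, porthifirst=49152, porthilast=65535):
    """Pair each advertised passive port with the server's next reply to the data command.

    porthifirst/porthilast are assumed values; pass the host's real sysctl settings.
    A reply code starting with 4 or 5 after the PASV is recorded as a failed attempt.
    """
    results = []
    current = None
    for line in text.splitlines():
        pasv = decode_pasv(line)
        if pasv:
            ip, port = pasv
            current = {
                "ip": ip,
                "port": port,
                "in_range": porthifirst <= port <= porthilast,
                "loopback": ip.startswith("127."),
                "outcome": None,
            }
            results.append(current)
        elif current is not None and current["outcome"] is None and "<--- " in line:
            code = line.split("<--- ", 1)[1][:3]
            current["outcome"] = "fail" if code[:1] in ("4", "5") else "ok"
    return results


def summarize(results):
    """Counts a practitioner wants at a glance: attempts, failures, out-of-window ports."""
    return {
        "attempts": len(results),
        "failed": sum(1 for r in results if r["outcome"] == "fail"),
        "out_of_range_ports": [r["port"] for r in results if not r["in_range"]],
        "loopback_advertised": sum(1 for r in results if r["loopback"]),
    }


if __name__ == "__main__":
    audit = audit_pasv_log(SAMPLE_LOG)
    for r in audit:
        print("%s:%d in_range=%s outcome=%s" % (r["ip"], r["port"], r["in_range"], r["outcome"]))
    print(summarize(audit))
```

Run against the quoted lines it reports two attempts, both advertising 127.0.0.1 with ports 62794 and 55347, both inside the assumed high-port window and both answered with a 4xx reply. That is the kind of evidence worth attaching to a follow-up: it separates "the port is outside the allowed window" from "the port is fine but something else rejects the data connection" before anyone starts guessing at pf rules.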