I upgraded an OpenBSD firewall from 4.4 -> 4.5 -> 4.6 in one go, and am noticing that the ftp-proxy is only working sporadically. I keep getting "Can't build data connection: illegal port number" errors when attempting to ftp from a machine inside a NAT to a machine outside the NAT. I thought this was a problem with the ftp-proxy settings, but I've tried ftp-proxy both with and without the "-r" option. I have this problem when connecting to several different ftp servers, including ftp.openbsd.org.
It is strange. It seems that every 3rd connection or so works. The pf.conf has been set up with the anchor rules as per the man page. The fact that every so many attempts at a connection DOES work makes me think that perhaps my setup is correct. Any ideas? This was working properly in 4.4.

The only modification to the pf.conf info from the ftp-proxy man page is this:

rdr pass on $int_if proto tcp from $int_net to any port 21 -> \
    127.0.0.1 port 8021
pass out proto tcp from $proxied_if to any port 21

(where $proxied_if replaces $proxy and represents the external interface)

Here's what I'm running from an OS X machine inside the NAT:

ftp -a ftp.openbsd.org

And here's the debug output from the ftp-proxy.

$ sudo /usr/sbin/ftp-proxy -q bulk -d -D 7
listening on 127.0.0.1 port 8021
#1 accepted connection from 192.168.19.4
#1 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip)
#1 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
#1 client close
#1 ending session
#2 accepted connection from 192.168.19.4
#2 FTP session 1/100 started: client 192.168.19.4 to server 129.128.5.191 via proxy (external ip)
#2 server: 220 openbsd.srv.ualberta.ca FTP server ready.\r\n
#2 client: USER anonymous\r\n
#2 server: 331 Guest login ok, send your email address as password.\r\n
#2 client: PASS sata...@\r\n
#2 server: 230- Welcome to ftp.openbsd.org at the University of Alberta \r\n
#2 server: 230- in Edmonton, Alberta, Canada.\r\n
#2 server: 230- For other mirror sites visit http://www.openbsd.org/ftp.html\r\n
#2 server: 230- \r\n
#2 server: 230- _____ ____ _____ _____\r\n
#2 server: 230- / ___ \\ | _ \\ / ____| __ \\\r\n
#2 server: 230- / / / /___ ___ ____ | |_) | (___ | | | |\r\n
#2 server: 230- / / / / __ \\/ _ \\/ __ \\| _ < \\___ \\| | | |\r\n
#2 server: 230- / /__/ / /_/ / __/ / / /| |_) |____) | |__| |\r\n
#2 server: 230- \\_____/ .___/\\___/_/ /_/ |____/|_____/|_____/\r\n
<snip>
#2 server: 230- \r\n
#2 server: 230- *DO NOT* mirror openbsd from this site! use one of the\r\n
#2 server: 230- "second level mirrors" listed at http://www.openbsd.org/ftp.html\r\n
#2 server: 230- instead of this site. If you mirror from this site you will lose \r\n
#2 server: 230- access to it.\r\n
#2 server: 230- \r\n
#2 server: 230- E-mail comments, questions, trouble reports, and complaints\r\n
#2 server: 230- to b...@openbsd.org. Please drive safely.\r\n
#2 server: 230- \r\n
#2 server: 230 Guest login ok, access restrictions apply.\r\n
#2 client: SYST\r\n
#2 server: 215 UNIX Type: L8 Version: BSD-199306\r\n
#2 client: FEAT\r\n
#2 server: 500 'FEAT': command not understood.\r\n
#2 client: PWD\r\n
#2 server: 257 "/" is current directory.\r\n
#2 client: EPSV\r\n
#2 server: 229 Entering Extended Passive Mode (|||53188|)\r\n
#2 passive: client to server port 53188 via port 51221
#2 proxy: 229 Entering Extended Passive Mode (|||51221|)\r\n
#2 client: LIST\r\n
#2 server: 435 Can't build data connection: illegal port number\r\n
#2 client: EPSV\r\n
#2 server: 229 Entering Extended Passive Mode (|||64075|)\r\n
#2 passive: client to server port 64075 via port 52491
#2 proxy: 229 Entering Extended Passive Mode (|||52491|)\r\n
#2 client: LIST\r\n
#2 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n
#2 server: 226 Transfer complete.\r\n
#2 client: CWD pub\r\n
#2 server: 250 CWD command successful.\r\n
#2 client: PWD\r\n
#2 server: 257 "/pub" is current directory.\r\n
#2 client: EPSV\r\n
#2 server: 229 Entering Extended Passive Mode (|||53365|)\r\n
#2 passive: client to server port 53365 via port 50995
#2 proxy: 229 Entering Extended Passive Mode (|||50995|)\r\n
#2 client: LIST\r\n
#2 server: 435 Can't build data connection: illegal port number\r\n
#2 client: EPSV\r\n
#2 server: 229 Entering Extended Passive Mode (|||56168|)\r\n
#2 passive: client to server port 56168 via port 60721
#2 proxy: 229 Entering Extended Passive Mode (|||60721|)\r\n
#2 client: LIST\r\n
#2 server: 435 Can't build data connection: illegal port number\r\n
#2 client: EPSV\r\n
<etc>
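As an added example (not part of the post above, nor OpenBSD's own code), a small Python triage script that parses ftp-proxy(8) "-d -D 7" output in the format shown in the trace and pairs each rewritten passive port with the server reply it drew, so that on a longer capture the ratio of 435 errors to started transfers, and the proxy-side ports involved, can be read off directly. The log excerpt embedded in it is constructed from the trace above.

```python
import re

# Constructed excerpt in ftp-proxy(8) "-d -D 7" format, modelled on the trace in the post
SAMPLE_LOG = r"""#2 server: 229 Entering Extended Passive Mode (|||53188|)\r\n
#2 passive: client to server port 53188 via port 51221
#2 proxy: 229 Entering Extended Passive Mode (|||51221|)\r\n
#2 client: LIST\r\n
#2 server: 435 Can't build data connection: illegal port number\r\n
#2 server: 229 Entering Extended Passive Mode (|||64075|)\r\n
#2 passive: client to server port 64075 via port 52491
#2 proxy: 229 Entering Extended Passive Mode (|||52491|)\r\n
#2 client: LIST\r\n
#2 server: 150 Opening ASCII mode data connection for '/bin/ls'.\r\n
#2 server: 226 Transfer complete.\r\n
"""

# "#<session> passive: client to server port <server port> via port <proxy port>"
PASSIVE_RE = re.compile(r"^#(\d+) passive: client to server port (\d+) via port (\d+)")
# "#<session> server: <3-digit reply code> ..."
SERVER_RE = re.compile(r"^#(\d+) server: (\d{3})")

def analyse(log):
    """Pair each proxied passive data port with the server's verdict on it.
    Returns (session, server_port, proxy_port, outcome) tuples; outcome is
    "ok" for a 1xx reply (transfer starting) and "fail" for a 4xx/5xx reply."""
    pending = {}  # session -> (server_port, proxy_port) awaiting the data-connection reply
    results = []
    for line in log.splitlines():
        m = PASSIVE_RE.match(line)
        if m:
            sess, sport, pport = m.groups()
            pending[sess] = (int(sport), int(pport))
            continue
        m = SERVER_RE.match(line)
        if m and m.group(1) in pending:
            code = int(m.group(2))
            if 100 <= code < 200:
                outcome = "ok"
            elif code >= 400:
                outcome = "fail"
            else:
                continue  # 2xx/3xx replies to other commands are not the data verdict
            sport, pport = pending.pop(m.group(1))
            results.append((m.group(1), sport, pport, outcome))
    return results

def summarise(results):
    """Count attempts and failures and list the proxy-side ports that drew an error."""
    failed = [pport for _, _, pport, outcome in results if outcome == "fail"]
    return {"attempts": len(results), "failures": len(failed), "failed_proxy_ports": failed}
```

Feed it a full capture (sys.stdin.read() in place of SAMPLE_LOG) and compare the failed proxy ports against the rdr/anchor rules and pf state table to see whether the failing data connections are ever reaching the server.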