Dear Listers

The installation here is

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008

On this OpenBSD we essentially have a pf firewall and an ftp proxy
running. The ftp proxy transfers to an internal ftp server.

So far, everything worked OK. Then, a fortnight ago, we started to change
the backbone ISP, so we had to change IP addresses. That's where the trouble
started:

ftp access from the Internet is limited to approx. two days after a system
reboot, e.g., I rebooted the system the day before yesterday, and then
everything was fine: from the Internet we could open connections to the
ftp server at will. But since this morning, from the Internet, no ftp
connection to the ftp server is possible any more.

I usually do a traceroute on the pflog of the firewall to check whether the
packet which initiates the call to the ftp proxy passes OK.
Yes, it does pass the firewall.
Behind that, I do a ktrace/kdump of the corresponding ftp proxy process,
and yes, the ftp proxy does NOT react to any incoming call.
I then connect via ssh to an outside host (which is in the same subnet as
the external interface of the firewall), and, no problem, from there, ftp
connections to the ftp server via the firewall are possible.

The firewall configuration is as follows:

[r...@firewall ~]$ firewall.sh nat
no nat on rl0 inet from any to 192.168.97.0/24
nat on rl0 from ! (rl0) to any -> (rl0:0)
nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr pass on vr0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
rdr on rl0 inet proto tcp from ! <unwanted_ftp> to any port = ftp -> 127.0.0.1 port 8021
[r...@firewall ~]$

The last rdr rule does the forwarding, for the hosts we allow access from,
of the ftp port to port 8021 on localhost, where the ftp proxy listens.

[r...@firewall ~]$ firewall.sh rules
scrub in all fragment reassemble
block drop in log all
block drop in log quick on rl0 proto tcp from <unwanted_ftp> to any
pass quick on vr0 all flags S/SA keep state
pass log quick on rl0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
pass log quick on rl0 inet proto udp from 192.168.97.0/24 to any port = snmp keep state
pass quick on rl0 inet proto icmp all icmp-type echoreq keep state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = 8080 flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = https flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = www flags S/SA synproxy state
pass in quick on rl0 inet proto tcp from 192.168.97.0/24 to any port = smtp flags S/SA synproxy state
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! vr0 inet from 192.168.97.0/24 to any
block drop in quick inet from 192.168.97.2 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on vr0 inet6 from fe80::216:17ff:fe6e:dc0e to any
[r...@firewall ~]$

The fifth line allows packets on port 8021 to pass through.


The first dump shows that the connection from the host in the same subnet
as the external interface of the firewall is possible:

[myu...@otherhost ~]$ ftp ftx.mydomain.com
Connected to ftx.mydomain.com (aaa.bbb.206.130).
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:08. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (ftx.mydomain.com:myuser): joe
331 User joe OK. Password required
Password:
230-User joe has group access to:  webdesign
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
[myu...@otherhost ~]$


Now I move to a workstation out on the Internet, on a dial-up connection.

I get the IP Address ccc.ddd.217.153, which is not in <unwanted_ftp>:
[r...@firewall ~]$ grep "ccc.ddd.217.153" /etc/unwanted_ftp
[r...@firewall ~]$

Then I invoke ftp from the above address:

[r...@rosetta ~]# ftp ftx.mydomain.com
ftp: connect: Connection timed out
ftp> quit
[r...@rosetta

Meanwhile, on the firewall I peep into the pflog:

tcpdump: listening on pflog0, link-type PFLOG
Feb 08 12:18:53.483352 rule 4/(match) [uid 0, pid 15736] pass in on rl0: ccc.ddd.217.153.52580 > 127.0.0.1.8021: S [tcp sum ok] (src OS: Linux 2.6.1-7, Linux 2.4) 710621706:710621706(0) win 5840 <mss 1452,sackOK,timestamp 42953264 0,nop,wscale 5> (DF) (ttl 55, id 20538, len 60, bad cksum 23dc! differs by b424)

NOTE that tcpdump records a bad checksum for the respective packet. But
this bad checksum is in the pflog and not on the interface, as far as I
have learned from googling around.


And the ktrace/kdump combination shows this:

[r...@firewall ~]$ kdump -l
 24163 ftp-proxy EMUL  "native"
^C
[r...@firewall ~]$

Nothing happens; no action on the ftp-proxy side.

What am I missing in this config? After I reboot the firewall, ftp
connections from the Internet into the ftp server are possible for quite
some time, and then, all at once, no more.



suomi

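The pflog record quoted in the post is the only evidence pf itself gives about the rdr'd SYN, and a single line is easy to misread once it has been wrapped by a mail client. The script below is an added example (not part of suomi's post and not an OpenBSD tool): it re-joins mail-wrapped `tcpdump -n -e -ttt -i pflog0` output, parses each record into verdict, rule number, interface, endpoints and TCP flags, and then summarises the capture by (action, rule, destination port) and counts, per source, the SYNs pf passed to the proxy port. Repeated SYNs from the same source and port to 127.0.0.1:8021, all passed by the same rule, mean pf is doing its part and nobody behind the rdr answers. The `bad cksum` marker is recorded but kept separate from the verdict, since pf had already passed the packet when it was logged. pf numbers rules from 0 in the order `pfctl -sr` prints them, which is why the post's "fifth line" shows up as rule 4. `SAMPLE_PFLOG` is constructed to mimic the post's capture with documentation-range addresses, and the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, not the post's capture: the first record is deliberately
# wrapped mid-token ("Linux 2.6" / ".1-7") the way a mail client did in the post.
SAMPLE_PFLOG = """\
Feb 08 12:18:53.483352 rule 4/(match) [uid 0, pid 15736] pass in on rl0: 203.0.113.153.52580 > 127.0.0.1.8021: S [tcp sum ok] (src OS: Linux 2.6
.1-7, Linux 2.4) 710621706:710621706(0) win 5840 <mss 1452,sackOK,timestamp 42953264 0,nop,wscale 5> (DF) (ttl 55, id 20538, len 60, bad cksum 23dc! differs by b424)
Feb 08 12:18:56.101010 rule 4/(match) [uid 0, pid 15736] pass in on rl0: 203.0.113.153.52580 > 127.0.0.1.8021: S [tcp sum ok] 710621706:710621706(0) win 5840 <mss 1452,sackOK,timestamp 42956264 0,nop,wscale 5> (DF) (ttl 55, id 20539, len 60, bad cksum 23dc! differs by b424)
Feb 08 12:19:02.000000 rule 1/(match) block in on rl0: 198.51.100.7.4444 > 192.0.2.130.22: S [tcp sum ok] 1:1(0) win 1024 (ttl 60, id 1, len 40)
Feb 08 12:19:10.500000 rule 2/(match) block in on rl0: 198.51.100.9.40000 > 192.0.2.130.21: S [tcp sum ok] 5:5(0) win 5840 (ttl 50, id 7, len 60)
"""

# Every pflog record written by tcpdump -ttt starts with "Mon DD HH:MM:SS.uuuuuu".
TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+ ")

# Header of a TCP record as printed with -e on pflog0: verdict, rule, direction,
# interface, then "src.port > dst.port: <flags> ...".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?:\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] )?"
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def unwrap(text):
    """Re-join mail-wrapped records: a line without a timestamp continues the previous one.
    The joined tail is only scanned for the flags token and the 'bad cksum' marker, so
    joining with a space is safe even when the wrap fell inside a token."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def split_endpoint(endpoint):
    """'203.0.113.153.52580' -> ('203.0.113.153', '52580'); without -n the port is a name."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_pflog(text):
    """Parse TCP pflog records into dicts; records that do not match are skipped."""
    out = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        d = m.groupdict()
        d["src_ip"], d["src_port"] = split_endpoint(d.pop("src"))
        d["dst_ip"], d["dst_port"] = split_endpoint(d.pop("dst"))
        rest = d.pop("rest")
        d["flags"] = rest.split()[0] if rest else ""   # "S", "S.", ".", "P", ...
        d["bad_cksum"] = "bad cksum" in rest           # tcpdump's verdict, not pf's
        d["rule"] = int(d["rule"])                     # 0-based index into pfctl -sr
        out.append(d)
    return out


def summarize(records):
    """Count logged records by (action, rule number, destination port)."""
    return Counter((r["action"], r["rule"], r["dst_port"]) for r in records)


def syn_sources(records, dst_port, action="pass"):
    """Per source IP, how many SYNs pf gave the given verdict for dst_port.
    Several SYNs from one source/port pair are client retransmits: pf let them
    through, and whatever listens behind the rdr never completed the handshake."""
    hits = Counter(
        r["src_ip"] for r in records
        if r["action"] == action and r["dst_port"] == dst_port and r["flags"] == "S"
    )
    return dict(hits)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (action, rule, port), n in sorted(summarize(recs).items()):
        print(f"{action:5} rule {rule:<2} dst port {port:>5}: {n}")
    print("SYNs passed to 8021 per source:", syn_sources(recs, "8021"))
```

Feed it a real capture with `parse_pflog(open("pflog.txt").read())`; the rule numbers it reports line up with `pfctl -vvsr`, which prints each rule with its `@N` index.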