#4
Old 18th April 2021
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,785

I had the impression that your issue was not very regular and only concerned you, hence my advice.

Please note that the following is on OpenBSD. FreeBSD uses an older version of pf and ftp-proxy.
To help in debugging and visualizing what is exactly going on you can do several things:

You can start ftp-proxy with the not-daemonize option -d to stay in the foreground and log to stderr. With the highest debugging level -D7 you get output like:
Code:
#1 client: CWD snapshots\r\n
#1 server: 250 Directory successfully changed.\r\n
#1 client: CWD amd64\r\n
#1 server: 250 Directory successfully changed.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Switching to Binary mode.\r\n
#1 client: SIZE bsd.rd\r\n
#1 server: 213 4205697\r\n
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||51575|).\r\n
#1 passive: client to server port 51575 via port 61751
#1 proxy: 229 Entering Extended Passive Mode (|||61751|)\r\n
#1 client: RETR bsd.rd\r\n
#1 server: 150 Opening BINARY mode data connection for bsd.rd (4205697 bytes).\r\n
#1 server: 226 Transfer complete.\r\n
#1 client: MDTM bsd.rd\r\n
With the lower level -D6 you get less:
Code:
root@alix[~]/usr/sbin/ftp-proxy -T FTP_DATA -d -D6

listening on 127.0.0.1 port 8021
#1 FTP session 1/100 started: client 192.168.222.242 to server 213.136.12.213 
   via proxy 192.168.2.3
#1 passive: client to server port 64749 via port 53235
#1 passive: client to server port 36316 via port 51977
#1 passive: client to server port 55342 via port 55731
#1 server close
#1 ending session
You can view the rules that ftp-proxy attaches to the ftp-anchor with a simple script:
Code:
#!/bin/sh
# Dump the rules in the ftp-proxy anchor every PAUSE seconds to LOG
LOG=/var/log/anchor-log

#exec >${LOG} 2>&1     # truncate the log on every start
exec >>${LOG} 2>&1     # append to the log

# optional first argument: seconds between dumps (default 3)
if [ "x$1" = "x" ] ; then
   PAUSE=3
else
   PAUSE=$1
fi

while true ; do
   date
   pfctl -a 'ftp-proxy/*' -vvsr
   sleep $PAUSE
done
# ----
To watch the log you run # tail -f /var/log/anchor-log in another xterm.
Code:
Sun Apr 18 22:55:39 CEST 2021
anchor "30846.1" all {
@0 match in on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213
 port = 60225 flags S/SA keep state (max 1) tag FTP_DATA rtable 0 
  rdr-to 213.136.12.213 port 59339
  [ Evaluations: 33        Packets: 5203      Bytes: 5349616     States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
@1 match out on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213
  port = 59339 flags S/SA keep state (max 1) tag FTP_DATA 
  nat-to 192.168.2.3
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
}
Keep in mind that in your case, on FreeBSD, the rules will be different ....

BTW On home networks that have an external ftp server in a DMZ, people run two instances of ftp-proxy (each on a separate port), one for the external clients connecting to the DMZ server. The other one is for local home network users to use ftp servers on the internet.
That makes it easier to manage and create rules. Not sure if that would be helpful in your case.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
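The post shows two views of the same thing: the "passive: client to server port X via port Y" lines that ftp-proxy prints with -d -D6/-D7, and the rdr-to/nat-to rules it inserts into its anchor as shown by pfctl -a 'ftp-proxy/*' -vvsr. The script below is an added example, not code from the post or from the ftp-proxy project; it condenses the anchor dump to one line per rule and then checks that every passive mapping ftp-proxy reported has a matching rdr-to rule in the anchor. It assumes the output formats exactly as shown in the post, and it assumes (from the post's own dump, where the rule for proxy port 60225 redirects to server port 59339) that a line "via port Y ... port X" corresponds to a rule "port = Y ... rdr-to ... port X". The two sample inputs are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not code from the post: summarise the rules ftp-proxy has
# inserted into its anchor (output of `pfctl -a 'ftp-proxy/*' -vvsr`) and
# check them against the "passive:" lines ftp-proxy prints with -d -D6/-D7.
# Both samples below are constructed from the dumps in the post.

SAMPLE_ANCHOR='anchor "30846.1" all {
@0 match in on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213
 port = 60225 flags S/SA keep state (max 1) tag FTP_DATA rtable 0
  rdr-to 213.136.12.213 port 59339
  [ Evaluations: 33        Packets: 5203      Bytes: 5349616     States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
@1 match out on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213
  port = 59339 flags S/SA keep state (max 1) tag FTP_DATA
  nat-to 192.168.2.3
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
}'

# Constructed ftp-proxy debug lines: the first matches rule @0 above (proxy
# port 60225 redirected to server data port 59339); the second has no rule.
SAMPLE_PROXY_LOG='#1 passive: client to server port 59339 via port 60225
#1 passive: client to server port 36316 via port 51977'

# summarize_anchor: read a pfctl anchor dump on stdin, print one line per rule:
#   <rule> <direction> <src> <dst>:<dst port> <rdr-to|nat-to> <target> packets=<n>
summarize_anchor() {
    awk '
    function flush() {
        if (rule != "")
            printf "%s %s %s %s:%s %s %s packets=%s\n", rule, dir, src, dst, port, act, tgt, pkts
        rule = ""; port = ""; act = ""; tgt = ""; pkts = "0"
    }
    /^@[0-9]+ / {                          # start of a rule: "@0 match in on ..."
        flush()
        rule = $1; dir = $3
        for (i = 1; i <= NF; i++) {
            if ($i == "from") src = $(i + 1)
            if ($i == "to")   dst = $(i + 1)
            if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
        }
        next
    }
    /^[ \t]*port = / { port = $3; next }   # continuation line carrying the port
    /^[ \t]*(rdr-to|nat-to) / {            # the translation the rule applies
        act = $1; tgt = $2
        if ($3 == "port") tgt = tgt ":" $4
        next
    }
    /Packets:/ {                           # counters line: keep the packet count
        for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
        next
    }
    END { flush() }
    '
}

# check_passive: for each ftp-proxy "passive:" line on stdin, look for a rdr-to
# rule in the anchor summary ($1) that redirects the proxy port to the server
# data port, and report "ok" or "missing" for that mapping.
check_passive() {
    anchor_summary=$1
    while read -r line; do
        case $line in
            *" passive: client to server port "*) ;;
            *) continue ;;
        esac
        set -- $line             # word 7 = server data port, word 10 = proxy port
        srvport=$7
        viaport=${10}
        if printf '%s\n' "$anchor_summary" |
           grep -q "^@[0-9]* in [^ ]* [^ ]*:${viaport} rdr-to [^ ]*:${srvport} "; then
            echo "$viaport -> $srvport: ok"
        else
            echo "$viaport -> $srvport: missing"
        fi
    done
}

# Stand-alone run over the constructed samples. On a live system feed the real
# output instead, e.g.  pfctl -a 'ftp-proxy/*' -vvsr | summarize_anchor
summary=$(printf '%s\n' "$SAMPLE_ANCHOR" | summarize_anchor)
printf '%s\n' "$summary"
printf '%s\n' "$SAMPLE_PROXY_LOG" | check_passive "$summary"
```

Because ftp-proxy -d writes its debug output to stderr, a live check looks like `ftp-proxy -T FTP_DATA -d -D6 2>&1 | check_passive "$(pfctl -a 'ftp-proxy/*' -vvsr | summarize_anchor)"`; a "missing" line means ftp-proxy announced a passive mapping for which no rdr-to rule is present in the anchor at the moment of the dump, which is exactly the kind of mismatch the periodic anchor log in the post is meant to reveal.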