From xdivac02@stud.fit.vutbr.cz  Wed Sep  8 10:31:13 2004
Return-Path: <xdivac02@stud.fit.vutbr.cz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4F31916A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Sep 2004 10:31:13 +0000 (GMT)
Received: from eva.fit.vutbr.cz (eva.fit.vutbr.cz [147.229.10.14])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1E3D643D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  8 Sep 2004 10:31:12 +0000 (GMT)
	(envelope-from xdivac02@stud.fit.vutbr.cz)
Received: from eva.fit.vutbr.cz (localhost [127.0.0.1])
	by eva.fit.vutbr.cz (8.12.11/8.12.11) with ESMTP id i88AV85p031776
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 8 Sep 2004 12:31:08 +0200 (CEST)
Received: (from xdivac02@localhost)
	by eva.fit.vutbr.cz (8.12.11/8.12.5/Submit) id i88AV7Xj031775;
	Wed, 8 Sep 2004 12:31:07 +0200 (CEST)
Message-Id: <200409081031.i88AV7Xj031775@eva.fit.vutbr.cz>
Date: Wed, 8 Sep 2004 12:31:07 +0200 (CEST)
From: Divacky Roman <xdivac02@stud.fit.vutbr.cz>
Reply-To: Divacky Roman <xdivac02@stud.fit.vutbr.cz>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ftp-proxy or rdr@pf not working
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         71490
>Category:       bin
>Synopsis:       ftp-proxy or rdr@pf not working
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mlaier
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 10:40:24 GMT 2004
>Closed-Date:    Sat Sep 11 15:02:16 GMT 2004
>Last-Modified:  Sat Sep 11 15:02:16 GMT 2004
>Originator:     Divacky Roman
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
home
>Environment:
FreeBSD queeg500 5.3-BETA3 FreeBSD 5.3-BETA3 #5: Tue Sep  7 13:01:38 CEST 2004
   rdivacky@queeg500:/usr/obj/usr/src/sys/QUEEG  i386


	
>Description:
I've got the following problem with this pf.conf:
ext_if="vr0"
int_if="xl0"

#normalize packets
scrub in all

altq on $ext_if bandwidth 256Kb cbq queue {ssh_i web other} 
queue ssh_i bandwidth 25% cbq(borrow ecn)
queue web bandwidth 25% cbq(borrow ecn)
queue other bandwidth 50% cbq(borrow default ecn)

#nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
#ftp redirection
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#rules
#default to block all
#block in on $ext_if all
#pass all out while keeping state. and queue it
pass out on $ext_if from any to any keep state queue other
#queuing
pass on $ext_if proto tcp from any to any port ssh keep state queue(ssh_i, other)
pass out on $ext_if proto tcp from any to any port http keep state queue web
#ftp proxy
pass in on $ext_if inet proto tcp from any to any user proxy keep state queue other
#allow icmp
pass in on $ext_if inet proto icmp from any to any

(notice that it's in fact a pass-all configuration)
and a properly configured inetd to run ftp-proxy. I tried to debug inetd;
it waited in this:
574                 if ((n = select(maxsock + 1, &readable, (fd_set *)0,
(gdb)

then on the machine behind NAT I issued the ftp command... the select stayed the
same (i.e. no packets arrived) and in pfctl -sa I found this:
STATES:
self tcp 127.0.0.1:8021 <- 195.113.15.29:21 <- 10.0.0.2:60059 CLOSED:SYN_SENT
so the connection was established but then died for an unknown reason

so I suppose there's something rotten in pf/ftp-proxy... (since the
configuration is correct)

the FreeBSD in question is 6-CURRENT as of:
witten inetd# uname -a
FreeBSD witten 6.0-CURRENT FreeBSD 6.0-CURRENT #123: Mon Sep  6 15:42:35 CEST
2004     root@witten:/usr/obj/usr/src/sys/NEOLOGISM  i386

but I also got it on RELENG_5

Simply said, ftp-proxy (used to provide FTP access to external FTP servers for machines
behind NAT) doesn't work (at least for me).

Thanks for looking at it.

>How-To-Repeat:
try to set up ftp-proxy using my pf.conf and use ftp from machines behind
the NAT...

>Fix:

I am not aware of any fix

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->mlaier 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Wed Sep 8 11:36:59 GMT 2004 
Responsible-Changed-Why:  
pf -> take over. Might be due to the pfil changes for ipfw ... I'll look 
into it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71490 

From: Jiri Mikulas <jiri@mikulas.com>
To: freebsd-gnats-submit@FreeBSD.org, xdivac02@stud.fit.vutbr.cz
Cc:  
Subject: Re: bin/71490: ftp-proxy or rdr@pf not working
Date: Fri, 10 Sep 2004 14:38:58 +0200

 Suggestion: I think this can be related to the IPFIREWALL_FORWARD define since
 ipfw is now pfil-based.
 Although I've tried it and it made no difference... just a suggestion.
State-Changed-From-To: open->feedback 
State-Changed-By: mlaier 
State-Changed-When: Fri Sep 10 21:38:55 GMT 2004 
State-Changed-Why:  
Not reproducible with RELENG_5. rdr works perfectly with CURRENT. 
Please recheck your configuration. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71490 

From: Max Laier <max@love2party.net>
To: freebsd-gnats-submit@FreeBSD.org, xdivac02@stud.fit.vutbr.cz
Cc:  
Subject: Re: bin/71490: ftp-proxy or rdr@pf not working
Date: Fri, 10 Sep 2004 23:30:27 +0200

 This is definitely *not* an issue with RELENG_5 as of today:
  FreeBSD router.laiers.local 5.3-BETA3 FreeBSD 5.3-BETA3 #0:
  Fri Sep 10 22:04:47 CEST 2004 - i386
 
 I don't see critical commits in CURRENT that have not been MFC'ed yet, so it'd 
 surprise me if ftp-proxy would behave differently in CURRENT. That aside, rdr 
 to localhost does work perfectly in CURRENT (and so does rdr to elsewhere 
 once net.inet.ip.forwarding is enabled).
 
 IPFIREWALL_FORWARD has nothing to do with pf, it only adds additional 
 processing for ipfw specific mbuf tags.
 
 Please recheck your configuration. You might want to post to 
 pf4freebsd@freelists.org to get broader review.
 
 --
  Max
State-Changed-From-To: feedback->closed 
State-Changed-By: mlaier 
State-Changed-When: Sat Sep 11 15:00:50 GMT 2004 
State-Changed-Why:  
Seems to be a setup error. Please use the mailinglist(s) to get further help. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71490 
>Unformatted:
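Added example, not code from the PR, from FreeBSD or from pf: a small parser and triage helper for pf state entries in the old pfctl output format quoted in the Description above. It assumes that an inbound translated state is printed as "lan <- gwy <- ext" (local endpoint after rdr, the destination the client originally dialled, the client) and that the TCP state pair lists the left-hand endpoint first; under that reading the quoted entry says the client's SYN was redirected to 127.0.0.1:8021 and no SYN-ACK ever came back. That is the first thing to verify on the box (is anything bound to 127.0.0.1:8021 in sockstat -4l, does pfctl -s nat show the rdr rule) before suspecting pf itself. The two extra sample lines are constructed to exercise the outbound NAT and untranslated cases.

```python
"""Parser and triage helper for pf state entries in the old pfctl output
format quoted in this PR.  Added example, not code from the PR or from
FreeBSD/pf.  The line layout it assumes (an assumption, not documented here):

    <ifname> <proto> <lan> <- <gwy> <- <ext> <state>   inbound, rdr applied
    <ifname> <proto> <lan> -> <gwy> -> <ext> <state>   outbound, nat applied
    <ifname> <proto> <lan> <- <ext> <state>            inbound, untranslated
    <ifname> <proto> <lan> -> <ext> <state>            outbound, untranslated

For an inbound rdr state 'lan' is the local endpoint after translation,
'gwy' the destination the client originally dialled and 'ext' the client;
the state pair is taken to name the left-hand endpoint first.  IPv4 is
"addr:port", IPv6 "addr[port]".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_ENDPOINT = re.compile(
    r"^(?:(?P<a4>\d{1,3}(?:\.\d{1,3}){3}):(?P<p4>\d+)"
    r"|(?P<a6>[0-9A-Fa-f:]+)\[(?P<p6>\d+)\])$")


@dataclass
class Endpoint:
    addr: str
    port: int


@dataclass
class PfState:
    ifname: str
    proto: str
    direction: str            # "in" or "out"
    lan: Endpoint             # local side (post-translation when gwy is set)
    gwy: Optional[Endpoint]   # translated address, None if no nat/rdr matched
    ext: Endpoint             # remote side
    left_state: str           # protocol state of the lan endpoint
    right_state: str          # protocol state of the ext endpoint

    @property
    def translated(self) -> bool:
        return self.gwy is not None


def parse_endpoint(token: str) -> Endpoint:
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"bad endpoint: {token!r}")
    addr = m.group("a4") or m.group("a6")
    port = int(m.group("p4") or m.group("p6"))
    return Endpoint(addr, port)


def parse_state_line(line: str) -> PfState:
    f = line.split()
    if len(f) < 6:
        raise ValueError(f"too few fields: {line!r}")
    ifname, proto, state = f[0], f[1], f[-1]
    hosts, arrows = f[2:-1:2], f[3:-1:2]     # alternating host / arrow tokens
    if (len(hosts) not in (2, 3) or len(arrows) != len(hosts) - 1
            or len(set(arrows)) != 1 or arrows[0] not in ("->", "<-")):
        raise ValueError(f"unrecognised hop layout: {line!r}")
    eps = [parse_endpoint(h) for h in hosts]
    lan, ext = eps[0], eps[-1]
    gwy = eps[1] if len(eps) == 3 else None
    left, _, right = state.partition(":")
    return PfState(ifname, proto, "out" if arrows[0] == "->" else "in",
                   lan, gwy, ext, left, right)


def diagnose(st: PfState) -> str:
    """One-line verdict; the unanswered-rdr case is the one this PR shows."""
    if (st.proto == "tcp" and st.direction == "in" and st.translated
            and st.left_state == "CLOSED" and st.right_state == "SYN_SENT"):
        return (f"unanswered rdr: SYN from {st.ext.addr}:{st.ext.port} for "
                f"{st.gwy.addr}:{st.gwy.port} was redirected to "
                f"{st.lan.addr}:{st.lan.port}, no SYN-ACK seen")
    if st.proto == "tcp" and st.left_state == st.right_state == "ESTABLISHED":
        return "established"
    return f"{st.left_state}:{st.right_state}"


def triage(text: str) -> List[Tuple[str, str]]:
    """Parse every state line of a pfctl dump (the bare 'STATES:' banner of
    pfctl -sa is skipped) and pair it with its verdict."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or (line.endswith(":") and " " not in line):
            continue
        out.append((line, diagnose(parse_state_line(line))))
    return out


# Constructed sample: the first line is the entry quoted in the PR, the other
# two are made up to show a NAT'ed outbound state and an untranslated one.
SAMPLE = """\
STATES:
self tcp 127.0.0.1:8021 <- 195.113.15.29:21 <- 10.0.0.2:60059 CLOSED:SYN_SENT
vr0 tcp 10.0.0.2:52011 -> 192.0.2.1:52011 -> 198.51.100.7:80 ESTABLISHED:ESTABLISHED
vr0 udp 192.0.2.1:53 <- 198.51.100.9:50123 SINGLE:MULTIPLE
"""

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE):
        print(f"{verdict}\n    {line}")
```

Run it as-is to see the three verdicts, or feed it the output of pfctl -s state from the router; when the rdr entry comes back as unanswered, check the listener and the rdr rule before reading pf or ftp-proxy source.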
