Bug #863
closedfloating rules breaks passive mode ftp
0%
Description
I have a floating rule that allows port 21 traffic to an ftp server, and later on a catch-all floating rule to deny all other traffic to that server's subnet, both have "quick" option set. This causes the ftp proxy to break (the port 21 connection works, but passive mode connections are blocked). A similar rule configuration for inbound traffic on an interface works fine, just the floating rules have the problem.
Files
Updated by Jesse Norell over 14 years ago
Sorry, this is on 2.0-BETA4 from Aug 30.
Updated by Ermal Luçi over 14 years ago
Please show traces of traffic.
Provide either rules screenshots or the /tmp/rules.debug content.
And please also specify what ftp-proxy is?
Updated by Jesse Norell over 14 years ago
- File packetcapture_3_.cap packetcapture_3_.cap added
Please show traces of traffic.
See attached pcap file. That is me connecting/logging in to the ftp server, issuing the "passive" command, then attempting a directory listing. In passive mode ftp, the ftp server tells the client what port to connect to to receive data (either file contents or in this case the directory listing), which was port 39898 in this case - the last two packets show my client trying to connect to port 39898 as the server instructed, but pfsense sent a RST instead of allowing the connection.
Provide either rules screenshots or the /tmp/rules.debug content.
This is the most reduced test case I can think of, and is from the rules in use at the time the attached packet capture was taken:
$ cat /tmp/rules.debug #System aliases loopback = "{ lo0 }" WAN = "{ re0 }" LAN = "{ re1 }" #SSH Lockout Table table <sshlockout> persist #Snort2C table table <snort2c> table <virusprot> # User Aliases # Gateways GWWANGW = " route-to ( re0 64.187.71.1 ) " set loginterface re0 set loginterface re1 set optimization normal set limit states 97000 set skip on pfsync0 scrub in on $WAN all fragment reassemble scrub in on $LAN all fragment reassemble nat-anchor "natearly/*" nat-anchor "natrules/*" # Outbound NAT rules # Load balancing anchor rdr-anchor "relayd/*" # TFTP proxy rdr-anchor "tftp-proxy/*" table <direct_networks> { 64.187.71.0/24 64.187.65.72/30 } # UPnPd rdr anchor rdr-anchor "miniupnpd" anchor "relayd/*" anchor "firewallrules" #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in log all label "Default deny rule" block out log all label "Default deny rule" # We use the mighty pf, we cannot be fooled. block quick proto { tcp, udp } from any port = 0 to any block quick proto { tcp, udp } from any to any port = 0 # Block all IPv6 block in quick inet6 all block out quick inet6 all # snort2c block quick from <snort2c> to any label "Block snort2c hosts" block quick from any to <snort2c> label "Block snort2c hosts" # package manager early specific hook anchor "packageearly" # carp anchor "carp" # SSH lockout block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout" block in quick from <virusprot> to any label "virusprot overload table" antispoof for re0 antispoof for re1 # allow access to DHCP server on LAN anchor "dhcpserverLAN" pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server" pass in on $LAN proto udp from any port = 68 to 64.187.65.73 port = 67 label "allow access to DHCP server" pass out on $LAN proto udp from 64.187.65.73 port = 67 to any port = 68 label "allow access to DHCP server" anchor "spoofing" # loopback anchor "loopback" pass in on $loopback all label "pass loopback" pass out on $loopback all label "pass loopback" anchor "firewallout" # let out anything from the firewall host itself and decrypted IPsec traffic pass out all keep state allow-opts label "let out anything from firewall host itself" pass out route-to ( re0 64.187.71.1 ) from 64.187.71.4 to !64.187.71.0/24 keep state allow-opts label "let out anything from firewall host itself" # make sure the user cannot lock himself out of the webConfigurator or SSH anchor "anti-lockout" pass in quick on re1 from any to (re1) keep state label "anti-lockout rule" # User-defined rules follow pass out quick on { re1 } proto tcp from any to 64.187.65.72/30 port 21 flags S/SA keep state label "USER_RULE: Allow connections to FTP server" block return out log quick on { re1 } from any to any label "USER_RULE: default reject all" pass in quick on $WAN reply-to ( re0 64.187.71.1 ) from any to any keep state label "USER_RULE" pass in quick on $LAN from 64.187.65.72/30 to any keep state label "USER_RULE: Default allow LAN to any rule" # WANLAN Incominh array key does not exist for label "USER_RULE" # WANLAN Incominh array key does not exist for label "USER_RULE" # VPN Rules # package manager late specific hook anchor "packagelate" anchor "tftp-proxy/*" anchor "limitingesr" # uPnPd anchor "miniupnpd"
And please also specify what ftp-proxy is?
Perhaps "ftp helper" is more accurate. pfSense 1.2 had a user-space ftp proxy application to make the various ports/connections in the different ftp modes work, but a touted feature of 2.0 is "LIBALIAS based in-kernel FTP helper" .. from what I gather it "just works" now, with no configuration to do; and it does work for interface rules, just not floating rules.
Updated by Ermal Luçi over 14 years ago
Can you show me an pfctl -vvss when this happens.
Seems the automatic handling might be creating the state wrongly for the data traffic.
Updated by Jesse Norell over 14 years ago
This is pfctl -vvss output (note the data connection was 64.187.64.40:56329 -> 64.187.65.74:41768 this time):
$ pfctl -vvss all icmp 64.187.71.4:27192 -> 64.187.71.1 0:0 age 00:02:56, expires in 00:00:09, 173:172 pkts, 11072:11008 bytes id: 4c7d77bc00000000 creatorid: 7581b730 all udp 64.187.71.4:36250 -> 70.86.250.6:123 MULTIPLE:MULTIPLE age 00:02:41, expires in 00:00:00, 9:9 pkts, 684:684 bytes, rule 32 id: 4c7d77bc00000011 creatorid: 02ecc9b1 all udp 64.187.71.4:55960 -> 67.18.187.111:123 MULTIPLE:MULTIPLE age 00:02:41, expires in 00:00:05, 9:9 pkts, 684:684 bytes, rule 32 id: 4c7d77bc00000012 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:50924 FIN_WAIT_2:FIN_WAIT_2 [2637432600 + 64128] wscale 3 [2306417932 + 66607] wscale 6 age 00:02:40, expires in 00:00:00, 149:205 pkts, 13009:202847 bytes, rule 34 id: 4c7d77bc00000013 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:50925 FIN_WAIT_2:FIN_WAIT_2 [2999960964 + 64128] wscale 3 [2301946297 + 66607] wscale 6 age 00:02:40, expires in 00:00:32, 140:205 pkts, 16141:162625 bytes, rule 34 id: 4c7d77bc00000014 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:50927 FIN_WAIT_2:FIN_WAIT_2 [328449356 + 62592] wscale 3 [2305667688 + 66607] wscale 6 age 00:02:40, expires in 00:00:00, 81:112 pkts, 10770:77231 bytes, rule 34 id: 4c7d77bc00000016 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:50928 FIN_WAIT_2:FIN_WAIT_2 [1562102134 + 64128] wscale 3 [2313936231 + 66607] wscale 6 age 00:02:40, expires in 00:00:00, 144:186 pkts, 14094:169815 bytes, rule 34 id: 4c7d77bc00000017 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:34909 FIN_WAIT_2:FIN_WAIT_2 [3475447758 + 48576] wscale 3 [3926143046 + 66607] wscale 6 age 00:00:57, expires in 00:01:17, 39:51 pkts, 2760:64837 bytes, rule 34 id: 4c7d77bc00000026 creatorid: 02ecc9b1 all udp 255.255.255.255:67 <- 0.0.0.0:68 NO_TRAFFIC:SINGLE age 00:00:56, expires in 00:00:12, 5:0 pkts, 1640:0 bytes, rule 23 id: 4c7d77bc00000027 creatorid: 02ecc9b1 all tcp 64.187.65.74:21 <- 64.187.64.40:52913 ESTABLISHED:ESTABLISHED [163893870 + 6912] wscale 6 [2567153661 + 5824] wscale 6 age 00:00:23, expires in 23:59:55, 14:14 pkts, 768:1675 bytes, rule 37 id: 4c7d77bc00000028 creatorid: 02ecc9b1 all tcp 64.187.64.40:52913 -> 64.187.65.74:21 ESTABLISHED:ESTABLISHED [2567153661 + 5824] wscale 6 [163893870 + 6912] wscale 6 age 00:00:23, expires in 23:59:55, 14:14 pkts, 768:1675 bytes, rule 35 id: 4c7d77bc00000029 creatorid: 02ecc9b1 all udp 64.187.64.4:53 <- 64.187.65.74:48937 SINGLE:MULTIPLE age 00:00:23, expires in 00:00:07, 1:1 pkts, 71:165 bytes, rule 38 id: 4c7d77bc0000002a creatorid: 02ecc9b1 all udp 64.187.65.74:48937 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:23, expires in 00:00:07, 1:1 pkts, 71:165 bytes, rule 31 id: 4c7d77bc0000002b creatorid: 02ecc9b1 all udp 64.187.64.4:53 <- 64.187.65.74:53085 SINGLE:MULTIPLE age 00:00:23, expires in 00:00:07, 1:1 pkts, 58:142 bytes, rule 38 id: 4c7d77bc0000002c creatorid: 02ecc9b1 all udp 64.187.65.74:53085 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:23, expires in 00:00:07, 1:1 pkts, 58:142 bytes, rule 31 id: 4c7d77bc0000002d creatorid: 02ecc9b1 all udp 255.255.255.255:68 <- 64.187.71.4:67 NO_TRAFFIC:SINGLE age 00:00:14, expires in 00:00:16, 2:0 pkts, 656:0 bytes, rule 37 id: 4c7d77bc0000002e creatorid: 02ecc9b1 all tcp 64.187.64.40:41768 -> 64.187.65.74 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:05, expires in 00:01:55, 0:0 pkts, 0:0 bytes, rule 35 id: 4c7d77bc0000002f creatorid: 02ecc9b1 all tcp 64.187.65.74:41768 <- 64.187.64.40:56329 CLOSED:SYN_SENT [0 + 0] [3274366635 + 2] age 00:00:05, expires in 00:01:55, 1:0 pkts, 60:0 bytes, rule 37 id: 4c7d77bc00000030 creatorid: 02ecc9b1 all udp 255.255.255.255:68 <- 192.168.19.1:67 NO_TRAFFIC:SINGLE age 00:00:04, expires in 00:00:56, 1:0 pkts, 328:0 bytes, rule 37 id: 4c7d77bc00000031 creatorid: 02ecc9b1 all tcp 64.187.65.73:443 <- 64.187.65.74:34910 ESTABLISHED:ESTABLISHED [3953796794 + 6470] wscale 3 [520588873 + 66608] wscale 6 age 00:00:01, expires in 24:00:00, 5:5 pkts, 1824:864 bytes, rule 34 id: 4c7d77bc00000032 creatorid: 02ecc9b1
Updated by Jesse Norell over 14 years ago
I'm not familiar with exactly what that output is, but it looks like this:
all tcp 64.187.64.40:41768 -> 64.187.65.74 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:05, expires in 00:01:55, 0:0 pkts, 0:0 bytes, rule 35 id: 4c7d77bc0000002f creatorid: 02ecc9b1
May be what's wrong - it should be listening for any port on the client (64.187.64.40), going to dst port 41768 on the server (64.187.65.74). Ie. just like what happened in this closed connection:
all tcp 64.187.65.74:41768 <- 64.187.64.40:56329 CLOSED:SYN_SENT [0 + 0] [3274366635 + 2] age 00:00:05, expires in 00:01:55, 1:0 pkts, 60:0 bytes, rule 37 id: 4c7d77bc00000030 creatorid: 02ecc9b1
I'll note the floating rule was set on the "out" direction of the LAN interface, maybe something is tripped up because of that?
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
Test with the latest snapshot.
Updated by Jesse Norell over 14 years ago
Tested with:
2.0-BETA4 (i386)
built on Wed Sep 1 11:07:08 EDT 2010
FreeBSD 8.1-RELEASE
And has the same problem; pfctl output (port 52220 was the passive connection attempt) is:
$ pfctl -vvss all icmp 64.187.71.4:41782 -> 64.187.71.1 0:0 age 00:01:21, expires in 00:00:10, 82:80 pkts, 5248:5120 bytes id: 4c7ecae000000000 creatorid: 3dc26165 all tcp 127.0.0.1:56899 -> 127.0.0.1:443 FIN_WAIT_2:FIN_WAIT_2 [392395085 + 71679] wscale 3 [1209201555 + 71680] wscale 3 age 00:01:20, expires in 00:00:11, 141:140 pkts, 8423:24464 bytes id: 4c7ecae000000001 creatorid: 3dc26165 all tcp 127.0.0.1:443 <- 127.0.0.1:56899 FIN_WAIT_2:FIN_WAIT_2 [1209201555 + 71680] wscale 3 [392395085 + 71679] wscale 3 age 00:01:20, expires in 00:00:11, 141:140 pkts, 8423:24464 bytes id: 4c7ecae000000002 creatorid: 3dc26165 all tcp 64.187.65.73:443 <- 64.187.65.74:33647 ESTABLISHED:ESTABLISHED [603715598 + 44998] wscale 3 [2179479804 + 66608] wscale 6 age 00:01:10, expires in 24:00:00, 193:1037 pkts, 16854:213592 bytes, rule 34 id: 4c7ecae000000014 creatorid: ead363b1 all udp 64.187.71.4:14507 -> 169.229.70.95:123 MULTIPLE:MULTIPLE age 00:01:09, expires in 00:00:31, 7:7 pkts, 532:532 bytes, rule 32 id: 4c7ecae000000017 creatorid: ead363b1 all udp 64.187.71.4:26291 -> 65.18.173.237:123 MULTIPLE:MULTIPLE age 00:01:09, expires in 00:00:34, 7:7 pkts, 532:532 bytes, rule 32 id: 4c7ecae000000019 creatorid: ead363b1 all tcp 64.187.71.4:22135 -> 69.64.6.6:80 FIN_WAIT_2:FIN_WAIT_2 [3904347340 + 66608] wscale 3 [772943292 + 66607] wscale 3 age 00:01:05, expires in 00:00:25, 6:4 pkts, 435:548 bytes, rule 32 id: 4c7ecae00000001c creatorid: ead363b1 all tcp 64.187.65.74:21 <- 64.187.64.40:42382 ESTABLISHED:ESTABLISHED [2888768655 + 6912] wscale 6 [1429839149 + 5824] wscale 6 age 00:00:24, expires in 23:59:44, 19:18 pkts, 1062:2013 bytes, rule 37 id: 4c7ecae00000001d creatorid: ead363b1 all tcp 64.187.64.40:42382 -> 64.187.65.74:21 ESTABLISHED:ESTABLISHED [1429839149 + 5824] wscale 6 [2888768655 + 6912] wscale 6 age 00:00:24, expires in 23:59:44, 19:18 pkts, 1062:2013 bytes, rule 35 id: 4c7ecae00000001e creatorid: ead363b1 all udp 64.187.64.4:53 <- 64.187.65.74:58189 SINGLE:MULTIPLE age 00:00:24, expires in 00:00:06, 1:1 pkts, 71:165 bytes, rule 38 id: 4c7ecae00000001f creatorid: ead363b1 all udp 64.187.65.74:58189 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:24, expires in 00:00:06, 1:1 pkts, 71:165 bytes, rule 31 id: 4c7ecae000000020 creatorid: ead363b1 all udp 64.187.64.4:53 <- 64.187.65.74:46982 SINGLE:MULTIPLE age 00:00:24, expires in 00:00:06, 1:1 pkts, 58:142 bytes, rule 38 id: 4c7ecae000000021 creatorid: ead363b1 all udp 64.187.65.74:46982 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:24, expires in 00:00:06, 1:1 pkts, 58:142 bytes, rule 31 id: 4c7ecae000000022 creatorid: ead363b1 all tcp 64.187.64.40 -> 64.187.65.74:53237 -> 64.187.65.74:53237 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:19, expires in 00:01:41, 0:0 pkts, 0:0 bytes, rule 37 id: 4c7ecae000000023 creatorid: ead363b1 all tcp 64.187.65.74 <- 64.187.64.40:53237 <- 64.187.64.40:53237 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:19, expires in 00:01:41, 0:0 pkts, 0:0 bytes, rule 35 id: 4c7ecae000000024 creatorid: ead363b1 all tcp 64.187.64.40:53237 <- 64.187.65.74:20 FIN_WAIT_2:FIN_WAIT_2 [2215058851 + 5888] wscale 6 [2975066593 + 5824] wscale 6 age 00:00:19, expires in 00:01:11, 5:3 pkts, 336:164 bytes, rule 38 id: 4c7ecae000000025 creatorid: ead363b1 all tcp 64.187.65.74:20 -> 64.187.64.40:53237 FIN_WAIT_2:FIN_WAIT_2 [2975066593 + 5824] wscale 6 [2215058851 + 5888] wscale 6 age 00:00:19, expires in 00:01:11, 5:3 pkts, 336:164 bytes, rule 31 id: 4c7ecae000000026 creatorid: ead363b1 all udp 64.187.64.4:53 <- 64.187.65.74:54708 SINGLE:MULTIPLE age 00:00:19, expires in 00:00:11, 1:1 pkts, 71:165 bytes, rule 38 id: 4c7ecae000000027 creatorid: ead363b1 all udp 64.187.65.74:54708 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:19, expires in 00:00:11, 1:1 pkts, 71:165 bytes, rule 31 id: 4c7ecae000000028 creatorid: ead363b1 all udp 64.187.64.4:53 <- 64.187.65.74:57624 SINGLE:MULTIPLE age 00:00:19, expires in 00:00:11, 1:1 pkts, 58:142 bytes, rule 38 id: 4c7ecae000000029 creatorid: ead363b1 all udp 64.187.65.74:57624 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:19, expires in 00:00:11, 1:1 pkts, 58:142 bytes, rule 31 id: 4c7ecae00000002a creatorid: ead363b1 all udp 255.255.255.255:68 <- 64.187.71.4:67 NO_TRAFFIC:SINGLE age 00:00:17, expires in 00:00:29, 3:0 pkts, 984:0 bytes, rule 37 id: 4c7ecae00000002b creatorid: ead363b1 all tcp 64.187.64.40:52220 -> 64.187.65.74 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:16, expires in 00:01:44, 0:0 pkts, 0:0 bytes, rule 35 id: 4c7ecae00000002c creatorid: ead363b1 all tcp 64.187.65.74:52220 <- 64.187.64.40:59514 CLOSED:SYN_SENT [0 + 0] [1103004965 + 2] age 00:00:16, expires in 00:01:44, 1:0 pkts, 60:0 bytes, rule 37 id: 4c7ecae00000002d creatorid: ead363b1 all igmp 224.0.0.1 <- 64.187.71.182 NO_TRAFFIC:SINGLE age 00:00:00, expires in 00:01:00, 1:0 pkts, 28:0 bytes, rule 37 id: 4c7ecae00000002e creatorid: ead363b1
Updated by Jesse Norell over 14 years ago
Testing with:
2.0-BETA4 (i386)
built on Mon Sep 6 22:04:59 EDT 2010
FreeBSD 8.1-RELEASE
It still doesn't work, but this output looks a little different (port 45132 was the passive connection attempt):
$ pfctl -vvss all icmp 64.187.71.5:43321 -> 64.187.71.1 0:0 age 00:03:55, expires in 00:00:09, 233:232 pkts, 14912:14848 bytes id: 4c866c7900000000 creatorid: af1446cf all tcp 64.187.65.73:80 <- 64.187.65.74:54047 ESTABLISHED:ESTABLISHED [1670440525 + 64128] wscale 3 [240482193 + 66608] wscale 6 age 00:03:36, expires in 24:00:00, 122:143 pkts, 13500:101629 bytes, rule 30 id: 4c866c790000000e creatorid: 0745b67e all tcp 64.187.65.73:80 <- 64.187.65.74:54048 ESTABLISHED:ESTABLISHED [3786568118 + 44608] wscale 3 [240816435 + 66608] wscale 6 age 00:03:35, expires in 23:59:55, 39:38 pkts, 8549:11410 bytes, rule 30 id: 4c866c790000000f creatorid: 0745b67e all tcp 64.187.64.17:22 <- 64.187.65.74:39023 ESTABLISHED:ESTABLISHED [491294868 + 10560] wscale 3 [485107982 + 12128] wscale 6 age 00:03:20, expires in 23:59:45, 21:23 pkts, 2988:2940 bytes, rule 34 id: 4c866c7900000015 creatorid: 0745b67e all tcp 64.187.65.74:39023 -> 64.187.64.17:22 ESTABLISHED:ESTABLISHED [485107982 + 12128] wscale 6 [491294868 + 10560] wscale 3 age 00:03:20, expires in 23:59:45, 21:23 pkts, 2988:2940 bytes, rule 27 id: 4c866c7900000016 creatorid: 0745b67e all tcp 64.187.65.74:57000 -> 208.67.216.142:443 TIME_WAIT:TIME_WAIT [1604535991 + 66570] wscale 6 [2142832574 + 57088] wscale 3 age 00:02:09, expires in 00:00:00, 34:25 pkts, 7064:15315 bytes, rule 27 id: 4c866c7900000059 creatorid: 0745b67e all tcp 208.67.216.142:443 <- 64.187.65.74:57001 TIME_WAIT:TIME_WAIT [2853920501 + 42176] wscale 3 [1600863429 + 66570] wscale 6 age 00:02:09, expires in 00:00:00, 31:22 pkts, 6940:9214 bytes, rule 34 id: 4c866c790000005a creatorid: 0745b67e all tcp 64.187.65.74:57001 -> 208.67.216.142:443 TIME_WAIT:TIME_WAIT [1600863429 + 66570] wscale 6 [2853920501 + 42176] wscale 3 age 00:02:09, expires in 00:00:00, 31:22 pkts, 6940:9214 bytes, rule 27 id: 4c866c790000005b creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42101 FIN_WAIT_2:FIN_WAIT_2 [2990036220 + 34816] wscale 9 [1623044115 + 16896] wscale 6 age 00:02:07, expires in 00:00:21, 23:15 pkts, 6495:4688 bytes, rule 34 id: 4c866c790000006e creatorid: 0745b67e all tcp 64.187.65.74:42101 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1623044115 + 16896] wscale 6 [2990036220 + 34816] wscale 9 age 00:02:07, expires in 00:00:21, 23:15 pkts, 6495:4688 bytes, rule 27 id: 4c866c790000006f creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42102 FIN_WAIT_2:FIN_WAIT_2 [3537404028 + 31936] wscale 9 [1636518306 + 15872] wscale 6 age 00:02:07, expires in 00:00:06, 21:14 pkts, 5847:4364 bytes, rule 34 id: 4c866c7900000070 creatorid: 0745b67e all tcp 64.187.65.74:42102 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1636518306 + 15872] wscale 6 [3537404028 + 31936] wscale 9 age 00:02:07, expires in 00:00:06, 21:14 pkts, 5847:4364 bytes, rule 27 id: 4c866c7900000071 creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42103 FIN_WAIT_2:FIN_WAIT_2 [2523849067 + 28288] wscale 9 [1634695580 + 15872] wscale 6 age 00:02:07, expires in 00:00:21, 21:17 pkts, 5808:5839 bytes, rule 34 id: 4c866c7900000072 creatorid: 0745b67e all tcp 64.187.65.74:42103 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1634695580 + 15872] wscale 6 [2523849067 + 28288] wscale 9 age 00:02:07, expires in 00:00:21, 21:17 pkts, 5808:5839 bytes, rule 27 id: 4c866c7900000073 creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42104 FIN_WAIT_2:FIN_WAIT_2 [3919777058 + 31936] wscale 9 [1636825586 + 15872] wscale 6 age 00:02:07, expires in 00:00:06, 22:15 pkts, 5849:5734 bytes, rule 34 id: 4c866c7900000074 creatorid: 0745b67e all tcp 64.187.65.74:42104 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1636825586 + 15872] wscale 6 [3919777058 + 31936] wscale 9 age 00:02:07, expires in 00:00:06, 22:15 pkts, 5849:5734 bytes, rule 27 id: 4c866c7900000075 creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42105 FIN_WAIT_2:FIN_WAIT_2 [3754521725 + 22976] wscale 9 [1639416829 + 12288] wscale 6 age 00:02:07, expires in 00:00:06, 16:11 pkts, 4038:3299 bytes, rule 34 id: 4c866c7900000076 creatorid: 0745b67e all tcp 64.187.65.74:42105 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1639416829 + 12288] wscale 6 [3754521725 + 22976] wscale 9 age 00:02:07, expires in 00:00:06, 16:11 pkts, 4038:3299 bytes, rule 27 id: 4c866c7900000077 creatorid: 0745b67e all tcp 72.233.44.61:80 <- 64.187.65.74:42106 FIN_WAIT_2:FIN_WAIT_2 [2703743372 + 31936] wscale 9 [1626880173 + 15872] wscale 6 age 00:02:07, expires in 00:00:21, 22:16 pkts, 5860:5774 bytes, rule 34 id: 4c866c7900000078 creatorid: 0745b67e all tcp 64.187.65.74:42106 -> 72.233.44.61:80 FIN_WAIT_2:FIN_WAIT_2 [1626880173 + 15872] wscale 6 [2703743372 + 31936] wscale 9 age 00:02:07, expires in 00:00:21, 22:16 pkts, 5860:5774 bytes, rule 27 id: 4c866c7900000079 creatorid: 0745b67e all tcp 209.85.225.139:80 <- 64.187.65.74:57582 ESTABLISHED:ESTABLISHED [579123601 + 8768] wscale 6 [2523764321 + 8064] wscale 6 age 00:01:10, expires in 23:58:50, 4:3 pkts, 1412:1151 bytes, rule 34 id: 4c866c7900000091 creatorid: 0745b67e all tcp 64.187.65.74:57582 -> 209.85.225.139:80 ESTABLISHED:ESTABLISHED [2523764321 + 8064] wscale 6 [579123601 + 8768] wscale 6 age 00:01:10, expires in 23:58:50, 4:3 pkts, 1412:1151 bytes, rule 27 id: 4c866c7900000092 creatorid: 0745b67e all igmp 224.0.0.1 <- 64.187.71.182 NO_TRAFFIC:SINGLE age 00:01:03, expires in 00:00:00, 1:0 pkts, 28:0 bytes, rule 33 id: 4c866c7900000093 creatorid: 0745b67e all udp 255.255.255.255:68 <- 64.187.71.4:67 NO_TRAFFIC:SINGLE age 00:01:02, expires in 00:00:00, 1:0 pkts, 328:0 bytes, rule 33 id: 4c866c7900000094 creatorid: 0745b67e all tcp 64.187.65.74:21 <- 64.187.64.40:32940 ESTABLISHED:ESTABLISHED [3086052795 + 6912] wscale 6 [57851658 + 5824] wscale 6 age 00:00:35, expires in 23:59:31, 19:20 pkts, 1062:2116 bytes, rule 33 id: 4c866c7900000095 creatorid: 0745b67e all tcp 64.187.64.40:32940 -> 64.187.65.74:21 ESTABLISHED:ESTABLISHED [57851658 + 5824] wscale 6 [3086052795 + 6912] wscale 6 age 00:00:35, expires in 23:59:31, 19:20 pkts, 1062:2116 bytes, rule 31 id: 4c866c7900000096 creatorid: 0745b67e all tcp 64.187.64.40 -> 64.187.65.74:53367 -> 64.187.65.74:53367 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:32, expires in 00:01:28, 0:0 pkts, 0:0 bytes, rule 33 id: 4c866c790000009b creatorid: 0745b67e all tcp 64.187.65.74:53367 <- 64.187.64.40:53367 <- 64.187.64.40 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:32, expires in 00:01:28, 0:0 pkts, 0:0 bytes, rule 31 id: 4c866c790000009c creatorid: 0745b67e all tcp 64.187.64.40:53367 <- 64.187.65.74:20 FIN_WAIT_2:FIN_WAIT_2 [3106962232 + 5888] wscale 6 [3137179148 + 5824] wscale 6 age 00:00:32, expires in 00:00:58, 5:3 pkts, 336:164 bytes, rule 34 id: 4c866c790000009d creatorid: 0745b67e all tcp 64.187.65.74:20 -> 64.187.64.40:53367 FIN_WAIT_2:FIN_WAIT_2 [3137179148 + 5824] wscale 6 [3106962232 + 5888] wscale 6 age 00:00:32, expires in 00:00:58, 5:3 pkts, 336:164 bytes, rule 27 id: 4c866c790000009e creatorid: 0745b67e all udp 64.187.64.4:53 <- 64.187.65.74:54392 SINGLE:MULTIPLE age 00:00:32, expires in 00:00:00, 1:1 pkts, 71:165 bytes, rule 34 id: 4c866c790000009f creatorid: 0745b67e all udp 64.187.65.74:54392 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:32, expires in 00:00:00, 1:1 pkts, 71:165 bytes, rule 27 id: 4c866c79000000a0 creatorid: 0745b67e all udp 64.187.64.4:53 <- 64.187.65.74:59026 SINGLE:MULTIPLE age 00:00:32, expires in 00:00:00, 1:1 pkts, 58:142 bytes, rule 34 id: 4c866c79000000a1 creatorid: 0745b67e all udp 64.187.65.74:59026 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:32, expires in 00:00:00, 1:1 pkts, 58:142 bytes, rule 27 id: 4c866c79000000a2 creatorid: 0745b67e all tcp 64.187.64.40:45132 -> 64.187.65.74 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:29, expires in 00:01:31, 0:0 pkts, 0:0 bytes, rule 31 id: 4c866c79000000a3 creatorid: 0745b67e all tcp 64.187.65.74 <- 64.187.65.74:45132 <- 64.187.64.40:45132 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:29, expires in 00:01:31, 0:0 pkts, 0:0 bytes, rule 33 id: 4c866c79000000a4 creatorid: 0745b67e all tcp 64.187.65.74:45132 <- 64.187.64.40:46770 CLOSED:SYN_SENT [0 + 1] [3497388019 + 2] age 00:00:29, expires in 00:01:31, 1:0 pkts, 60:0 bytes, rule 33 id: 4c866c79000000a5 creatorid: 0745b67e all udp 64.187.64.4:53 <- 64.187.65.74:41235 SINGLE:MULTIPLE age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:160 bytes, rule 34 id: 4c866c79000000a6 creatorid: 0745b67e all udp 64.187.65.74:41235 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:160 bytes, rule 27 id: 4c866c79000000a7 creatorid: 0745b67e all udp 64.187.64.4:53 <- 64.187.65.74:49660 SINGLE:MULTIPLE age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:262 bytes, rule 34 id: 4c866c79000000a8 creatorid: 0745b67e all udp 64.187.65.74:49660 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:02, expires in 00:00:28, 1:1 pkts, 75:262 bytes, rule 27 id: 4c866c79000000a9 creatorid: 0745b67e all tcp 74.125.162.164:80 <- 64.187.65.74:43611 ESTABLISHED:ESTABLISHED [3695470236 + 40896] wscale 6 [3606132736 + 7872] wscale 6 age 00:00:02, expires in 23:59:59, 99:104 pkts, 6965:152828 bytes, rule 34 id: 4c866c79000000aa creatorid: 0745b67e all tcp 64.187.65.74:43611 -> 74.125.162.164:80 ESTABLISHED:ESTABLISHED [3606132736 + 7872] wscale 6 [3695470236 + 40896] wscale 6 age 00:00:02, expires in 23:59:59, 99:104 pkts, 6965:152828 bytes, rule 27 id: 4c866c79000000ab creatorid: 0745b67e
Updated by Ermal Luçi about 14 years ago
This should be ok on latest snapshots as confirmed by others.
Please confirm or this will be put to resolved status.
Updated by Jesse Norell about 14 years ago
Tested with latest snapshot (2.0-BETA 4 (i386) built on Tue Dec 21 12:44:54 EST 2010), and still not working. Active mode ftp works, passive mode does not.
$ pfctl -vvss all icmp 64.187.71.5:22089 -> 64.187.71.1 0:0 age 00:00:28, expires in 00:00:09, 28:28 pkts, 1792:1792 bytes, rule 22 id: 4d123f09000000de creatorid: f982436b all tcp 64.187.65.73:80 <- 64.187.65.74:45857 ESTABLISHED:ESTABLISHED [108517432 + 64128] wscale 3 [958062932 + 66568] wscale 6 age 00:00:25, expires in 24:00:00, 34:33 pkts, 5256:37003 bytes, rule 24 id: 4d123f09000000df creatorid: f982436b all udp 255.255.255.255:67 <- 0.0.0.0:68 NO_TRAFFIC:SINGLE age 00:00:23, expires in 00:00:29, 2:0 pkts, 656:0 bytes, rule 28 id: 4d123f09000000e0 creatorid: f982436b all udp 255.255.255.255:68 <- 64.187.71.4:67 NO_TRAFFIC:SINGLE age 00:00:23, expires in 00:00:29, 3:0 pkts, 984:0 bytes, rule 28 id: 4d123f09000000e1 creatorid: f982436b all udp 64.6.144.6:123 <- 64.187.65.74:123 SINGLE:MULTIPLE age 00:00:18, expires in 00:00:12, 1:1 pkts, 76:76 bytes, rule 29 id: 4d123f09000000e2 creatorid: f982436b all udp 64.187.65.74:123 -> 64.6.144.6:123 MULTIPLE:SINGLE age 00:00:18, expires in 00:00:12, 1:1 pkts, 76:76 bytes, rule 22 id: 4d123f09000000e3 creatorid: f982436b all udp 255.255.255.255:68 <- 172.19.0.2:67 NO_TRAFFIC:SINGLE age 00:00:18, expires in 00:00:42, 1:0 pkts, 328:0 bytes, rule 28 id: 4d123f09000000e4 creatorid: f982436b all udp 67.202.107.55:123 <- 64.187.65.74:123 SINGLE:MULTIPLE age 00:00:10, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 29 id: 4d123f09000000e5 creatorid: f982436b all udp 64.187.65.74:123 -> 67.202.107.55:123 MULTIPLE:SINGLE age 00:00:10, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 22 id: 4d123f09000000e6 creatorid: f982436b all tcp 64.187.65.74:21 <- 64.187.64.40:39872 ESTABLISHED:ESTABLISHED [1208096112 + 6912] wscale 6 [307474235 + 5824] wscale 6 age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 28 id: 4d123f09000000e7 creatorid: f982436b all tcp 64.187.64.40:39872 -> 64.187.65.74:21 ESTABLISHED:ESTABLISHED [307474235 + 5824] wscale 6 [1208096112 + 6912] wscale 6 age 00:00:09, expires in 23:59:57, 14:13 pkts, 774:1431 bytes, rule 26 id: 4d123f09000000e8 creatorid: f982436b all udp 64.187.64.4:53 <- 64.187.65.74:54218 SINGLE:MULTIPLE age 00:00:09, expires in 00:00:21, 1:1 pkts, 71:165 bytes, rule 29 id: 4d123f09000000e9 creatorid: f982436b all udp 64.187.65.74:54218 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:09, expires in 00:00:21, 1:1 pkts, 71:165 bytes, rule 22 id: 4d123f09000000ea creatorid: f982436b all udp 64.187.64.4:53 <- 64.187.65.74:48692 SINGLE:MULTIPLE age 00:00:09, expires in 00:00:21, 1:1 pkts, 58:142 bytes, rule 29 id: 4d123f09000000eb creatorid: f982436b all udp 64.187.65.74:48692 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:09, expires in 00:00:21, 1:1 pkts, 58:142 bytes, rule 22 id: 4d123f09000000ec creatorid: f982436b all tcp 64.187.64.40:47798 -> 64.187.65.74 LISTEN:LISTEN [0 + 0] [0 + 0] age 00:00:03, expires in 00:01:57, 0:0 pkts, 0:0 bytes, rule 26 id: 4d123f09000000ed creatorid: f982436b all tcp 64.187.65.74:47798 <- 64.187.64.40:54976 CLOSED:SYN_SENT [0 + 0] [1640765136 + 2] age 00:00:03, expires in 00:01:57, 1:1 pkts, 60:88 bytes, rule 28 id: 4d123f09000000ee creatorid: f982436b
To refresh (at least my) memory on what's what here, 64.187.64.40 was my ftp client, coming in the WAN, and 64.187.65.74 is my ftp server on the LAN. I have one rule allowing everything in the WAN interface, and 2 floating rules outbound on LAN interface, the first allows port 21, the second denies everything else. (The port 21 connection works, just the passive mode ftp data connection does not.) I am not using NAT.
In the above (last 2 entries), port 47798 was the ftp data connection; the all tcp 64.187.64.40:47798 -> 64.187.65.74 LISTEN:LISTEN
has it listed as the source port of my client when it is in fact the destination port of the server for that connection (all tcp 64.187.65.74:47798 <- 64.187.64.40:54976 CLOSED:SYN_SENT
is from the connection attempt my client actually made).
Also testing in the other direction also fails, though differently (conversely?). With the same rules as above, I ran an ftp client from 64.187.65.74, and there I can use passive mode ftp, but I can not use active mode.
Updated by Chris Buechler almost 14 years ago
- Status changed from Feedback to New
Updated by Ermal Luçi almost 14 years ago
Well its a bug per se but i would not consider it critical for 2.0.
Its rather unusual to filter outgoing on a box that is why it was a second thought to finish this.
Updated by Ermal Luçi almost 14 years ago
- Target version changed from 2.0 to Future
Updated by Ermal Luçi almost 14 years ago
- Status changed from New to Feedback
Try a newer snapshot than the date of this post it should fix the issue.
although this is not target for 2.0 the fix was needed for other cases so this was a byproduct of that.
Updated by Jesse Norell almost 14 years ago
There is some improvement, I can now use an ftp client on LAN in both passive or active mode, but still can't use passive mode to an ftp server on the LAN. This is with 2.0-BETA5 (i386) built on Wed Jan 19 02:10:47 EST 2011.
The behavior on the network is quite different now. My ftp control connection (port 21) worked fine, and active connections work fine, but when I changed to passive mode and tried a directory listing, the data connection actually succeeded (this was previously being reset), but the control connection was immediately reset (tcp RST to 64.187.64.40:34808).
$ pfctl -vvss all icmp 64.187.71.5:53072 -> 64.187.71.1 0:0 age 00:00:36, expires in 00:00:10, 37:37 pkts, 2368:2368 bytes, rule 26 id: 4d371c240000025c creatorid: ef5db833 all tcp 64.187.65.73:80 <- 64.187.65.74:44055 ESTABLISHED:ESTABLISHED [1504293832 + 40640] wscale 3 [1348139511 + 66496] wscale 6 age 00:00:25, expires in 24:00:00, 18:17 pkts, 3055:18142 bytes, rule 28 id: 4d371c240000025d creatorid: ef5db833 all tcp 64.187.65.74:21 <- 64.187.64.40:34808 ESTABLISHED:ESTABLISHED [1510363712 + 6912] wscale 6 [1418967415 + 5824] wscale 6 age 00:00:13, expires in 23:59:54, 14:15 pkts, 769:1757 bytes, rule 32 id: 4d371c240000025e creatorid: ef5db833 all tcp 64.187.64.40:34808 -> 64.187.65.74:21 ESTABLISHED:ESTABLISHED [1418967415 + 5824] wscale 6 [1510363712 + 6861] wscale 6 age 00:00:13, expires in 23:59:54, 13:14 pkts, 717:1677 bytes, rule 30 id: 4d371c240000025f creatorid: ef5db833 all udp 64.187.64.4:53 <- 64.187.65.74:54290 SINGLE:MULTIPLE age 00:00:13, expires in 00:00:17, 1:1 pkts, 71:165 bytes, rule 33 id: 4d371c2400000260 creatorid: ef5db833 all udp 64.187.65.74:54290 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:13, expires in 00:00:17, 1:1 pkts, 71:165 bytes, rule 26 id: 4d371c2400000261 creatorid: ef5db833 all udp 64.187.64.4:53 <- 64.187.65.74:53727 SINGLE:MULTIPLE age 00:00:13, expires in 00:00:17, 1:1 pkts, 58:142 bytes, rule 33 id: 4d371c2400000262 creatorid: ef5db833 all udp 64.187.65.74:53727 -> 64.187.64.4:53 MULTIPLE:SINGLE age 00:00:13, expires in 00:00:17, 1:1 pkts, 58:142 bytes, rule 26 id: 4d371c2400000263 creatorid: ef5db833 all udp 69.65.40.29:123 <- 64.187.65.74:123 SINGLE:MULTIPLE age 00:00:12, expires in 00:00:18, 1:1 pkts, 76:76 bytes, rule 33 id: 4d371c2400000264 creatorid: ef5db833 all udp 64.187.65.74:123 -> 69.65.40.29:123 MULTIPLE:SINGLE age 00:00:12, expires in 00:00:18, 1:1 pkts, 76:76 bytes, rule 26 id: 4d371c2400000265 creatorid: ef5db833 all udp 72.18.205.157:123 <- 64.187.65.74:123 SINGLE:MULTIPLE age 00:00:11, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 33 id: 4d371c2400000266 creatorid: ef5db833 all udp 64.187.65.74:123 -> 72.18.205.157:123 MULTIPLE:SINGLE age 00:00:11, expires in 00:00:20, 1:1 pkts, 76:76 bytes, rule 26 id: 4d371c2400000267 creatorid: ef5db833 all tcp 64.187.64.40:56319 -> 64.187.65.74:52979 FIN_WAIT_2:ESTABLISHED [1076337581 + 5824] wscale 6 [1631839020 + 5888] wscale 6 age 00:00:06, expires in 00:14:54, 3:2 pkts, 164:112 bytes, rule 30 id: 4d371c2400000268 creatorid: ef5db833 all tcp 64.187.65.74:52979 <- 64.187.64.40:56319 ESTABLISHED:FIN_WAIT_2 [1631839020 + 5888] wscale 6 [1076337581 + 5824] wscale 6 age 00:00:06, expires in 00:14:54, 3:2 pkts, 164:112 bytes, rule 32 id: 4d371c2400000269 creatorid: ef5db833
Here was the what my ftp client saw happen (port 52979 was the data connection, 64.187.64.40 is my client on WAN, 64.187.65.74 is my ftp server on LAN, 64.187.71.5 is the pfsense WAN addr):
10:42:48.082820 IP 64.187.64.40.34808 > 64.187.65.74.21: Flags [P.], seq 28:34, ack 448, win 108, options [nop,nop,TS val 17743743 ecr 2082528], length 6 10:42:48.084804 IP 64.187.65.74.21 > 64.187.64.40.34808: Flags [P.], seq 448:499, ack 34, win 91, options [nop,nop,TS val 2083333 ecr 17743743], length 51 10:42:48.084850 IP 64.187.64.40.34808 > 64.187.65.74.21: Flags [.], ack 499, win 108, options [nop,nop,TS val 17743743 ecr 2083333], length 0 10:42:48.084921 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [S], seq 852796517, win 5840, options [mss 1460,sackOK,TS val 17743743 ecr 0,nop,wscale 6], length 0 10:42:48.086302 IP 64.187.65.74.21 > 64.187.64.40.34808: Flags [R.], seq 499, ack 34, win 0, length 0 10:42:48.086552 IP 64.187.71.5 > 64.187.64.40: ICMP host 64.187.65.74 unreachable, length 60 10:42:48.086561 IP 64.187.65.74.52979 > 64.187.64.40.56319: Flags [S.], seq 1631839019, ack 852796518, win 5792, options [mss 1380,sackOK,TS val 2083333 ecr 17743743,nop,wscale 6], length 0 10:42:48.086586 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [.], ack 1, win 92, options [nop,nop,TS val 17743743 ecr 2083333], length 0 10:42:48.086644 IP 64.187.64.40.56319 > 64.187.65.74.52979: Flags [F.], seq 1, ack 1, win 92, options [nop,nop,TS val 17743743 ecr 2083333], length 0 10:42:48.093547 IP 64.187.65.74.52979 > 64.187.64.40.56319: Flags [.], ack 2, win 91, options [nop,nop,TS val 2083335 ecr 17743743], length 0 ^C
Updated by Chris Buechler over 11 years ago
- Status changed from Feedback to Closed