# pftpx + pf issue



## LaR3 (Jul 14, 2009)

Hello.

I'm trying to set up an ftp-proxy (pftpx) with PF.

I have set up the nat anchors and rdr in pf.conf.

My setup:

```
+-------------+
|   INTERNET  |
+-------------+
       |
       |
       |
+-------------+
|      PF     |
|    pftpx    |
+-------------+
       |
       |
       |
+-------------+
|    PRFTPD   |
+-------------+
```

The client on the Internet: 52.125.11.51
PF External IP address: 81.157.22.26
FTP Server: 192.168.1.10


The rules in pf added by pftpx:

```
# pfctl -v -a `pfctl -sA -v | grep -v "pftpx$"` -sr; pfctl -vvv -a `pfctl -sA -v | grep -v "pftpx$"` -sn
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
  [ Evaluations: 3         Packets: 2         Bytes: 80          States: 1     ]
```
Proftpd output:

```
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - in dir_check_full(): path = '/', fullpath = '/usr/home/www/test_dir/'.
domain.com (192.168.1.10[192.168.1.10]) - ROOT PRIVS at inet.c:237
domain.com (192.168.1.10[192.168.1.10]) - RELINQUISH PRIVS at inet.c:254
domain.com (192.168.1.10[192.168.1.10]) - Entering Extended Passive Mode (|||65186|)
domain.com (192.168.1.10[192.168.1.10]) - dispatching POST_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_log
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_ratio
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'LIST' to mod_ls
domain.com (192.168.1.10[192.168.1.10]) - SECURITY VIOLATION: Passive connection from 52.125.11.51 rejected.
```

FTP Client:

```
230 User test_user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||53266|)
421 Service not available, remote server has closed connection.
ftp>
ftp> ^D
```

PFTPX output:

```
#1 server: 230 User test_user logged in\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\n
#1 server:  MDTM\n
#1 server:  MFMT\n
#1 server:  MFF modify;UNIX.group;UNIX.mode;\n
#1 server:  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\n
#1 server:  REST STREAM\n
#1 server:  SIZE\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is the current directory\r\n
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||65186|)\r\n
#1 passive: client to server port 65186 via port 53266
#1 proxy: 229 Entering Extended Passive Mode (|||53266|)\r\n
#1 client: LIST\r\n
^Cpftpx exiting on signal 2
#1 ending session
```


As you can see, pftpx adds the correct rules in PF, but the client's IP (52.125.11.51) isn't NATed (proftpd complains: Passive connection from 52.125.11.51 rejected). The packets from the client are being redirected to the FTP server, but the nat rule isn't applied to them.
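An added diagnostic sketch (not part of the original post, and not pftpx or pf code): it parses the `pfctl -v` anchor output quoted above, lists the rules that were never evaluated, and compares the source address the FTP server will see on the data connection with the control-connection peer (192.168.1.10 in the ProFTPD log). The function names are hypothetical, and using a non-zero packet counter as evidence that the nat rule was applied is an assumption of this example.

```python
import re

# Sample input: the anchor rules and counters quoted in the post above.
PFCTL_OUTPUT = """\
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
  [ Evaluations: 3         Packets: 2         Bytes: 80          States: 1     ]
"""

COUNTERS = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
RULE = re.compile(
    r"^(?:@\d+\s+)?(pass in|pass out|nat|rdr)\b.*?from (\S+) to (\S+)"
    r"(?: port = (\d+))?(?: .*?-> (\S+))?")

def parse_rules(text):
    """Pair every rule line with the counter line that follows it."""
    rules = []
    for line in text.splitlines():
        m = COUNTERS.search(line)
        if m and rules:
            keys = ("evals", "packets", "bytes", "states")
            rules[-1].update(zip(keys, map(int, m.groups())))
            continue
        m = RULE.match(line)
        if m:
            kind, src, dst, port, target = m.groups()
            rules.append({"kind": kind, "src": src, "dst": dst,
                          "port": port, "target": target})
    return rules

def data_connection_source(rules):
    """Source address the FTP server sees on the passive data connection."""
    rdr = next(r for r in rules if r["kind"] == "rdr")
    nat = next(r for r in rules if r["kind"] == "nat")
    # Assumption: the source is rewritten only if the nat rule handled packets.
    return nat["target"] if nat.get("packets", 0) > 0 else rdr["src"]

def diagnose(text, control_peer):
    rules = parse_rules(text)
    seen = data_connection_source(rules)
    return {"never_evaluated": [r["kind"] for r in rules if r.get("evals", 0) == 0],
            "data_source": seen,
            "accepted": seen == control_peer}  # same comparison the server log reports
```

Calling `diagnose(PFCTL_OUTPUT, "192.168.1.10")` on the counters above reports the `nat` rule as never evaluated and the data connection arriving from 52.125.11.51, which does not match the control peer.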


----------



## LaR3 (Jul 14, 2009)

I seem to have found the cause. Packets coming in on ext_if from the client are being redirected to the NATed IP, but not out on the internal/external/loopback interface... so the NAT isn't applied.

FreeBSD 6.3-STABLE ... probably a bug in pf.

If the FTP server were on another server in the internal network, then it'd work properly, I suppose.


----------



## vivek (Jul 14, 2009)

Can you paste your actual pf.conf rules related to ftp-proxy? I hope ftp-proxy is installed and running on the default port.


----------



## LaR3 (Jul 14, 2009)

Hi. The rules are just fine. I reduced the pf.conf to just the macros and the anchors and it still won't work.

I forgot to mention that the FTP server runs inside a jail on the same machine, bound to an IP address (alias) from the internal interface.

The setup runs perfectly when the FTP is on a separate machine on the LAN because the packets, after being redirected, actually exit the int_if and the nat rules apply to them.

When the FTP is in a jail, the packets are being redirected to the jail's IP, but PF doesn't apply the NAT rule to them, because they don't exit any interface apparently (nat rule is: nat inet proto tcp).

TCPDUMP is only able to record the packets on the external interface, but not on loopback, as I was expecting.

So the issue is not with pftpx, but with PF redirecting packets to the jail's IP but skipping the loopback (and the kernel, I guess) and the nat rules not being applied to them.


----------



## LaR3 (Jul 14, 2009)

FreeBSD 6.4-STABLE (just upgraded from 6.3).


----------

