Re: FTP problems (IPFilter forum, System Security and Security Related category)
hi paul,

do you have a "catch-all" return-rst last rule such as

    block return-rst in log proto tcp all

if so, read on...

from http://www.phildev.net/ipf/ see http://www.phildev.net/ipf/IPFprob.html#9 which is a condensed version of http://marc.theaimsgroup.com/?l=ipfi...4715121908&w=2

these blocked ACKs

> 15:10:15.610768 12x qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 669733519 32148 IN

are indicative of the problem above.

jim

Paul Mackey wrote:
> Hi,
>
> I have a box with IP Filter (v3.4.31, Solaris 8, Sun 420) running along
> with an FTP proxy (jftpgw).
>
> client -> idmz: | FW | :edmz -> FTP server
>
> The client logs into the proxy by connecting to the IDMZ interface on
> the firewall. He then logs into the FTP server with anonymous@FTP
> Server. This goes fine. Listings can be done and the data channel can be
> established.
>
> When trying to send up a large file ~ 100MB the upload starts ok and
> seems to keep working but all of a sudden the state closes down and
> traffic from the FTP server is denied.
>
> I have map rules on top of ipnat.conf as follows:
>
> map qfe0 0/0 -> 0/32 proxy port 21 ftp/tcp
> map qfe5 0/0 -> 0/32 proxy port 21 ftp/tcp
>
> I have FTP passive/active port range open:
>
> #
> # FTP proxy Passive
> #
> block in quick on qfe0 proto tcp from any to IDMZ-IP port = 20 head 460 group 2
> pass in log first quick on qfe0 proto tcp from any to IDMZ-IP port 32767 >< 49152 flags S keep state group 460
> block in log first quick on qfe0 from any to any group 460
>
> #
> # FTP proxy Passive
> #
> block in quick on qfe5 proto tcp from any to EDMZ-IP port 32767 >< 49152 head 475 group 3
> pass in log first quick on qfe5 proto tcp from any to EDMZ-IP port 32767 >< 49152 flags S keep state group 475
> block in log first quick on qfe5 from any to any group 475
>
> Log:
>
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Read (1): STOR paultest.bin
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Send (server - 2): STOR paultest.bin^M
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Write(2): STOR paultest.bin^M
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Read (2): 150 Opening BINARY mode data connection for paultest.bin.
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Write(1): 150 Opening BINARY mode data connection for paultest.bin.^M
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Send (client - 1): 150 Opening BINARY mode data connection for paultest.bin.^M
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Opening the active FTP port 34119 on CLIENT-IP
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Trying to get a free source port on address IDMZFW-IP
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.debug] Found free port 42956 after 0 tries
> Sep 25 15:09:47 picsbh6 jftpgw[14112]: [ID 702911 daemon.info] Throughputrate is -1.000
> Sep 25 15:09:47 picsbh6 ipmon[364]: [ID 702911 local0.notice] 15:09:47.550281 qfe5 @475:1 p 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 60 -S 771141877 0 65535 K-S IN
> Sep 25 15:09:47 picsbh6 ipmon[364]: [ID 702911 local0.notice] 15:09:47.598434 qfe0 @625:7 p IDMZ-IP,42956 -> CLIENT-IP,34119 PR tcp len 20 48 -S 661318002 0 24820 K-S OUT
> Sep 25 15:09:47 picsbh6 ipmon[364]: [ID 702911 local0.info] 15:09:47.550270 STATE:NEW 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp
> Sep 25 15:09:47 picsbh6 ipmon[364]: [ID 702911 local0.info] 15:09:47.598422 STATE:NEW IDMZ-IP,42956 -> CLIENT-IP,34119 PR tcp
>
> After a little while:
>
> Sep 25 15:10:15 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:10:15.610768 12x qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 669733519 32148 IN
> Sep 25 15:11:53 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:11:53.369285 79x qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715033911 32148 IN
> Sep 25 15:11:54 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:11:54.362250 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:11:56 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:11:56.361252 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:12:00 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:12:00.361881 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:12:08 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:12:08.361512 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:12:24 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:12:24.361450 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:12:56 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:12:56.361542 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:13:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:13:56.362087 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:14:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:14:56.361868 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:15:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:15:56.362270 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:16:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:16:56.361908 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:17:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:17:56.361621 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:18:57 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:18:56.361445 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -A 771141878 715035279 32148 IN
> Sep 25 15:31:53 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:31:53.400148 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:31:54 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:31:54.713668 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:31:56 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:31:56.243227 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:31:59 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:31:59.302825 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:32:05 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:32:05.424036 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:32:17 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:32:17.654004 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:32:42 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:32:42.124308 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:33:31 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:33:31.036281 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:34:36 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:34:36.267319 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:35:41 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:35:41.519781 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:36:47 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:36:46.710085 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:37:52 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:37:51.921660 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:38:58 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:38:57.143317 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:40:03 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:40:02.394970 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
> Sep 25 15:41:08 picsbh6 ipmon[364]: [ID 702911 local0.warning] 15:41:07.576601 qfe5 @475:2 b 207.25.253.21,20 -> EDMZ-IP,38578 PR tcp len 20 52 -AR 771141879 715035279 32148 IN
>
> ipfstat -slv shows still in state:
>
> 207.25.253.21 -> EDMZ-IP ttl 168692 pass 0x500a pr 6 state 4/4
> pkts 74009 bytes 57939348 20 -> 38578 2df6b0f6:2aa02b5b 32148<<2:24624<<0
> pass in quick keep state IPv4
> pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
> pkt_security & ffff = 0, pkt_auth & ffff = 0
> interfaces: in qfe5,- out -,qfe5
>
> Any help would be much appreciated.
>
> Thanks,
> Paul
>
> --
> NOTICE: If received in error, please destroy and notify sender. Sender
> does not waive confidentiality or privilege, and use is prohibited.
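The symptom Jim points at in the ipmon log (a data channel admitted by the "keep state" rule @475:1, then its ACK-only segments blocked by @475:2) is easy to miss by eye across a long syslog file. The following is an added example, not code from the thread, from jftpgw or from IP Filter itself: a small parser for ipmon(8) lines in the format quoted above that groups records by flow and reports every flow that was admitted to the state table but later had SYN-less ACK segments blocked. The sample log is constructed from the post's lines with RFC 5737 documentation addresses (203.0.113.21, 10.0.0.5, 198.51.100.7) in place of the real hosts; the last sample line is an unrelated blocked SYN and must not be reported.

```python
"""Spot TCP flows whose ipmon log shows state being lost mid-connection.

Added example, not code from the post or from IP Filter: it parses
ipmon(8)-style lines like the ones quoted above and reports every flow
that was admitted to the state table (a "p ... K-S" pass, or a STATE:NEW
event) but later had ACK-only segments (no SYN) blocked by some rule.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's log; addresses are RFC 5737
# documentation ranges, not the real hosts.  The last line is an unrelated
# blocked SYN and must not be reported.
SAMPLE_LOG = """\
Sep 25 15:09:47 fw ipmon[364]: [ID 702911 local0.notice] 15:09:47.550281 qfe5 @475:1 p 203.0.113.21,20 -> 10.0.0.5,38578 PR tcp len 20 60 -S 771141877 0 65535 K-S IN
Sep 25 15:09:47 fw ipmon[364]: [ID 702911 local0.info] 15:09:47.550270 STATE:NEW 203.0.113.21,20 -> 10.0.0.5,38578 PR tcp
Sep 25 15:10:15 fw ipmon[364]: [ID 702911 local0.warning] 15:10:15.610768 12x qfe5 @475:2 b 203.0.113.21,20 -> 10.0.0.5,38578 PR tcp len 20 52 -A 771141878 669733519 32148 IN
Sep 25 15:31:53 fw ipmon[364]: [ID 702911 local0.warning] 15:31:53.400148 qfe5 @475:2 b 203.0.113.21,20 -> 10.0.0.5,38578 PR tcp len 20 52 -AF 771141878 715035279 32148 IN
Sep 25 15:41:08 fw ipmon[364]: [ID 702911 local0.warning] 15:41:07.576601 qfe5 @475:2 b 203.0.113.21,20 -> 10.0.0.5,38578 PR tcp len 20 52 -AR 771141879 715035279 32148 IN
Sep 25 15:12:00 fw ipmon[364]: [ID 702911 local0.warning] 15:12:00.123456 qfe5 @475:2 b 198.51.100.7,40001 -> 10.0.0.5,22 PR tcp len 20 60 -S 1 0 65535 IN
"""

# ipmon's own timestamp (with microseconds) marks where the record starts,
# whatever syslog or mail-quoting prefix precedes it.
TS_START = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
# Packet record:
#   <ts> [<n>x] <if> @<group>:<rule> <p|b> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <len> ...
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:(?P<rep>\d+)x\s+)?"
    r"(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\w.-]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.-]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?P<rest>.*)$"
)
# State-table event: <ts> STATE:NEW <src>,<sport> -> <dst>,<dport> PR <proto>
STATE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+STATE:(?P<event>\w+)\s+"
    r"(?P<src>[\w.-]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.-]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)
# TCP flag letters such as "-S", "-A", "-AF", "-AR".  The "K-S" keep-state
# marker does not match because no whitespace precedes its '-'.
FLAGS_RE = re.compile(r"\s-(?P<flags>[A-Z]+)\s")


def parse_line(raw):
    """Return a dict for a packet or state record, or None for anything else."""
    m = TS_START.search(raw)
    if not m:
        return None
    line = raw[m.start():].strip()
    m = STATE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "state"
        return rec
    m = PKT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "pkt"
    rec["count"] = int(rec.pop("rep") or 1)   # "12x" means 12 identical packets
    fm = FLAGS_RE.search(rec.pop("rest"))
    rec["flags"] = fm.group("flags") if fm else ""
    rec["keep_state"] = "K-S" in line          # matched a "keep state" rule
    return rec


def find_lost_state(lines):
    """Flows admitted to the state table whose later ACK-only packets were blocked."""
    flows = defaultdict(lambda: {"admitted": None, "blocked": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        f = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])]
        admitted = (rec["kind"] == "state" and rec["event"] == "NEW") or \
                   (rec["kind"] == "pkt" and rec["action"] == "p" and rec["keep_state"])
        if admitted:
            f["admitted"] = rec["ts"] if f["admitted"] is None else min(f["admitted"], rec["ts"])
        elif rec["kind"] == "pkt" and rec["action"] == "b" \
                and "A" in rec["flags"] and "S" not in rec["flags"]:
            f["blocked"].append(rec)   # mid-stream segment refused: state is gone
    findings = []
    for flow, f in flows.items():
        if f["admitted"] and f["blocked"]:
            findings.append({
                "flow": flow,
                "admitted_at": f["admitted"],
                "first_block_at": f["blocked"][0]["ts"],
                "blocked_packets": sum(r["count"] for r in f["blocked"]),
                "blocking_rules": sorted({"@%s:%s" % (r["group"], r["rule"]) for r in f["blocked"]}),
                "flags_seen": sorted({r["flags"] for r in f["blocked"]}),
            })
    return findings


if __name__ == "__main__":
    for hit in find_lost_state(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against a real /var/adm/messages (or ipmon's own log file) with `find_lost_state(open(path))`; the regexes tolerate the syslog prefix and ">"-quoted copies such as the ones in this thread, and the repeat multiplier ("12x", "79x") is folded into the packet count so the size of the retransmission storm is visible. A flow reported here with both "-AF" and "-AR" blocked, while `ipfstat -sl` still lists it, is exactly the state Paul describes.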