FTP proxy uses the physical instead of the virtual address.

Started by spider, May 24, 2022, 07:34:49 AM

Hiya,

Our set-up is similar to https://forum.opnsense.org/index.php?topic=18732.msg85748#msg85748 except we have a single switch.

One of two problems is that the FTP proxy sometimes connects to the physical address of the firewall instead of the virtual address.

On a Windows laptop, connected to the internet and not connected to the intranet, I can create a file on the FTP server like this:
C:\>echo 123 | curl -T - --ftp-create-dirs --ftp-pasv -u ftpuser001:Password ftp://ftp.example.com/test-dir/test-file.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     6    0     0    0     6      0     29 --:--:-- --:--:-- --:--:--    29


And can list the file with:
C:\>curl --ftp-pasv -u ftpuser001:Password ftp://ftp.example.com/test-dir/
-rw-r--r--   1 ftpuser001 ftpusers        6 May 23 06:44 test-file.txt


Sometimes the listing works and sometimes it times out.

When it times out, I see this in the FTP server log:
2022-05-23 10:01:27,224 s2 proftpd[6317] s2.example.net (firewall.example.net[10.99.0.1]): SECURITY VIOLATION: Passive connection from foreign IP address 10.99.0.2 rejected (does not match client IP address 10.99.0.1).

The master firewall has the physical IP 10.99.0.2 and the virtual IP 10.99.0.1.
The FTP server (s2) has the physical address 10.99.0.102 plus some aliases. The aliases are for KDC, LDAP and a log host.

I've included the IP aliases for completeness, but I don't think they affect the source IP.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.99.0.102  netmask 255.255.255.0  broadcast 10.99.0.255
        ether ac:1f:6b:76:e7:2e  txqueuelen 1000  (Ethernet)
        RX packets 402772438  bytes 125251420679 (116.6 GiB)
        RX errors 0  dropped 0  overruns 779331  frame 0
        TX packets 384462758  bytes 191478460768 (178.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xdf200000-df27ffff 

eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.99.0.31  netmask 255.255.255.0  broadcast 10.99.0.255
        ether ac:1f:6b:76:e7:2e  txqueuelen 1000  (Ethernet)
        device memory 0xdf200000-df27ffff 

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.99.0.34  netmask 255.255.255.0  broadcast 10.99.0.255
        ether ac:1f:6b:76:e7:2e  txqueuelen 1000  (Ethernet)
        device memory 0xdf200000-df27ffff 

eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.99.0.250  netmask 255.255.255.0  broadcast 10.99.0.255
        ether ac:1f:6b:76:e7:2e  txqueuelen 1000  (Ethernet)
        device memory 0xdf200000-df27ffff 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18713387  bytes 8392738213 (7.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18713387  bytes 8392738213 (7.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 78772655  bytes 43780025295 (40.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49179619  bytes 6922383213 (6.4 GiB)
        TX errors 0  dropped 27101 overruns 0  carrier 0  collisions 0


Hopefully someone knows how to solve this, TIA
-spider
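Added example (not code from the post or from the OPNsense project): a small Python checker over constructed proftpd log lines in the format quoted above. It separates violations where both addresses belong to the firewall (the CARP VIP versus the master's physical address, i.e. the proxy source-address mismatch described in this thread) from violations where the passive data connection really arrives from a third host, which is the case a defender would want to look at. The firewall address set is an assumption taken from the post.

```python
import re
from ipaddress import ip_address

# Constructed sample log lines in the proftpd format quoted in the post.
SAMPLE_LOG = """\
2022-05-23 10:01:27,224 s2 proftpd[6317] s2.example.net (firewall.example.net[10.99.0.1]): SECURITY VIOLATION: Passive connection from foreign IP address 10.99.0.2 rejected (does not match client IP address 10.99.0.1).
2022-05-23 10:05:11,001 s2 proftpd[6320] s2.example.net (firewall.example.net[10.99.0.1]): USER ftpuser001: Login successful.
2022-05-23 10:09:42,770 s2 proftpd[6325] s2.example.net (host.example.org[203.0.113.7]): SECURITY VIOLATION: Passive connection from foreign IP address 198.51.100.9 rejected (does not match client IP address 203.0.113.7).
"""

# Matches the "SECURITY VIOLATION: Passive connection from foreign IP" line.
VIOLATION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<client_name>[^\[]+)\[(?P<client_ip>[^\]]+)\]\): "
    r"SECURITY VIOLATION: Passive connection from foreign IP address "
    r"(?P<data_ip>\S+) rejected \(does not match client IP address (?P<ctrl_ip>[^)]+)\)"
)

# Assumed from the post: the CARP VIP (10.99.0.1) and the master node's
# physical address (10.99.0.2). A control/data pair drawn entirely from this
# set is the firewall talking to the server with two of its own addresses,
# not a data connection from some unrelated host.
FIREWALL_ADDRS = {ip_address("10.99.0.1"), ip_address("10.99.0.2")}


def classify_violations(log_text, firewall_addrs=FIREWALL_ADDRS):
    """Return (timestamp, control_ip, data_ip, category) for each violation line."""
    findings = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if not m:
            continue  # not a passive-connection violation
        ctrl = ip_address(m["ctrl_ip"])
        data = ip_address(m["data_ip"])
        if ctrl in firewall_addrs and data in firewall_addrs:
            # VIP on the control channel, physical address on the data channel:
            # the proxy/NAT source-address mismatch this thread is about.
            category = "proxy-source-mismatch"
        else:
            # Data connection from a host other than the client: worth a look.
            category = "foreign-data-connection"
        findings.append((m["ts"], str(ctrl), str(data), category))
    return findings


if __name__ == "__main__":
    for finding in classify_violations(SAMPLE_LOG):
        print(*finding)
```

Feeding the real proftpd log through `classify_violations` and grepping for anything other than `proxy-source-mismatch` gives a quick way to confirm that the rejections are all the firewall's own addresses and not a third party.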