ftp-proxy no more data connections after upgrade

Started by Andreas_, October 25, 2024, 11:54:15 AM

After upgrading a firewall from 24.1.x to 24.7.7, ftp-proxy doesn't work anymore. Analyzing traffic with tcpdump on both the LAN and WAN interfaces:

- in PASV mode, the client sends SYN packets to the port as returned from ftp-proxy, but there's no traffic to the upstream ftp server.
- in active mode, the server sends SYN packets to the port as presented by the PORT command that ftp-proxy issued upstream, but won't forward any traffic to the client.

I have logging enabled on both the client-to-ftp-proxy redirect on port 21 and the client-to-server traffic for the data connection; both log as "pass" when issuing the client data command.

I checked against that FTP server with another client/firewall (different site, a lot simpler firewall setup), also on 24.7.7, which works correctly there.

From the ftp-proxy man page, I'd expect to see something with pfctl -a ftp-proxy -s rules, but there's nothing while the data connection is stuck.

I'm out of clues now, anybody with an idea?

Regards,
Andreas

I just saw that there actually IS traffic to the upstream ftp server in PASV mode, and the setup works again after I corrected the ftp-proxy source address to use the outbound NAT interface address as well.

Case closed.
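A diagnostic for the symptom in this thread, added here as an example and not code from the original posts or from ftp-proxy: it parses the data-channel endpoints advertised in 227 (PASV) replies and PORT commands and flags any whose address differs from the address the peer actually reaches (the proxy's LAN address towards the client, the outbound NAT address towards the upstream server). The sample lines and addresses are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed control-channel lines as a client behind the proxy might see them
# (not captures from the thread). The first advertises a hypothetical proxy LAN
# address, the second a hypothetical upstream address leaking through.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,1,195,80).",
    "227 Entering Passive Mode (203,0,113,10,4,1).",
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)


def parse_endpoint(line):
    """Return (ip, port) from a 227 reply or a PORT command, or None otherwise."""
    m = PASV_RE.search(line) if line.startswith("227") else PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range: " + line)
    # FTP encodes the port as two bytes: high * 256 + low.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_endpoint(line, expected_ip):
    """Compare the advertised data address with the address the peer really
    talks to. A mismatch is the classic cause of data connections that never
    get established (SYNs to an address nothing answers on)."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    return {"ip": ip, "port": port,
            "matches": IPv4Address(ip) == IPv4Address(expected_ip)}


def audit(lines, expected_ip):
    """Return the advertised endpoints that do not match expected_ip."""
    results = (check_endpoint(l, expected_ip) for l in lines)
    return [r for r in results if r is not None and not r["matches"]]


if __name__ == "__main__":
    for bad in audit(SAMPLE_REPLIES, "192.168.1.1"):
        print("mismatch:", bad)
```

Run it against lines captured with tcpdump on the LAN side with the proxy's LAN address, and on the WAN side with the outbound NAT address, to see which leg advertises the wrong endpoint.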