mess-mate
November 9th, 2004, 17:44
Hi,
i've a strange problem:
can't ftp one or more files to my firewall/router/proxy from a local machine.
After say 5Mb the tranfert stops and the router/firewall/proxy must be restarted.
Strange is, i can ftp trough the router to an other local machine without any problem.
Is there any rule to set to autorise the box accepting files to store from the local machine ?
Thanks for your help in advance.
mess-mate

elmore
November 9th, 2004, 18:38
could you please post your ruleset.

mess-mate
November 9th, 2004, 19:25
Here it is:
# Network interfaces (Remember, if using PPPoE the ext. interface is tun0)
internal = "vr0"
external = "tun0"
lan = "xx.xx.xx.xx"
squid_box = "xx.xx.xx.xx" # same IP as router

unsafe = "tun0"

TRUST_IP="xx.xx.xx.xx"

# OPTIONS
set block-policy drop

# Services visible from the outside ? remove any you're not using
#services = "{ ssh, http, https, smtp, domain }"
services = "{ http, https, smtp }"

# The wireless interface is not allowed to send anything to the inside
# network. It can send anything out /except/ smtp since we don't
# want being used as a spam relay. Yes, this is paranoid. Better safe
# than sorry.

# You shouldn't need to change anything below this line
#############################################

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, \
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
255.255.255.255/32 }"

# All rules are "quick" so go strictly top to bottom

# Fix fragmented packets
scrub in all

# Create two packet queues: one for regular traffic, another for
# high priority: TCP ACKs and packets with ToS 'lowdelay'
altq on $external priq bandwidth 125Kb queue { highpri_q, default_q }
queue highpri_q priority 7
queue default_q priority 1 priq(default)
# altq not used yet !!!

# NAT

# nat: packets going out through dc0 with source addr $lan
# will get translated as coming from our external address. State is
# created for such packets, and incoming packets will be redirected to
# the internal address.
# NAT: we need a rule for the inside network

nat on $external from $lan to any -> $external

## for squid :
#no rdr on $internal from $squid_box to any port 80
rdr on $internal inet proto tcp from $lan to any port 80 -> $squid_box port 3128

##############################################

# Don't bug loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Don't bother the inside interface either
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any

# squid
pass in on $internal inet proto tcp from any to $squid_box port 3128 keep state
pass out on $external inet proto tcp from any to any port 80 keep state

# Autorise SSH and FTP from admin machine
pass in quick on $internal proto tcp from $TRUST_IP to any port 22 keep state
pass in quick on $internal proto tcp from $TRUST_IP to any port 21 keep state

##############################################
#
# First, we deal with bogus packets.
#

# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won't be able to examine the whole UDP/TCP header.

block in log quick on $unsafe inet proto icmp from any to any icmp-type redir

# Block any IP spoofing atempts. (Packets "from" non-routable
# addresses shouldn't be coming in from the outside).
#

block in quick on $external from $nonroutable to any

# Don't allow non-routable packets to leave our network
#

block out quick on $external from any to $nonroutable

############################################
#
# The normal filtering rules
#

# ICMP: allow incoming ping and traceroute only
#
block in quick on $unsafe inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }

#pass in quick on $unsafe inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }

block in log quick on $unsafe inet proto icmp from any to any

# TCP: Allow services (ssh, smtp, http and https incoming). Only match
# SYN packets, and allow the state table to handle the rest of the
# connection. ACKs and ToS "lowdelay" are given priority.
#

pass in quick on $external inet proto tcp from any to any port $services \
flags S/SA keep state queue (default_q, highpri_q)

# UDP: allow DNS since I run a public nameserver (remove if you don't!)
# I don't, use the one of my ISP
#pass in quick on $unsafe inet proto udp from any to any port domain

################

# Everyone is allowed to send UDP and ICMP out

pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

##################
# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don't have to only match SYN, but
# what the hell. It allows us to put those packets in the high
# priority queue.
#

pass out quick on $external inet proto tcp from any to any \
flags S/SA keep state queue (default_q, highpri_q)
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state


# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#

block return-rst in log quick on $unsafe inet proto tcp from any to any
block return-icmp in log quick on $unsafe inet proto udp from any to any
block in quick on $unsafe all

#
# End of file

That's it
mess-mate

bsdjunkie
November 9th, 2004, 21:08
# Autorise SSH and FTP from admin machine
pass in quick on $internal proto tcp from $TRUST_IP to any port 22 keep state
pass in quick on $internal proto tcp from $TRUST_IP to any port 21 keep state

Are you doing passive or active ftp? If active, you will need to add the following:

pass in on $internal proto tcp from $TRUST_IP to any port > 49151 keep state

You may also want to look into the ftp-proxy:

http://openbsd.org/faq/pf/ftp.html

Kernel_Killer
November 9th, 2004, 22:44
No port 20?

mess-mate
November 10th, 2004, 05:26
Thanks,
I'm doing passive ftp.
Let me clarify a bit more the situation:
I've to ftp (transfert files) TO the firewall/router/proxy (http) box locally ; Not to an external (internet) one. And FROM a loacl machine; say local-machine 192.168.12.15 to the firewall/router/proxy local bois 192.168.12.1.
I'v no problems to ftp to any outside (internet) one.
I supposed a SSH problem, that's the reason of this rules :
# Autorise SSH and FTP from admin machine
pass in quick on $internal proto tcp from $TRUST_IP to any port 22 keep state
pass in quick on $internal proto tcp from $TRUST_IP to any port 21 keep state

But the same situation remains. So that's not the raison of the problem.
mess-mate

bsdjunkie
November 10th, 2004, 11:12
After say 5Mb the tranfert stops and...

Does the filesystem your tranfering to contain enough disk space to hold over 5 meg? Im not sure why it would work and then die for no apparent reason...

mess-mate
November 11th, 2004, 04:57
Does the filesystem your tranfering to contain enough disk space to hold over 5 meg? Im not sure why it would work and then die for no apparent reason...
Yes there is more enough space available > 2G
I've tryed disabling PF and problem persist.
I've tryed disabling squid and problem persist.
I've tryed disabling ssh and problem persist.

Finally found the eroor message :
"No route to host"
This is the message AFTER the file transfert freezes.
And any other local machine can't connect anywhere.
This means, the router-box (openbsd) is out of routing anything.
mess-mate

bsdjunkie
November 11th, 2004, 09:59
hmm, strange... I guess the first thing I would check next is to swap out your cables with a some new ones. Maybe they are a little flaky.

mess-mate
November 11th, 2004, 11:51
Changed the cables (C5) without success.
Problem remains.

mess-mate
November 13th, 2004, 17:51
I reply to myself:
I've inversed the nic's so vr0 points to the modem and rl0 to the lan.
Don't ask me why it's solved .. i don't know.
There are no more errors and freezing but to mutch collisions remains.
What can i do to reduce the collisions ?
mess-mate