Problem with ftp-proxy
Rainer Duffner
rainer at ultra-secure.de
Tue Jun 18 11:15:04 UTC 2013
Hi,
I use ftp-proxy, together with the patch that starts multiple instances:
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/158171
I use it in combination with pure-ftpd on the backend server.
on the proxy:
1434 ?? Ss 0:17.06 /usr/sbin/ftp-proxy -vv -b 127.0.0.2 -R 192.168.91.42
92144 ?? Ss 0:00.06 /usr/sbin/ftp-proxy -vv -b 127.0.0.1 -R 192.168.91.41
Originally, the proxy was on FreeBSD 8.3.
A while ago, I updated it to FreeBSD 9.1.
Now, the customer, who hadn't logged in for a while, complained that
while they could still log in, it was not possible to view the contents of
directories or transfer files.
I have the following pf.conf:
ext_if="em0"
int_if="em1"
backend_ip="10.10.113.70"
ftp_host_prod="192.168.91.41"
ftp_host_test="192.168.91.42"
proxyip_prod="127.0.0.1"
proxyip_test="127.0.0.2"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# didn't have the above line previously, but it does not make a difference
rdr pass log proto tcp from any to EXT_IP_PROD port ftp -> $proxyip_prod port 8021
rdr pass log proto tcp from any to EXT_IP_TEST port ftp -> $proxyip_test port 8021
anchor "ftp-proxy/*"
pass out log proto tcp from $backend_ip to $ftp_host_prod port 21
pass out log proto tcp from $backend_ip to $ftp_host_test port 21
I tried switching pure-ftpd on the backend server to FreeBSD's ftpd,
but that didn't change anything.
There are additional firewalls both in front of the proxy and in front
of the backend server, but they don't log any denied traffic.
Neither does pf.
When I connect to EXT_IP_PROD on the proxy itself and try to list
files, it takes a while before a timeout occurs, and then, on the second
try, it actually works.