ftp-proxy / bridge (basically working, but why?)
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: ftp-proxy / bridge (basically working, but why?)
- From: Philipp Buehler <lists_(_at_)_fips_(_dot_)_de>
- Date: Tue, 4 Jun 2002 01:19:35 +0200
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
- Reply-to: Philipp Buehler <lists_(_at_)_fips_(_dot_)_de>
Hello,
after hours of tcpdump and glancing at 'pfctl -vss', I was able
to get the following setup running:
sis0: internal, is bound to an ip address [lan uses !RFC1918 space]
sis2: external, no IP
Working setup:
rdr on sis0 from $lan to any port 21 -> $sis0 port 8081
pass in quick on sis0 inet proto tcp from any to $sis0 port > 49151 keep state
pass in quick on sis0 inet proto tcp from $lan to $sis0 port = 8081
[..pass all on sis2, block anything else ..]
ftp-proxy is bound to the IP of sis0 in inetd.conf
Not working is an rdr to 127.1, and this with some "strange" behaviour:
client from $lan tries to open a connection to an external ftpd, and
gets an *immediate* RST.
tcpdump shows that on sis2 (ftp-proxy bound to localhost) an RST packet
leaves with srcIP 127.0.0.1 and is then seen on sis0 with a srcIP
of the desired external ftpd.
This should come from the NAT lookups, where the entries are
generated by rdr.
ftp-proxy does such lookups, but one thing worrying me is: why isn't
the packet on sis2 already addressed with the srcIP of the external ftpd?
So probably pf is doing the actual translation while the packet is
passed from sis2 to sis0; relevant states can be seen while this happens.
Anyway, I am still investigating why it works with the ip bound to
sis0 and not with localhost.
Since time was short at the customer, I'll rebuild this setup here at home
and try to get some more detailed debugging.
I still think the reversing of src/dst IP while travelling between
bridge interfaces has some side-effects here, but at least pflog0 shows
nothing if block rules have 'log', the RST is generated by ftp-proxy,
for what reason ever.
"now it works, and I still don't know why" :-]
Any shade of light?
TIA,
PS: yes, bridging setups are weird and discouraged in my eyes, but
sometimes ..
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?
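For anyone rebuilding the "working setup" from the post, the rules and the inetd line assembled into one fragment. This is an added example, not configuration from the original message: the macro names, the 192.0.2.0/24 LAN prefix and the 192.0.2.1 address on sis0 are constructed placeholders (non-RFC1918, as the post requires), "block anything else" is rendered as a logged default deny on inbound traffic so drops show up on pflog0, and the rdr is written into the same file as the filter rules, which later pf releases accept; on the 3.1-era pf the post is running, the rdr line lives in the separate nat rules file.

```pf
# pf rules -- interface macros are assumed placeholders
ext_if = "sis2"            # external bridge member, carries no address
int_if = "sis0"            # internal bridge member, the only interface with an address
lan    = "192.0.2.0/24"    # constructed non-RFC1918 LAN prefix
int_ip = "192.0.2.1"       # constructed address on sis0; ftp-proxy listens here

# Send LAN clients' outgoing FTP control connections to ftp-proxy on the
# sis0 address (the variant the post reports working; 127.1 did not).
rdr on $int_if proto tcp from $lan to any port 21 -> $int_ip port 8081

# Logged default deny for inbound traffic, so nothing pf drops goes unseen.
block in log all

# Passive-mode data connections from the proxy land on high ports of sis0;
# the redirected control connection arrives on 8081.
pass in quick on $int_if inet proto tcp from any to $int_ip port > 49151 keep state
pass in quick on $int_if inet proto tcp from $lan to $int_ip port = 8081

# The post passes everything on the external side of the bridge.
pass in  quick on $ext_if all
pass out quick on $ext_if all

# /etc/inetd.conf -- ftp-proxy bound to the sis0 address, not to localhost
# 192.0.2.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
```

With the filter loaded, a client's FTP connection should show up in 'pfctl -vss' as a state pair on sis0 (client to ftpd port 21, translated to $int_ip port 8081), and nothing should appear on pflog0 for that client while the session is up; an immediate RST with a pflog0 that stays empty, as in the post, points at the proxy side rather than at a block rule.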