ftpd server


ftpd server

fqui nonez
Hello

I have an ftpd server box, OBSD-4.9, and pflog shows:

Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0:
190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win
65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0:
190.87.195.241.3190 > 192.168.5.2.21: S 409025537:409025537(0) win
65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win
17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win
17424 [tos 0x10]
Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21
> 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]

pf rules are:

set skip on lo
block in log all
block out log all
pass out log quick on rl0
pass in log quick on rl0 proto tcp from any to port {20 21 22}
antispoof quick log for rl0
pass # to establish keep-state

It looks to me that somebody sends code over port 21, then ftpd
responds over port 21, and pf stops sftp!
I have seen that the normal behaviour of ftpd is logged on random ports,
as an effect of ftp_proxy.

Is something weird happening here?

Thanks so much.
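Added example, not from the thread: a Python triage script for pflog lines like those above. It pairs each blocked outbound packet with the passed inbound SYN of the same flow, resolves the rule number against the poster's ruleset (assuming pflog numbers rules from 0 with the `set` line excluded), and reports how long after the SYN the blocks began, what the server tried to send and how much the client had sent; the sample lines are re-joined copies of the first flow above, and the year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one of the two flows quoted in the thread, lines re-joined.
SAMPLE_PFLOG = """\
Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 > 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 <mss 1452,nop,nop,sackOK>
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 > 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
"""
# The poster's rules in pf.conf order. pflog numbers rules from 0 and "set skip"
# is not a rule, so "rule 1" is "block out log all" and "rule 3" the pass in.
SAMPLE_RULESET = ["block in log all", "block out log all", "pass out log quick on rl0",
                  "pass in log quick on rl0 proto tcp from any to port {20 21 22}"]

LINE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d+) (?P<time>[\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on \w+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\((?P<len>\d+)\)(?: ack (?P<ack>\d+))?")

def parse_pflog(text, year=2011):
    """Parse tcpdump-style pflog lines into dicts; the log carries no year."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}",
                                    "%Y %b %d %H:%M:%S.%f")
        for k in ("rule", "sport", "dport", "seq", "len"):
            d[k] = int(d[k])
        d["ack"] = int(d["ack"]) if d["ack"] else None
        pkts.append(d)
    return pkts

def analyse(text, ruleset, year=2011):
    """Per flow (client ip, client port, server ip, server port): when the SYN
    passed, which rule blocked the server's replies, timing and byte counts."""
    flows = defaultdict(lambda: {"syn_at": None, "blocked": 0, "rule": None,
                                 "payload_bytes": 0, "client_bytes_acked": None,
                                 "first_block_delta_s": None, "ends_with_rst": False})
    for p in parse_pflog(text, year):
        client_first = p["dir"] == "in"  # inbound: src is the remote client
        f = flows[(p["src"], p["sport"], p["dst"], p["dport"]) if client_first
                  else (p["dst"], p["dport"], p["src"], p["sport"])]
        if client_first and p["action"] == "pass" and "S" in p["flags"]:
            f["syn_at"], f["client_isn"] = p["ts"], p["seq"]
        elif p["action"] == "block" and not client_first:
            f["blocked"] += 1
            f["rule"] = ruleset[p["rule"]] if p["rule"] < len(ruleset) else None
            f["ends_with_rst"] = "R" in p["flags"]
            if f["first_block_delta_s"] is None and f["syn_at"] is not None:
                f["first_block_delta_s"] = (p["ts"] - f["syn_at"]).total_seconds()
                f["payload_bytes"] = p["len"]
                # tcpdump prints absolute numbers on the first packet of a
                # direction: client bytes = ack - client ISN - 1 (the SYN itself)
                if p["ack"] is not None:
                    f["client_bytes_acked"] = p["ack"] - f["client_isn"] - 1
    return dict(flows)

if __name__ == "__main__":
    for key, f in analyse(SAMPLE_PFLOG, SAMPLE_RULESET).items():
        print(key, f)
```

For that flow the blocks begin about 997 s after the SYN, the server payload is 56 bytes and the client had sent 113 bytes, the profile of a server closing an idle control connection rather than of anything being sent to it; 56 bytes is also the length of ftpd's default idle-timeout reply "421 Timeout (900 seconds): closing control connection." plus CRLF, an inference the thread itself does not make.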


Re: ftpd server

matteo filippetto
2011/8/31 fqui nonez <[hidden email]>:

Hi,

please read how the FTP protocol works and which ports should be enabled in/out
from your server

http://slacksite.com/other/ftp.html
http://www.freesoft.org/CIE/Topics/69.htm

Regards

--
Matteo Filippetto
http://www.op83.eu


Re: ftpd server

Richard Toohey
On 31/08/2011, at 7:16 PM, matteo filippetto wrote:

You may also find this useful:

http://home.nuug.no/~peter/pf/en/ftpproblem.html


Re: ftpd server

Wesley MOUEDINE ASSABY
In reply to this post by fqui nonez
Hi,

You will find your solution here: http://www.openbsd.org/faq/pf/ftp.html

Best regards,

Wesley MOUEDINE ASSABY
http://mouedine.net/ruleset49.aspx

On Tue, 30 Aug 2011 23:38:41 -0700, fqui nonez <[hidden email]>
wrote:


Re: ftpd server

Bryan Irvine
In reply to this post by fqui nonez
On Tue, Aug 30, 2011 at 11:38 PM, fqui nonez <[hidden email]> wrote:

The FTP protocol itself is weird.

Most (all?) modern FTP clients now include SFTP/SCP.  I convinced a
client to switch to that a few years ago, and their customers are
still using it to this day (chrooted with no login shell of course).
If you must use FTP you are always going to have problems firewalling
and troubleshooting whether someone's client is set to active/passive,
or whether they're also behind a firewall.  Just make the switch and
wash your hands of that protocol.  :-)

-Bryan


Re: ftpd server

fqui nonez
2011/9/1 Bryan Irvine <[hidden email]>:

> On Tue, Aug 30, 2011 at 11:38 PM, fqui nonez <[hidden email]> wrote:
>>
>> It look for me, that somebody send code over port 21, then ftpd

Thanks to all for the answers.
This is a typo; it should say "ftpd"; it is only anonymous access.

>> respond over port 21, and pf stops sftp! <------------- ftpd here
It seems that ftpd should not respond over port 21, because ftp-proxy
is in charge of the connection.

>> I have seen that normal behaviour of ftpd is logged on random ports;
>> as effect of ftp_proxy.
>>
>> Is it happening something weird here?
>
> The FTP protocol itself is weird.
>
> Most (all?) modern FTP clients now include SFTP/SCP.  I convinced a
> client to switch to that a few years ago, and their customers are
> still using it to this day (chrooted with no login shell of course).
> If you must use FTP you are always going to have problems firewalling
> and troubleshooting whether someones client is set to active/passive,
> or whether they're also behind a firewall.  Just make the switch and
> wash your hands of that protocol.  :-)
>
> -Bryan
>

Yes Bryan, except that this server has been working correctly for a
long time, and accepts only anonymous connections.