Monthly Archives: 九月 2011

未知 的大頭貼

Filezilla SFTP “Connection closed by server with exitcode 141″

by

Just a quick note, I was trying to connect to a remote server with SFTP using Filezilla. I use SSH key for authentication. But Filezilla threw me this error : “Connection closed by server with exitcode 141″.

I tried using the commandline sftp with -v , it said:

debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 3440, received 2568 bytes, in 0.1 seconds
Bytes per second: sent 50284.4, received 37537.9
debug1: Exit status -1

I found that it was my shell configuration which was causing the problem. I have some customized settings, every time I login, it beeps “MY_VARIABLE:  Undefined variable". The message causes SFTP to fail.

未知 的大頭貼

Running multiple instance of pflogd to log from different pflog interfaces

by

Recently I set up a bridging firewall. I read from the PF FAQ that we can log certain packets to different pflog virtual interfaces (pflogN). For example:

block log (to pflog0) on $ext_if all

It is possible to create multiple pflog interfaces with ifconfig and read it with tcpdump . The problem is that pflogd which reads from pflog interfaces and records it into logfiles can only record one pflog interface. (unless you start a pflogd instance manually and assign the interface to log without using the rc scripts, not quite elegant). I tried this setting in rc.conf but it doesn’t work:

pflog_flags="-i pflog0 -f /var/log/pf/ext_if.log -i pflog1 -f /var/log/pf/mgt_if.log"

The -i parameter specifies the interface to log from and the -f parameter specifies which file to log to.

After some hours of googling I finally seem to find a solution: http://www.freebsd.org/cgi/query-pr.cgi?pr=158171&cat=

Basically it just patches /etc/rc.d/pflogd so that the script can handle multiple pflogd instances.

There are some discussions in the mailing list saying that the patched script has some potential problem (syntax parsing, security, etc.). But as I tested, the main functionality does work, and I guess this is the best solution I can find.

I applied the patch to my pflogd script and the corresponding manpage (actually the patch utility throws me some errors that I don’t quite understand so I edit those files by hand). The ftp-proxy script seems to be another story so I didn’t look into it. (it has nothing to do with my problem)

Patch for /etc/rc.d/pflog: http://www.mediafire.com/file/2wn3r31hju5jfh3/pflog.patch

Modified /usr/share/man/man8/pflogd.8.gz: http://www.mediafire.com/file/2484bnc4msx6v42/pflogd.8.gz

And then the next problem for me is that, I don’t understand the manpage! After some guessing and trying and reading the script, I finally figured it out, below is part of my rc.conf:

pflog_enable="YES" # start pflogd(8)
pflog_instances="0 1"
pflog_0_dev="pflog0"
pflog_0_logfile="/var/log/pf/ext_if.log"
pflog_1_dev="pflog1"
pflog_1_logfile="/var/log/pf/mgt_if.log"

Next time you do # /etc/rc.d/pflog restart it’ll start logging 2 interfaces to 2 files!

Oh, I forgot to mention, I set this all up in FreeBSD 8.2.