FTP for WordPress - How ?

dhenzler

@johnpoz
have new other problem...

Filter Reload -- what do I do ?

There were error(s) loading the rules: /tmp/rules.debug:22: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [22]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
@ 2022-04-25 15:37:59
There were error(s) loading the rules: /tmp/rules.debug:22: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [22]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
@ 2022-04-25 15:43:43
There were error(s) loading the rules: /tmp/rules.debug:22: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [22]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
@ 2022-04-25 15:45:18

johnpoz

@dhenzler that is related to table size - bump it up..

dhenzler

@johnpoz

Will resume the FTP issues later...
just did it... we'll see. Hopefully I don't have to do more

The error message I got was from a failed attempt to load ntopng from command line. It loaded, but didn't show up in Installed packages. Then got a error message:

Apr 25 12:42:04 php-fpm 56175 /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:17: cannot define table bogons: Cannot allocate memory - The line in question reads [17]: table <bogons> persist file "/etc/bogons"

Just got my pfSense up and running well yesterday. Thankfully a backup saved me I think... maybe some lefotvers in the database. Ugh !

SteveITS

@dhenzler How much RAM is installed, and used/free per the dashboard? Advice here from long ago for pfBlocker was to use a minimum of 2 million table entries, or double the default, whichever was higher. Though, note pfSense has a bug that "on this system the default size is" is whatever was saved in the field, so it's not really valid after it's been adjusted once.

johnpoz

@steveits said in FTP for WordPress - How ?:

is whatever was saved in the field, so it's not really valid after it's been adjusted once.

Yeah very true - 1.6mil sure isn't the default ;) Which is what mine shows. I had set that.

dhenzler

This post is deleted!

dhenzler

@steveits

Being cautious I ran freebsd-version first thinking an update meant for 13 would certainly cause havoc. It's 12.2
But no sooner was it up and running that I discovered I couldn't control it from within pfSense.
deleted the packages carefully
oh well ! live n learn

dhenzler

@steveits

I built my system on a DL360pGen8 with one e5-2650L & 16G memory. Four 73G drives in RAID6 yeilding a pair of 146G mirrored. I figured that things might get used up if I tried to start small. I have plenty of power and the system is just another DL380 in the rack...

SteveITS

@dhenzler 16 GB is plenty so it's very likely the table size limit per the above. If you still have issues you can go to Diagnostics/Tables and try to add up the counts of each table but you could also just increase the limit as shown. I suspect the limit is just meant to block a runaway process or crazy list usage from exhausting RAM.

dhenzler

@steveits

Got the system working again, but had to turn off pfBlockerNG It was working yesterday, but the episode with trying to load a version not on the list must have left some scars.

My system cannot get duckduckgo.com when it's operating. I've reviewed the Geo lists and tried disabling some of the countries in addition to disabling US and no good has come from those efforts. I have a previous save that was working and won't now. I suppose I could blow the whole thing off and start over. I might !

Frustrating.. !

dhenzler

@dhenzler

this works...

UPDATE PROCESS START [ v3.1.0_4 ] [ 04/25/22 23:24:42 ]

===[ DNSBL Process ]================================================

Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch... disabled
Loading DNSBL Whitelist... completed

[ StevenBlack_ADs ] exists.

===[ GeoIP Process ]============================================

[ pfB_Top_v4 ] exists. [ 04/25/22 23:24:44 ]
[ pfB_Top_v6 ] exists. [ 04/25/22 23:24:45 ]

===[ IPv4 Process ]=================================================

[ Abuse_Feodo_C2_v4 ] exists.
[ Abuse_SSLBL_v4 ] exists.
[ CINS_army_v4 ] exists.
[ ET_Block_v4 ] exists.
[ ET_Comp_v4 ] exists.
[ ISC_Block_v4 ] exists.
[ Spamhaus_Drop_v4 ] exists.
[ Spamhaus_eDrop_v4 ] exists.
[ Talos_BL_v4 ] exists.

===[ Aliastables / Rules ]==========================================

No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

UPDATE PROCESS ENDED

dhenzler

@dhenzler

Now -- Back to making some kind of FTP work on Wordpress for updating Plugins

I am not sending in to Wordpress, it requests info from The Great OZ on the Internet !

dhenzler

@dhenzler

More confused than ever...

Client Behind pfSense

FTPS, or encrypted FTP, is not affected. The proxy could not have affected its traffic before.

A client on a LAN or other internal interface behind a pfSense firewall will likely not notice any difference. Most clients, aside from the Microsoft command line FTP program, default to passive (PASV) FTP, where clients make outbound connections to servers.

Passive mode on the client will require access to random/high ports outbound, which could run afoul of a strict outbound ruleset. Environments with a security policy that requires strict outbound firewall rules likely would not be using FTP anyhow, as it transmits credentials without encryption.

Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead. Another option is the recently added FTP Client Proxy package which leverages in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.

Active mode FTP for a client that does not involve NAT (Client has a public IP address) should work so long as WAN rules pass the appropriate traffic back to the client. The client may have a configurable active port range to make that simpler.
Server Behind pfSense

FTPS, or encrypted FTP, is not affected. The proxy could not have affected its traffic before.

A server behind pfSense would work fine with active mode, there would be no difference here. In active mode the server would make outbound connections back to the client, so as long as the firewall rules on the interface containing the server allow outbound connections, it will work.

A server behind pfSense running in Passive mode will function but requires a few items to be configured:

Port forwards or 1:1 NAT to forward not only port 21, but also the passive port range in to the server

The passive port range must be configured on the server, corresponding to the range of ports forwarded in the previous step.

The server may also need to be configured to account for NAT. Some clients will ignore private addresses in passive responses so this may not be necessary.

Sample Configuration for vsftpd

In vsftpd.conf:

Do not allow the client to use PORT

port_enable=NO

Use the hostname in the PASV response (DNS must be setup and match!)

pasv_addr_resolve=YES

Enable Passive Mode

pasv_enable=YES

Set the passive port range (1000 ports)

pasv_min_port=20000
pasv_max_port=20999

dhenzler

@johnpoz

Client Behind pfSense

FTPS, or encrypted FTP, is not affected. The proxy could not have affected its traffic before.

A client on a LAN or other internal interface behind a pfSense firewall will likely not notice any difference. Most clients, aside from the Microsoft command line FTP program, default to passive (PASV) FTP, where clients make outbound connections to servers.

Passive mode on the client will require access to random/high ports outbound, which could run afoul of a strict outbound ruleset. Environments with a security policy that requires strict outbound firewall rules likely would not be using FTP anyhow, as it transmits credentials without encryption.

Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead. Another option is the recently added FTP Client Proxy package which leverages in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.

Active mode FTP for a client that does not involve NAT (Client has a public IP address) should work so long as WAN rules pass the appropriate traffic back to the client. The client may have a configurable active port range to make that simpler.
Server Behind pfSense

FTPS, or encrypted FTP, is not affected. The proxy could not have affected its traffic before.

A server behind pfSense would work fine with active mode, there would be no difference here. In active mode the server would make outbound connections back to the client, so as long as the firewall rules on the interface containing the server allow outbound connections, it will work.

A server behind pfSense running in Passive mode will function but requires a few items to be configured:

Port forwards or 1:1 NAT to forward not only port 21, but also the passive port range in to the server

The passive port range must be configured on the server, corresponding to the range of ports forwarded in the previous step.

The server may also need to be configured to account for NAT. Some clients will ignore private addresses in passive responses so this may not be necessary.

Sample Configuration for vsftpd

In vsftpd.conf:

Do not allow the client to use PORT

port_enable=NO

Use the hostname in the PASV response (DNS must be setup and match!)

pasv_addr_resolve=YES

Enable Passive Mode

pasv_enable=YES

Set the passive port range (1000 ports)

pasv_min_port=20000
pasv_max_port=20999

SteveITS

@dhenzler If this is for WordPress to install updates that’s the web server connecting to itself. Generally that’s used when the web server process doesn’t have access to write files. As in, server = localhost. No access from Internet required.

dhenzler

@steveits
untrue... the updates come from various providers who are only accessible via Internet. Obviously you don't use WordPress.

I get a response from the failed attempts... On my old firewall I had a Port Forwarded to WAN on port 21 inside and outside... once it hit the Internet it may have gone to some obscure upper port mapping. But that was the config.

I've tried NAT using TrueNAT
just ran through a bunch more trials and NADA !

johnpoz

@dhenzler so you want a client behind pfsense to talk to some ftp server out on the internet?

What would that have to do with port forwarding? Or this?

WAN-address to LAN single-address ?
WAN-network to LAN single-address ?

And would have nothing to do anything special on the nat, etc.

A client behind talking passive ftp to some server out on the internet would need no special rules at all. This would work out of the box with default any any rule..

A client behind pfsense wanting to talk active FTP would need the ftp helper/proxy setup.. Since pfsense would have to create the rule for the the data channel to be allowed in from the server. And you would not be able to use ftps, since pfsense would not be able to see the port command that has the port the client wants the ftp server to talk too, nor would it be able to correct the client IP to the public IP of pfsense..

And then you would have to configure the package for your use.. Which interfaces, etc..

SteveITS

@dhenzler said in FTP for WordPress - How ?:

Obviously you don't use WordPress

Well, we do host many WordPress sites in our data center for our clients...

https://wordpress.org/support/article/updating-wordpress/#automatic-background-updates
"Most sites are now able to automatically apply these updates in the background. If your site is capable of one-click updates without entering FTP credentials, then your site should be able to update ..."

and
https://wordpress.org/support/article/updating-wordpress/#file-ownership
"WordPress determines what method it will use to connect to the filesystem of your server based on the file ownership of your WordPress files. If the files are owned by the owner of the current process (i.e., the user under which the web server is running), and new files created by WordPress will also be owned by that user, WordPress will directly modify the files all by itself, without asking you for credentials.

WordPress won’t attempt to create the new files directly if they won’t have the correct ownership. Instead, you will be shown a dialog box asking for connection credentials. It is typical for the files to be owned by the FTP account that originally uploaded them. To perform the update, you just need to fill in the connection credentials for that FTP account."

What you seem to be pursuing is having the Internet connect to an FTP server behind your router, which is not necessary for WordPress to install WP or plugin updates, and should be avoided for security reasons because the Internet will immediately start password guessing.

In most WordPress web hosting scenarios nowadays the PHP process runs as the web site user which gives it permission to modify the files of that user, meaning the files of the web site. If not, WordPress prompts for FTP credentials so it can connect to that same web server (itself) and "upload" files.

johnpoz

@steveits said in FTP for WordPress - How ?:

WordPress prompts for FTP credentials so it can connect to that same web server (itself) and "upload" files.

If the server running wordpress is trying to ftp to itself.. That would have zero to do with pfsense port forwards or nat or ftp anything..

Unless your trying to access some fqdn that points to pfsense wan IP? Or your public IP directly on pfsense. But in that scenario your going to run into nat reflection issues, etc.

If your goal is for wordpress to ftp to itself. You should have it point to its actual local IP or 127.0.0.1 etc.. or some fqdn that resolves to its local IP..

FTP works just fine through pfsense, be it active or passive - but depending what your doing be talking to ftp server out on the public internet, or allowing clients from the internet into your server behind pfsense running ftp.. You have to understand how active and passive differ, and what your actually using.

I would be happy to help you - but you need to be clear on what your doing. Where is the client, where is the server, are you using active or passive. And if this really is some application on some server behind pfsense trying to talk to itself - that throws in some other variables for sure. Need to clearly understand what your doing to help you.

But at a loss to why wordpress would have to ftp to itself? That just seems insane to be honest..

SteveITS

@johnpoz said in FTP for WordPress - How ?:

at a loss to why wordpress would have to ftp to itself?

Take a look at the WP doc page I quoted above. WordPress by default tries to auto-update minor versions (5.6.2 to 5.6.3). It can also update plugins. To do so it needs to write to files on the web server. Looking at this from the hosting company's perspective, if PHP is running as that customer's account, then it can write files. This is normally how various PHP-as-CGI options work in the web site hosting settings.

If it's running as, say, an Apache module, it runs as a different account and can't write to anything in the customer account (because one wouldn't want PHP to be able to write to any account on the web server). WordPress can detect that and then prompts to connect to itself via FTP, presuming the customer can connect via FTP and upload files to their own web site. So it's basically a workaround to be able to allow it to update itself.