Microsoft FTP.exe

charles.regan · Jan 11, 2006, 4:56 PM

I'm trying to connect to this ftp server via microsoft ftp.exe
I works fine using internet explorer. I don't think ftp.exe support passive mode.
What can I do to make it work ? Version 1.0beta / Loadbalancing outbound.

Here is the error:
220 Welcome to ftp.sunet.se
Connected to ftp.sunet.se.
User: anonymous
331 Any password will work
Password: ****
230 Any password will work
ftp> debug
Debugging On .
ftp> ls
–-> PORT 10,0,0,2,145,173
500 I won't open a connection to 10.0.0.2 (only to 142.217.134.xxx)
ftp>

sullrich · Jan 11, 2006, 7:33 PM

What version of pfSense? Always include this information when reporting problems.

charles.regan · Jan 11, 2006, 8:39 PM

Beta-1 (upgrade)

sullrich · Jan 11, 2006, 8:40 PM

Try a newer build from: http://www.pfsense.com/~sullrich/BETA2-BUGVALIDATION3/

charles.regan · Jan 13, 2006, 6:19 PM

Just installed new build. The problem is the same.

sullrich · Jan 13, 2006, 6:22 PM

Couple of things to check:

1. Make sure XP firewall is off
2. Make sure FTP helper is turned on for the interface in question.

Tested it with the same version:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\GeekGod.SULLRICH>ftp ftp.sunet.se
Connected to ftp.sunet.se.
220 Welcome to ftp.sunet.se
User (ftp.sunet.se:(none)): anonymous
331 Any password will work
Password:
230 Any password will work
ftp> debug
Debugging On .
ftp> ls
–-> PORT 10,0,250,69,4,115
200 PORT command successful
---> NLST
150 Connecting to port 55382
bin
dev
etc
lib
ls-lR
ls-lR.gz
pub
usr
226 8 matches total
ftp: 47 bytes received in 0.00Seconds 47000.00Kbytes/sec.
ftp>

charles.regan · Jan 13, 2006, 6:26 PM

FTP Helper:
On WAN or LAN ? or Both ?

sullrich · Jan 13, 2006, 6:27 PM

On my setup its enabled on LAN and WAN.

IE: the check boxes for it are not checked on each respective interface.

charles.regan · Jan 13, 2006, 6:28 PM

ok thanks

what about the RFC Workaround ? on or off ?

charles.regan · Jan 13, 2006, 7:00 PM

Just rebooted with FTP helper enabled on WAN OPT and LAN.
Now i can't access any FTP server with ftp.exe and iexplore.

My setup:
PRE-BETA2
Advanced Outbound NAT
Outbound loadbalancing

sullrich · Jan 13, 2006, 7:30 PM

Try it without outbound load balancing.

charles.regan · Jan 13, 2006, 8:07 PM

wow it works.

How can I make this works with loadbalancing.

sullrich · Jan 13, 2006, 8:03 PM

I know this is going to sound bad, but at the moment I really don't know.

I'll have to put some thought into how to work around this issue.

In the meantime, I wouldn't balance ftp, simply add a rule before your balancing rule and force it out your primary pipe.

charles.regan · Jan 13, 2006, 8:42 PM

ok it works with iexplore in passive mode. but with ftp.exe i have a different error now:

200 PORT command successful
425 Could not open data connection to port 61015: Connection timed out

charles.regan · Jan 14, 2006, 3:55 AM

Proto Source Port Destination Port Gateway Description
TCP/UDP LAN net * * 20 - 21 * FTP

If i put this rules before my loadbalancing rules in LAN , it doesn't work.
I need to completly disable loadbalancing for it to work with IE in passive mode.

If i disable outbound loadbalancing and permit any any on the wan interface it work with IE and ftp.exe!

What would be the rule to create in LAN to make it work with FTP.

State log:
tcp 127.0.0.1:8021 <- 142.217.134.xxx:21 <- 10.0.3.3:3677 CLOSED:SYN_SENT

charles.regan · Jan 14, 2006, 4:19 AM

Just found a workaround for this. not very secure…

Add this firewall rule in LAN
Proto Source Port Destination Port Gateway
* LAN net * 127.0.0.1 * *

Add this firewall rule in WAN
Proto Source Port Destination Port Gateway
* * * * * *

It works.
Firewall state shows:
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3887 FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3896 FIN_WAIT_2:FIN_WAIT_2
tcp 194.71.11.70:20 -> 194.71.11.70:65294 -> 10.0.3.3:3898 FIN_WAIT_2:FIN_WAIT_2
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3899 ESTABLISHED:ESTABLISHED
tcp 194.71.11.70:20 -> 194.71.11.70:62700 -> 10.0.3.3:3903 FIN_WAIT_2:FIN_WAIT_2

Without permit any any on WAN I have this in my state
tcp 127.0.0.1:8021 <- 194.71.11.70:21 <- 10.0.3.3:3871 ESTABLISHED:ESTABLISHED

And I have this error with ftp.exe
200 PORT command successful
425 Could not open data connection to port 58974: Connection timed out

sullrich · Jan 14, 2006, 7:33 PM

The LAN->Localhost rule is fine.

I would remove that WAN rule ASAP. Because if you permit all traffic from the internet in, then what is the point of having a firewall at all?

charles.regan · Jan 15, 2006, 3:53 PM

If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)

sullrich · Jan 15, 2006, 7:39 PM

@charles.regan:

If I remove the permit any any rule on WAN I can't connect using active ftp mode (ftp.exe)

Then you don't have a firewall! You're allowing all of the internet into you're device.

charles.regan · Jan 15, 2006, 10:35 PM

My question is What is the rule I should put to make active FTP working.