Netgate Discussion Forum

FTP Hell

General pfSense Questions
sullrich:

It should have started a pftpx process for that NAT redirect on port 21.
nexusone:

Still having problems.

I've now also tried this: http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo

Still no dice connecting from a browser in passive mode.

I don't see any running pftpx processes.

Using 1:1 NAT. Can someone help me? If I can't resolve this I need to find another platform and start getting it built.
sullrich:

Update to the latest testing snapshot in ~sullrich
nexusone:

Updated to the latest image from the 10th. I now see the following process running, which is an improvement.

407 con  I      0:00.00  sh -c /usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81

10.200.0.11 is the internal address of the FTP server. 1:1 NAT from public IP -> private IP.

Passive mode still fails. I can log in, but nothing else. The client either fails over to active mode or just errors out, depending on the client. Active mode works fine.

[11:45:29] SmartFTP v2.0.998.13
[11:45:29] Resolving host name "firefly.e-frontier.com"
[11:45:29] Connecting to 64.62.xxx.xxx Port: 21
[11:45:29] Connected to firefly.e-frontier.com.
[11:45:29] 220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [xxx]
[11:45:29] USER clwebmaster
[11:45:29] 331 Password required for xxx.
[11:45:29] PASS (hidden)
[11:45:30] 230 User xxx logged in.
[11:45:30] SYST
[11:45:30] 215 UNIX Type: L8
[11:45:30] Detected Server Type: UNIX
[11:45:30] FEAT
[11:45:30] 211-Features:
[11:45:30]  MDTM
[11:45:30]  REST STREAM
[11:45:30]  SIZE
[11:45:30] 211 End
[11:45:30] PWD
[11:45:30] 257 "/data/httpd/www.xxx.com" is current directory.
[11:45:30] TYPE A
[11:45:30] 200 Type set to A
[11:45:30] PASV
[11:45:30] 227 Entering Passive Mode (10,200,0,11,36,146).
[11:45:30] Opening data connection to 10.200.0.11 Port: 9362
[11:45:30] LIST -aL
[11:45:30] 0 bytes transferred. (0 bytes/s) (47 ms)
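The 227 reply in the log above advertises the server's private address (10.200.0.11), which is the symptom of nothing on the firewall rewriting passive-mode replies. As an added diagnostic example (not from the thread, and not pfSense or pftpx code), this Python checker parses PASV replies and flags that condition; the address 64.62.1.2 is a placeholder standing in for the masked 64.62.xxx.xxx in the log.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet; anything else is a malformed reply
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Classify a PASV reply seen by a client whose control connection goes
    to control_peer (a dotted-quad string).

    leaked-private: RFC 1918 address advertised, so nothing rewrote the reply
        on the way out; a data connection from the Internet cannot reach it.
    mismatch: public address that differs from the control peer.
    ok: advertised address matches the control-connection peer.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "unparseable", None
    ip, port = parsed
    if ipaddress.ip_address(ip).is_private:
        return "leaked-private", (ip, port)
    if ip != control_peer:
        return "mismatch", (ip, port)
    return "ok", (ip, port)


# Constructed samples: the reply from the thread's log, and the reply the
# client should see once the FTP helper rewrites it. PUBLIC_IP is a
# placeholder for the masked 64.62.xxx.xxx address in the thread.
PUBLIC_IP = "64.62.1.2"
BROKEN_REPLY = "227 Entering Passive Mode (10,200,0,11,36,146)."
FIXED_REPLY = "227 Entering Passive Mode (64,62,1,2,36,146)."

if __name__ == "__main__":
    for reply in (BROKEN_REPLY, FIXED_REPLY):
        print(reply, "->", diagnose_pasv(reply, PUBLIC_IP))
```

Run it against the 227 lines from any client log; a "leaked-private" result means the helper or 1:1 NAT is not touching the control channel, which is exactly what the "Opening data connection to 10.200.0.11" line shows.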
sullrich:

You are publishing an FTP service to the internet? If so you need to enable the FTP helper in Interfaces, WAN.
nexusone:

Oh, that was enabled long ago.

By enabled, you mean the box is unchecked on the WAN interface, right?
sullrich:

Yes. I don't see the pftpx process running for this case.

If you are using a VIP then you need to use a CARP type VIP instead of proxy ARP.
nexusone:

It's possible that that instance we see running is the result of my inserting that line into the config file as per the little howto I found that I mentioned in a previous post.

Not an option in my environment. If I understand it correctly, I would need to change my internal machine's interface config to actually have the external address bound to it in order to make CARP work.

What I'm curious about is why this is so difficult. Passing FTP with iptables, or any number of other firewalls, is no different than any other ruleset. Why is it such a big hassle with pfSense?

I appreciate all of your help and think what you're doing is great, I'm just looking for some understanding.
nexusone:

<shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>

is what I added to the <system> section.
sullrich:

Try out the CARP option. You won't be using it as a failover IP; it needs to have a real IP instead of proxy ARP so that pftpx can bind to it.

As you can imagine pfSense is not Linux / iptables. FTP has been the biggest pain in my ass and I really dislike it at this point, we'll just leave it at that.
sullrich:

@nexusone:

> <shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>
>
> is what I added to the <system> section.

Remove that, reboot.
nexusone:

Removed that line, rebooted again.

$ ps -ef
  PID  TT  STAT      TIME COMMAND
  562  v0  Is    0:00.02  login [pam] (login)
  563  v0  I      0:00.01  -sh (sh)
  564  v0  I+    0:00.01  /bin/sh /etc/rc.initial
  262 con- S      0:00.01  /usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0
  263 con- I      0:00.00  logger -t pf -p local0.info
  391 con- S      0:00.04  [choparp]
  393 con- I      0:00.01  /bin/sh /usr/local/bin/runmsntp.sh /var/run/runmsnt
  395 con- I      0:00.00  /usr/local/bin/msntp -v -r -P no -l /var/run/msntp.
  397 con- I      0:00.00  logger -p daemon.info -i -t msntp
  478 con- IN    0:00.02  /bin/sh /var/db/rrd/updaterrd.sh
  553 con- SN    0:00.01  /usr/local/sbin/check_reload_status

No pftpx process now. I'm unclear on how I can set up CARP. It keeps insisting that I give it an address that exists on a real interface. The public IP doesn't exist on any real interfaces; that's the entire point of the firewall. If I give it the real internal address that does exist, I don't see how that will enable inbound traffic on the public IP to reach the internal IP.

See my quandary?

Maybe it's time to cut my losses and give up. How frustrating.
sullrich:

Not sure I understand this. What do you mean the public IP is not on the firewall? Is this a bridge?
nexusone:

When attempting to create the CARP virtual IP I get this error:

The following input errors were detected:

* Sorry, we could not locate an interface with a matching subnet for 64.62.xxx.xxx/32. Please add an ip in this subnet on a real interface.

This address doesn't exist on any "real interfaces" other than the WAN port of the firewall itself, and that is/was as a proxy ARP virtual address. I just read the CARP FAQ but haven't gained any clarity as a result.
sullrich:

Please supply the WAN addresses in question. The CARP IP needs to lie in the same subnet as the WAN IP.
nexusone:

Okay. The proxy ARP address is now CARP. I had to expand the subnet mask to encompass the whole subnet instead of just the specific host.

I applied, but the results are still the same. I don't see any pftpx process running.

My rules allow 20, 21 and 9000-9500 (for the passive ports). Any others needed?
sullrich:

It needs to be "21" only.

I am really not sure why you are using port 20.
sullrich:

Oh, I see what you're doing.

Remove all rules, all NAT rules.

Add your port forward for port 21 if you're not going to use 1:1.

If you plan on using 1:1 then you need to open up the range that the firewall is expecting. The easiest solution by far, however, is to port forward only port 21, TCP.
nexusone:

Okay. This is a BIG THANK YOU for the patience.

And a big YOU'RE WELCOME to the next person that comes along wanting FTP to work.

Scenario:

• You have public addresses on your WAN interface and private addresses on your LAN interface.
• You require NAT between interfaces.
• You require inbound PASSIVE AND ACTIVE FTP connections to work.

Solution:

• Set up your WAN and LAN interfaces as normal.
• Create a Virtual IP address for the IP you want assigned to your FTP server.
  - This is your EXTERNAL ADDRESS.
  - You must choose CARP, not ProxyARP, as the type.
  - You must use the subnet mask of your IP block, not /32 for the specific host as you can for ProxyARP types.
• Create a NAT port forward for port 21, forward from the external address you used for the CARP VIP, and tell it your INTERNAL FTP SERVER IP so that it can forward the port correctly.
• Allow it to create the appropriate inbound rules, or go over to Rules and create a rule on your WAN interface for PORT 21 to your INTERNAL FTP SERVER IP.

I had a terrible time getting this to work, but it DOES work if you hold your arms just right, and stand in the corner, and look at the computer through a mirror while you do the configuration. :)
sullrich:

Thanks, I've added this:

http://faq.pfsense.org/index.php?sid=147209&lang=en&action=artikel&cat=1&id=178&artlang=en
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.