FTP Hell
-
/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81
is what I added to the system section.
Remove that, reboot.
-
Removed that line, rebooted again.
$ ps -ef
PID TT STAT TIME COMMAND
562 v0 Is 0:00.02 login [pam] (login)
563 v0 I 0:00.01 -sh (sh)
564 v0 I+ 0:00.01 /bin/sh /etc/rc.initial
262 con- S 0:00.01 /usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0
263 con- I 0:00.00 logger -t pf -p local0.info
391 con- S 0:00.04 [choparp]
393 con- I 0:00.01 /bin/sh /usr/local/bin/runmsntp.sh /var/run/runmsnt
395 con- I 0:00.00 /usr/local/bin/msntp -v -r -P no -l /var/run/msntp.
397 con- I 0:00.00 logger -p daemon.info -i -t msntp
478 con- IN 0:00.02 /bin/sh /var/db/rrd/updaterrd.sh
553 con- SN 0:00.01 /usr/local/sbin/check_reload_status
No pftpx process now. I'm unclear on how I can set up CARP. It keeps insisting that I give it an address that exists on a real interface. The public IP doesn't exist on any real interfaces; that's the entire point of the firewall. If I give it the real internal address that does exist, I don't see how that will enable inbound traffic on the public IP to reach the internal IP.
See my quandary?
Maybe it's time to cut my losses and give up. How frustrating.
-
Not sure I understand this. What do you mean the public IP is not on the firewall? Is this a bridge?
-
When attempting to create the CARP virtual IP I get this error:
The following input errors were detected:
* Sorry, we could not locate an interface with a matching subnet for 64.62.xxx.xxx/32. Please add an ip in this subnet on a real interface.
This address doesn't exist on any "real interfaces" other than the WAN port of the firewall itself, and that is/was as a proxy ARP virtual address. I just read the CARP FAQ but haven't gained any clarity as a result.
-
Please supply the WAN addresses in question. The CARP IP needs to lie in the same subnet as the WAN IP.
-
Okay. The proxy ARP address is now CARP. I had to expand the subnet mask to encompass the whole subnet instead of just the specific host.
I applied, but the results are still the same. I don't see any pftpx process running.
My rules allow 20, 21 and 9000-9500 (for the passive ports). Any others needed?
-
It needs to be "21" only.
I am really not sure why you are using port 20.
-
Oh, I see what you're doing.
Remove all rules, all NAT rules.
Add your port forward for port 21 if you're not going to use 1:1.
If you plan on using 1:1 then you need to open up the range that the firewall is expecting. By far the easiest solution, however, is to port forward only port 21, TCP.
-
Okay. This is a BIG THANK YOU for the patience.
And a big YOU'RE WELCOME to the next person that comes along wanting FTP to work.
Scenario:
- You have public addresses on your WAN interface and private addresses on your LAN interface.
- You require NAT between interfaces
- You require inbound PASSIVE AND ACTIVE FTP connections to work.
Solution:
- Setup your WAN and LAN interfaces as normal.
- Create a Virtual IP Address for the IP you want assigned to your FTP server.
  - This is your EXTERNAL ADDRESS
  - You must choose CARP, not ProxyARP, as the type
  - You must use the subnet mask of your IP block, not /32 for the specific host as you can for ProxyARP types.
- Create a NAT Port Forward for port 21, forward from the external address you used for the CARP VIP, and tell it your INTERNAL FTP SERVER IP so that it can forward the port correctly.
- Allow it to create appropriate inbound rules, or go over to rules and create a rule on your WAN interface for PORT 21 to your INTERNAL FTP SERVER IP.
I had a terrible time getting this to work, but it DOES work if you hold your arms just right, and stand in the corner, and look at the computer through a mirror while you do the configuration. :)
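As an added check (not from this thread, pfSense or pftpx): once the CARP VIP and the port-21 forward are in place, what confirms the FTP helper is really doing its job is the address the server advertises in its PASV reply. This example parses 227 replies and flags the two failure modes the thread runs into: the internal 10.200.0.11 address leaking through because no pftpx process is proxying, and a data port outside the 9000-9500 passive range the rules allow. The sample replies, the function names and the stand-in public address 203.0.113.10 (a documentation address, not the poster's real 64.62.xxx.xxx) are constructed assumptions.

```python
import ipaddress
import re

# Host/port tuple in an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 space: one of these in a PASV reply means the helper did not rewrite the address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port octets out of range: %r" % reply)
    ip = ipaddress.ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4))  # raises on bad octets
    return str(ip), p1 * 256 + p2


def check_pasv(reply, public_ip, passive_range=(9000, 9500)):
    """Flag a leaked internal address and a data port outside the permitted passive range."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("private address %s leaked: the FTP helper (pftpx) is not rewriting PASV" % ip)
    elif ip != public_ip:
        problems.append("advertised %s, expected the CARP VIP %s" % (ip, public_ip))
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the allowed passive range %d-%d" % (port, lo, hi))
    return {"ip": ip, "port": port, "problems": problems}


# Constructed replies: 10.200.0.11 is the internal server from the thread; 203.0.113.10 is an
# assumed stand-in for the CARP VIP.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,200,0,11,35,40)",  # no helper: internal address leaks, port 9000
    "227 Entering Passive Mode (203,0,113,10,36,1)",  # helper working: VIP advertised, port 9217
    "227 Entering Passive Mode (203,0,113,10,4,1)",   # VIP ok, but port 1025 is outside 9000-9500
]


def audit(replies=SAMPLE_REPLIES, public_ip="203.0.113.10"):
    return [check_pasv(r, public_ip) for r in replies]


if __name__ == "__main__":
    for result in audit():
        print(result["ip"], result["port"], "; ".join(result["problems"]) or "ok")
```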
-
Thanks, I've added this:
http://faq.pfsense.org/index.php?sid=147209&lang=en&action=artikel&cat=1&id=178&artlang=en