FTP problem since RC3 –> RC3e and now also 1.0 RELEASE

msatter · Oct 17, 2006, 12:18 PM

??? ??? ??? ??? ???The mentioned work arround worked one time and then it stopped working ??? ??? ??? ??? ???

I am going back to RC2 again for the second time till this problem is resolved.

Greetings, Marcel

hoba · Oct 17, 2006, 1:08 PM

The workaround works fine, even after more than 1 day now at my office setup (dual wan setup utilizing policybasedrouting and a loadbalance anything rule at the bottom with 2 internal subnets, LAN and DMZ). I can use ftp in active and passive mode to different servers. I just checked and verified this once again. After applying the workaround reset states just to make sure. Also move the rule to the very top of your rules on each interface where you need it (usually internal interfaces).

sullrich · Oct 17, 2006, 2:23 PM

@msatter:

??? ??? ??? ??? ???The mentioned work arround worked one time and then it stopped working ??? ??? ??? ??? ???

I am going back to RC2 again for the second time till this problem is resolved.

Greetings, Marcel

The problem IS solved, you really need to listed to hoba!

msatter · Oct 17, 2006, 3:26 PM

Course I am listening to Hoba and I tried it two times and it just won't "budge". When I am looking at the status no UDP is showing up internal and external there is UDP connection on FTP when I connect to a external FTP.

I am using aliasses for the source and the ports in the rules (ports 20 and 21) to reach my internal FTP server. I even removed all my loadbalancing and also in the rules.

I don't have a loadbalance anything rule only the build in block anything rule at the end you don't see in the list only in the comment underneath.

I am now on RC2 on a USB stick and my HDD contains 1.0 release so I can experiment with different setting after boot-up from stick or HDD.

I don't know what is going wrong and I put all the lines in place as suggested however no result after it worked for one time.

Greetings, Marcel

edit: I can HTTP the server, I can SSH the server, I have a connect FTP to the server however no LIST-ing of the files

rsw686 · Oct 17, 2006, 6:04 PM

I had problems with FTP before RC3, however with the 1.0-RELEASE it works great. Start over from scratch. Add the FTP rule and make sure you uncheck disable FTP helper on the WAN interface. It will just work.

hoba · Oct 17, 2006, 7:08 PM

@msatter:

I am using aliasses for the source and the ports in the rules (ports 20 and 21) to reach my internal FTP server. I even removed all my loadbalancing and also in the rules.

ftp happens on more than these 2 ports. In case you have a restrictive ruleset you need to allow connections to the ftphelper to open additionally needed ports.

msatter · Oct 19, 2006, 2:27 PM

!!!!!!!!WORKARROUND!!!!!!!!!!!

Finally solved after skipping RC3 and almost REL 1.0 I found the trouble maker and now I can connect!!!!!!

It was in Ticket 15066 / 15067 I now deactivated the block all to DMZ (the other subnet) rule on the the LAN (sorry, I am really restrictive in my rules).

I can now proceed with implementing the firewall because this "not working as expected" part of the pfSense firewall drove me almost nuts because Hoba and Sullrich kept telling me that it should work as expected.

One happy pfSense user, Marcel

Check-in Number: 15067
Date: 2006-Oct-17 17:28:17 (local)
2006-Oct-17 21:28:17 (UTC)
User: sullrich
Branch:
Comment: Woops, we need the ftp anchor BEFORE the user rules, and the inital PASS rules AFTER.

This controls the initial port 21 connetion and once that is allowed through the ftp rules installed by pftpx should bypass USER_RULES.
Tickets:
Inspections:
Files:
pfSense/etc/inc/filter.inc 1.922 -> 1.923 4 inserted, 3 deleted

sullrich · Oct 19, 2006, 7:03 PM

This bug has been fixed. A new release will be forthcoming in the next couple weeks.

techatdd · Oct 26, 2006, 11:08 PM

@hoba:

The workaround works fine, even after more than 1 day now at my office setup (dual wan setup utilizing policybasedrouting and a loadbalance anything rule at the bottom with 2 internal subnets, LAN and DMZ). I can use ftp in active and passive mode to different servers. I just checked and verified this once again. After applying the workaround reset states just to make sure. Also move the rule to the very top of your rules on each interface where you need it (usually internal interfaces).

Really strange,
I have also a dual WAN config with standart gateway for most things (except port 80) on opt1 and problems with external ftp servers.
I applied the workaround on http://cvstrac.pfsense.com/tktview?tn=1138,6 and now active ftp works as it should but with passive ftp I get no directory listing form external ftp server.
Is there an other workaround for this ;)
Greetings,
techatdd

Tomba · Nov 6, 2006, 5:39 PM

Hoba tx a lot. You made my day :D Couldn't understand why it wouldn't work after RC3…