Netgate Discussion Forum

PFsense not playing nicely with SFTP (Edit) FTP over SSL

    doc_holiday
    last edited by Feb 16, 2007, 9:19 PM Feb 14, 2007, 5:36 PM

    I am using the SmartFTP client to connect to my web host via SSL Explicit.  I'm doing this from within my LAN using NAT.  Somehow though, NAT is not playing nicely with the exchange of keys…

    [17:29:05] SmartFTP v2.0.1002.0
    [17:29:05] Resolving host name "ftp.foobar.org"
    [17:29:05] Connecting to 70.84.000.000 Port: 21
    [17:29:05] Connected to ftp.foobar.org.
    [17:29:05] 220---------- Welcome to Pure-FTPd [TLS] ----------
    [17:29:05] 220-You are user number 1 of 50 allowed.
    [17:29:05] 220-Local time is now 11:29. Server port: 21.
    [17:29:05] 220-This is a private system - No anonymous login
    [17:29:05] 220 You will be disconnected after 15 minutes of inactivity.
    [17:29:05] AUTH TLS
    [17:29:05] 234 AUTH TLS OK.
    [17:29:05] Connected. Exchanging encryption keys…

    It hangs there and I get a tonne of entries in the firewall log of the server trying to exchange the keys with me.  Do I need to open up a port for this?  In my understanding, NAT was supposed to open up the necessary things for SSL so you didn't have to massage it.  I might be mistaken, hence my post. (regular FTP works just fine)

      sullrich
      last edited by Feb 14, 2007, 10:15 PM

      http://faq.pfsense.com/index.php?action=artikel&cat=1&id=164&artlang=en&highlight=winscp

        doc_holiday
        last edited by Feb 15, 2007, 9:34 AM

        @sullrich:

        http://faq.pfsense.com/index.php?action=artikel&cat=1&id=164&artlang=en&highlight=winscp

        Thanks.  That doesn't work.  I am using the base install and I might try updating to the latest build.

          JeGr LAYER 8 Moderator
          last edited by Feb 15, 2007, 10:00 AM

          As I read your log above, you're talking about FTPS, not SFTP, right? First is FTP over SSL (or TLS) but at the end "normal FTP", second is Secure-FTP via SSH. Very different from each other, so what kind of FTP are you trying to use? looks bit confused

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
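The FTPS-versus-SFTP distinction drawn in the post above, as an added example that is not part of any forum post: a small Python classifier that reads a client transcript and reports which protocol is in use and the last stage the session reached. The function name, stage labels and the SSH sample are assumptions; the FTPS sample is shortened from the log in the opening post.

```python
import re

# Constructed transcripts: FTPS_LOG mirrors the SmartFTP log in the opening
# post (shortened); SFTP_LOG is a made-up SSH session for comparison.
FTPS_LOG = """\
[17:29:05] Connecting to 70.84.000.000 Port: 21
[17:29:05] 220-This is a private system - No anonymous login
[17:29:05] 220 You will be disconnected after 15 minutes of inactivity.
[17:29:05] AUTH TLS
[17:29:05] 234 AUTH TLS OK.
[17:29:05] Connected. Exchanging encryption keys...
"""
SFTP_LOG = """\
[09:00:00] Connecting to 192.0.2.10 Port: 22
[09:00:00] SSH-2.0-ExampleServer_1.0
"""

TIMESTAMP = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*")
REPLY = re.compile(r"^(\d{3})[ -]")  # FTP reply code, final or continuation


def classify(transcript):
    """Return (protocol, last_stage_reached) for a client-side transcript."""
    protocol, stage, auth_sent = "unknown", "connect", False
    for raw in transcript.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if line.startswith("SSH-"):           # SSH identification string
            return "SFTP/SCP over SSH", "ssh-banner"
        reply = REPLY.match(line)
        if line.upper().startswith(("AUTH TLS", "AUTH SSL")):
            auth_sent = True                  # client asks to upgrade port 21
        elif reply and reply.group(1) == "220" and protocol == "unknown":
            protocol, stage = "FTP", "greeting"
        elif reply and reply.group(1) == "234" and auth_sent:
            protocol, stage = "FTPS (explicit)", "tls-handshake"
        elif reply and reply.group(1) in ("331", "230"):
            stage = "login"                   # control channel got past any TLS setup
    return protocol, stage


if __name__ == "__main__":
    print(classify(FTPS_LOG))
    print(classify(SFTP_LOG))
```

On the opening post's log this reports explicit FTPS that stopped at the TLS handshake on the control connection, before any login reply was seen.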

            doc_holiday
            last edited by Feb 16, 2007, 5:14 PM

            @Grey:

            As I read your log above, you're talking about FTPS, not SFTP, right? First is FTP over SSL (or TLS) but at the end "normal FTP", second is Secure-FTP via SSH. Very different from each other, so what kind of FTP are you trying to use? looks bit confused

            Yes, sorry, it is FTP over SSL.

              JeGr LAYER 8 Moderator
              last edited by Feb 19, 2007, 6:32 AM

              No need to blush, just wanted to straighten that out since Scott's response seemed to tend towards SCP (or SFTP) instead of FTP with SSL.
              Are you using the FTP helper on the LAN IF? And do you see anything in the firewall logs while connecting? I currently have no remote host playing with FTPS so can't try it out myself.

              Greets
              Grey


                doc_holiday
                last edited by Feb 19, 2007, 8:44 PM

                @Grey:

                No need to blush, just wanted to straighten that out since Scott's response seemed to tend towards SCP (or SFTP) instead of FTP with SSL.
                Are you using the FTP helper on the LAN IF? And do you see anything in the firewall logs while connecting? I currently have no remote host playing with FTPS so can't try it out myself.

                Greets
                Grey

                I have tried this both with and without the FTP helper.  I can't see anything in the logs which will help me diagnose the problem either!

                  Justinw
                  last edited by Feb 27, 2007, 11:25 PM

                  You probably already know this, but anything SSL over a load-balanced connection gets messed up unless you tell all SSL protocols to route out only 1 of the interfaces.  Just FYI if you are load balancing.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.