Netgate Discussion Forum
    Pftpx for routed firewall applications

    vantage:


      Is anyone successfully using pftpx on a 1.0.1 or 1.2RC3 box in an environment with NO NAT to intelligently allow ftp through? I have a nearly full /24 of FTP servers all on public IP space. At the moment I have 21 and 1024:65535 open to these servers. But some of them have other services open on ports in the 1024:65535 range.

      I have found very little in the way of how-tos and man pages on doing this. The pftpx manpage makes this sound easy, but if it is easy, why is the functionality not included in pfSense?
      Am I just a shellcmd away from having this running? Or is this planned in an upcoming release? 1.3 maybe?

      Thoughts?

        vantage:

        OK,
        this was pretty easy. Here is how I did this on 1.0.1:

        1.) Disable ftp-helper on all interfaces.
        2.) Start pftpx with no flags (i.e. run "# pftpx"), or start it from the shell command window in the Diagnostics menu.
        3.) Create a redirect rule redirecting all TCP traffic to port 21 ("ftp" in the port dropdown) to 127.0.0.1 port 8021 (select the checkbox to auto-create the firewall rules).

        This took care of it. Now I can make connections to any ftp server that I have an "allow ftp" rule for. Both passive and active.
        Much cleaner than having to open a lot of high ports to allow passive.

        This would be a great option to add into 1.2 final. It is VERY simple to enable and could probably easily be set up as an option to the ftp helper setting that already exists.

          vantage:
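        As an added example (not from this thread or from pfSense itself), a small POSIX shell check for the setup in the three steps above and for the blanket 1024:65535 pass rule the first post describes. It reads pfctl(8) "-sn" / "-sr" style rule dumps and a ps(1) listing, here embedded as constructed samples so it runs offline; the interface name em0, the 203.0.113.0/24 range and the pftpx path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the pftpx setup described
# in the steps above. It reads pfctl(8) "-sn" / "-sr" style rule dumps and
# a ps(1) listing; the samples below are constructed so the script runs
# offline. On a live box pass in `pfctl -sn`, `pfctl -sr` and `ps ax`.

# Constructed `pfctl -sn` output: the rdr rule the GUI creates in step 3.
SAMPLE_RDR='rdr on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021'

# Constructed `pfctl -sr` output: the broad high-port pass rule the first
# post describes, which pftpx is meant to make unnecessary.
SAMPLE_RULES='pass in quick on em0 inet proto tcp from any to 203.0.113.0/24 port = ftp flags S/SA keep state
pass in quick on em0 inet proto tcp from any to 203.0.113.0/24 port 1024:65535 flags S/SA keep state'

# Constructed `ps ax` listing (pftpx path is an assumption).
SAMPLE_PS='  123  ??  Ss     0:01.00 /usr/local/sbin/pftpx
  456  ??  Is     0:00.10 /usr/sbin/syslogd'

# 0 if a tcp rdr of port 21 (printed as "ftp") to 127.0.0.1 port 8021,
# the address pftpx listens on by default, is present.
has_ftp_redirect() {
    printf '%s\n' "$1" |
        grep -E '^rdr .*proto tcp .*port = (21|ftp) -> 127\.0\.0\.1 port 8021' >/dev/null
}

# 0 if a pftpx process appears in the ps listing.
pftpx_running() {
    printf '%s\n' "$1" | grep -E '(^|/)pftpx( |$)' >/dev/null
}

# 0 if a pass rule still opens the whole 1024:65535 range; with pftpx
# in place such a rule only widens exposure of other services there.
has_wide_high_port_rule() {
    printf '%s\n' "$1" | grep -E '^pass .*port 1024:65535' >/dev/null
}

# Combined check: prints each finding, returns 0 only when the proxy is
# running, the redirect exists and no blanket high-port rule remains.
check_pftpx_setup() {
    rc=0
    has_ftp_redirect "$1" || { echo "missing: rdr port 21 -> 127.0.0.1:8021"; rc=1; }
    pftpx_running "$3"    || { echo "missing: pftpx process"; rc=1; }
    has_wide_high_port_rule "$2" && { echo "leftover: pass rule for 1024:65535"; rc=1; }
    return $rc
}
```

        Run it with `check_pftpx_setup "$(pfctl -sn)" "$(pfctl -sr)" "$(ps ax)"` on the box; the constructed samples above deliberately keep the leftover high-port rule, so the combined check reports it.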

          This has been working well for 2 days now. LOTS of connections going through it. (100s of thousands) 
          I think I am missing something. This is a fairly common need, but I haven't been able to find any other posts about people setting up this functionality.
          Why isn't this in the default install? Am I missing something here? Did I just break something badly that I will regret on Monday?

            regis:

            Huuuuuuuuuge thanks

            It's been a week now that I'm messing with pfSense in front of several FTP servers, and all connections were dropped. I have LAN and WAN bridged, no NAT (public addresses everywhere).

            Your setup works perfectly.

            Just a little question: how do you start pftpx on pfSense reboot?

              vantage:

              Regis,
              I added an RC script. I would prefer to add this into the config.xml file, but every time I save the config, the <shellcmd> I add gets overwritten. I can dig it up for you in the morning if that would help.

              I have had this up and running since the day I started this thread. I currently have over 20,000 concurrent FTP sessions going through it. It has been very stable. Pftpx is much nicer than ftp-proxy.

                regis:

                Thanks for your answer, Vantage.

                Yes, I would be interested in seeing how you manage the pftpx start.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.