Netgate Discussion Forum

Filtering ftp behind pftpx

Firewalling
5 Posts 3 Posters 2.7k Views
  • vantage (last edited Apr 29, 2008, 3:07 PM; posted Apr 29, 2008, 2:44 PM)

    I have pftpx running without flags, started manually (running on the default port of 8021). It is a routed firewall, all public IPs on both sides. I am proxying FTP for several hundred Web/FTP servers.

    I have a RDR rule that amounts to this:

    " rdr on em1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021 "

    I have a filter rule:
    " pass in log quick on em1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state "

    FTP is working, but I have a few hundred ftp servers behind this setup. It works great, but I have yet to figure out a way to block FTP to one server and still allow it to the rest.

    Since the FTP connection is RDRed to 127.0.0.1 I don't have individual destinations to filter on, and filtering on the internal interface isn't working (I assume due to a state table entry or a pftpx anchor entry).

    Any thoughts? (AKA  "Please HELP")

    James

    • hoba (Apr 29, 2008, 8:40 PM)

      What do you mean by "started manually without flags"? This is not really supported and iirc we use ftpsesame for routed and bridged scenarios. I guess you could use a rdr rule from any to <ip of the blocked ftp server> instead of from any to any and send that to some nonexisting port and let the connection time out this way. This is not doable through the gui though but it looks like you already are playing around below the hood anyway ;)

      • vantage (last edited Jun 4, 2008, 1:50 PM; posted Jun 4, 2008, 12:53 PM)

        "This is not doable through the gui…" But it is pretty easily doable through the command entry window, or the command line.

        1.) Basically set up a NAT for ftp to 127.0.0.1 port 8021.

        2.) Then disable all ftp helper boxes on all interfaces.

        3.) Then start pftpx from the command line with no flags.

        4.) Profit

        I have been unable to get FTP working through the gui with a routed firewall. This was the only method I could get to work, and it works well, other than the destination address issue. The NAT rule thing is a good idea. That may solve my issue. Thanks.

        It would be nice if this functionality could be included in an update or new version (1.3??).

        • quesy (Jul 21, 2008, 9:34 PM)
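Putting the thread's pieces into one ruleset, as an added example that is not from the original posts and not pfSense's own generated rules: the catch-all rdr to pftpx and the pass rule are the two James posted (interface em1, port 8021 = ftp-proxy in /etc/services); the first per-server exception is hoba's "redirect it to a port nothing passes" idea, and the `no rdr` variant next to it is an alternative I am adding, not something the thread proposes. The addresses 192.0.2.50 and 192.0.2.51 and the unused port 8022 are placeholders.

```pf
# Added example, not from the thread. Assumed: blocked servers 192.0.2.50 and
# 192.0.2.51 (documentation addresses), 8022 as a port nothing listens on or
# passes, and a pfSense-style default "block in log all" at the end of the
# filter section.

# Anchors that pftpx (run with no flags) fills with per-session rules for the
# FTP data connections. pfSense's generated ruleset already emits these; they
# are listed so a hand-loaded ruleset does not leave them out.
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

# Translation rules are FIRST match: a per-server exception placed after the
# catch-all below never fires.

# Option A (hoba's suggestion): send the blocked server's FTP to a port that
# no filter rule passes. The SYN is translated to 127.0.0.1:8022, matches no
# "pass", hits the default deny and is dropped silently, so the client times
# out instead of getting a RST.
rdr on em1 proto tcp from any to 192.0.2.50 port ftp -> 127.0.0.1 port 8022

# Option B (added alternative): exempt the server from translation entirely.
# The filter stage then still sees the real destination and an ordinary block
# rule can match it and log the attempt.
no rdr on em1 proto tcp from any to 192.0.2.51 port ftp

# Catch-all from the thread: every other FTP control connection goes to pftpx.
rdr on em1 proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Filter section. Rules here see post-translation addresses, which is why a
# plain "block ... to 192.0.2.50 port ftp" does nothing for redirected flows.
anchor "pftpx/*"

# Option B's block rule: reachable only for flows the "no rdr" left
# untranslated.
block in log quick on em1 proto tcp from any to 192.0.2.51 port ftp

# The pass rule from the thread, letting redirected control connections
# reach pftpx. Redirected-to-8022 flows do not match it and fall through to
# the default deny.
pass in log quick on em1 proto tcp from any to 127.0.0.1 port ftp-proxy keep state
```

Load it with `pfctl -f <file>` and check the order actually in effect with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); after a test connection to a blocked host, `pfctl -ss` shows whether it got a state at all. Two caveats: the exception must stay above the catch-all rdr, and the pfSense web GUI rewrites the whole ruleset from config.xml on every apply, which is the "it resets my rdr rule" effect reported later in this thread, so a hand-loaded exception only survives if it is also entered as a NAT rule in the GUI.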

          I do the same as you are. One problem with this though: every time I apply something from the webgui it will reset my rdr rule. Any solution to this?

          • vantage (Dec 2, 2008, 4:29 AM)

            @hoba:

            "What do you mean by "started manually without flags"? This is not really supported and iirc we use ftpsesame for routed and bridged scenarios. I guess you could use a rdr rule from any to <ip of the blocked ftp server> instead of from any to any and send that to some nonexisting port and let the connection time out this way. This is not doable through the gui though but it looks like you already are playing around below the hood anyway ;)"

            Could you point to any docs on using ftpsesame on a routed pfSense instance without "fooling around under the hood"? I haven't been able to find any, but my search-fu might just be that weak. I started using pftpx to do this because it was the only way I found to not have to open high ports.

            As for getting the RDR rule to stick: I added it through the GUI, so it is in the config and it shouldn't just "go away". I am starting pftpx manually though. I tried to add the command to start it to the config file manually, but it is erased each time I make a config change. So manually it is for now.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.