FTP Filtering and FTP Helper (pftpx)
-
Hello all.
Got a bit of an issue.
I am running a number of FTP servers behind a 1.2-stable box.
Routed with no NAT.
Running FTP Helper (pftpx) and NATing all incoming port 21 traffic to it.The issue I am having is that, as the NAT is happening prior to the filtering, I cannot block traffic to one specific FTP server as all ftp destinations appear as localhost due to the NAT rules.
When I attempt to block the traffic going out over the LAN interface to the FTP server it is not filtering the traffic.
How can I block based on destination address while running FTP Helper.
-
If you can specify a passive port range on your ftp-server you could solve it without using the ftp-helper.
http://forum.pfsense.org/index.php/topic,7001.0.html -
Thank you for the reply,
The issue is that the servers :
A) Arent Mine. We host them for customers
and
B) Have services often running on high ports, so I need to be able to filter the high ports and still keep ftp reliable.I could open a range, But it would be less than elegant.
pftpx has been working great in this environment since 1.2rc1 with thousands of concurrent FTP sessions. This filtering issue is just now biting me….
I have heard the "Well, it is very unlikely that FTP will choose one of the few other ports you are using" argument. But I have close to 800 virtual servers behind this at the moment and we are building out at a good rate.
Unlikely is just not scalable. -
One thing i dont understand in your setup: You say you have multiple ftp-servers, but only one public IP, right?
Then how do you differentiate currently between the multiple servers?
I mean you can forward port 21 only to one server at a time.I just noticed: you assumed the traffic seems to come from the pfSense because of the NAT.
It's because of the pftp-proxy and NOT because of the NAT.
NAT only changes the destination and not the source.
–> port 21 traffic
Everything else gets handled by the proxy which is running on the pfSense and thus it seems as comming from the pfSense. -
I am not NATing to private IPs. All the servers are on Public IPs.
What I meant by the NATing causing the connection to go to localhost was that the Port Forwarding statement that directs the traffic to pftpx is causing that.
To get pftpx to work I am forwarding all port 21 traffic to localhost on port 8021 (Default for pftpx). Then pftpx proxies the control channel connection to the public IP of the FTP server. -
Bump….
Anyone have any ideas?? This isnt really critical... But it is proving to be a hindrance.
I would also be amenable to a solution to proxy ftp traffic that allowed me to use standard firewall rules to accomplish this.James
