Netgate Discussion Forum

Solve -> ftp-proxy problem

2.0-RC Snapshot Feedback and Problems - RETIRED
awwei:

Dear all

I found a problem where FTP cannot be used.
In the /etc/inc/filter.inc file,
$natrules .= "rdr on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
if I change it to
$natrules .= "rdr pass on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
I can use FTP through it very well. I don't know why, so I'm sharing this information with everyone.

Awwei
sullrich:

Which site could you not use? I just tested ftp.freebsd.org and ftp.microsoft.com from 2.0 and it worked fine?
awwei:

Dear sullrich

My pfSense version is "2.0-ALPHA-ALPHA built on Tue Nov 25 14:59:09 EST 2008".
WAN port: "Disable the userland FTP-Proxy application" unchecked; LAN port: checked.
I use the Windows XP ftp program to test.
I cannot connect to ftp.freebsd.org unless I add "pass" to the NAT rules.

Awwei
sullrich:

The FTP proxy would only affect the LAN interface (outgoing to internet from LAN in this case).

Do you have a firewall turned on the XP machine?
cmb:

awwei: can you post the contents of your /tmp/rules.debug from status.php?
awwei:

Dear sullrich

I have tried turning off the firewall, but it still cannot work.
awwei:

Dear cmb

Sure... /tmp/rules.debug is listed below:

#System aliases

loopback = "{ lo0 }"
HiNet4M1M = "{ bfe0 }"
LAN = "{ bge1 }"

# User Aliases

set loginterface bfe0
set loginterface bge1
set optimization normal
set limit states 47000

scrub on $HiNet4M1M all    fragment reassemble
scrub on $LAN all    fragment reassemble

nat-anchor "ftp-proxy/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT

tonatsubnets    = "{ 192.168.210.0/24  }"
no nat on $HiNet4M1M to port tftp
nat on $HiNet4M1M from $tonatsubnets port 500 to any port 500 -> 211.20.66.190/32 port 500
nat on $HiNet4M1M from $tonatsubnets port 4500 to any port 4500 -> 211.20.66.190/32 port 4500
nat on $HiNet4M1M from $tonatsubnets port 5060 to any port 5060 -> 211.20.66.190/32 port 5060
nat on $HiNet4M1M from $tonatsubnets to any -> 211.20.66.190/32

#SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor

rdr-anchor "relayd/*"

# FTP proxy

rdr-anchor "ftp-proxy/*"
rdr-anchor "tftp-proxy/*"

rdr on bge1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on bge1 proto udp from any to any port tftp -> 127.0.0.1 port 6969

# IMSpector rdr anchor

rdr-anchor "imspector"

# UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------

# default deny rules

#---------------------------------------------------------------------------
block in  all label "Default deny rule"
block out  all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c

table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook

anchor "packageearly"

# carp

anchor "carp"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for bfe0

# block anything from private networks on interfaces with the option set

antispoof for $HiNet4M1M
block in  quick on $HiNet4M1M from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in  quick on $HiNet4M1M from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in  quick on $HiNet4M1M from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in  quick on $HiNet4M1M from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for bge1
anchor "spoofing"

# loopback

anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"

# let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH

anchor "anti-lockout"
pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

# NAT Reflection rules

# package manager late specific hook

anchor "packagelate"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
anchor "ftp-proxy/*"

# enable ftp-proxy

pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in on $LAN inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

# User-defined aliases follow

# User-defined rules follow

pass  in  quick  on $LAN  from 192.168.210.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass  in  quick  on $LAN  from 192.168.210.0/24  to <direct_networks> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass  in  quick  on $LAN  route-to ( bfe0 211.20.66.161 )  from 192.168.210.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

anchor "limitingesr"

# IMSpector

anchor "imspector"

# uPnPd

anchor "miniupnpd"
eri--:

Does it work if you change the destination to not 127.0.0.1 on default LAN rule?
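Added example (editor's, not from the thread or from pfSense): a deliberately simplified model of pf filter evaluation, fed the rules from the posted /tmp/rules.debug that can see a LAN packet after the FTP redirect. It shows what eri--'s question is getting at: after `rdr ... port 21 -> 127.0.0.1 port 8022` the packet still goes through the filter rules, and the last match there is the `quick` "Default allow LAN to any" rule with `route-to ( bfe0 ... )`, so the connection meant for the local proxy is policy-routed out the WAN instead. Exempting 127.0.0.1 from that rule (a constructed NEGATE_ROUTE-style rule, assumed here) changes the winner; `rdr pass` avoids the filter altogether, which is what awwei's edit relies on (pf.conf(5) of that era: packets matching an `rdr pass` rule are passed without inspecting the filter rules). Assumptions: `$LAN` is bge1, `$loopback` resolves to 127.0.0.1, the `<vpns>` and `<direct_networks>` tables do not contain 127.0.0.1, and the client address 192.168.210.10 is made up.

```python
"""Simplified pf filter evaluation for the FTP-proxy case in this thread.

Assumptions (not from the thread): only 'in' rules on the LAN interface are
modelled, $loopback is treated as 127.0.0.1, the <vpns>/<direct_networks>
tables are assumed not to contain 127.0.0.1, and 'rdr pass' is modelled as
'skip the filter rules', as pf.conf(5) describes it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    iface: Optional[str]        # None = any interface
    proto: Optional[str]        # None = any protocol
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int]        # None = any destination port
    quick: bool = False
    route_to: Optional[str] = None
    label: str = ""


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation immediately."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Transcription of the posted rules that can match a LAN packet bound for the
# proxy ($LAN = bge1, $loopback = 127.0.0.1); tables assumed empty of 127.0.0.1.
POSTED = [
    Rule("block", None, None, "any", "any", None, label="Default deny rule"),
    Rule("pass", "bge1", "tcp", "any", "127.0.0.1/32", 8022,
         label="FTP PROXY: Allow traffic to localhost"),
    Rule("pass", "bge1", "tcp", "any", "127.0.0.1/32", 21,
         label="FTP PROXY: Allow traffic to localhost"),
    Rule("pass", "bge1", None, "192.168.210.0/24", "any", None, quick=True,
         route_to="bfe0 211.20.66.161", label="USER_RULE: Default allow LAN to any rule"),
]

# Constructed rule in the spirit of eri--'s question: exempt 127.0.0.1 from
# policy routing before the route-to rule is reached.
NEGATE_LOOPBACK = Rule("pass", "bge1", None, "192.168.210.0/24", "127.0.0.1/32", None,
                       quick=True, label="NEGATE_ROUTE: localhost")


def ftp_after_rdr() -> Packet:
    """A LAN client's FTP SYN as the filter sees it after the rdr to the proxy
    (client address is constructed)."""
    return Packet("bge1", "tcp", "192.168.210.10", "127.0.0.1", 8022)


def outcome(rules: List[Rule], pkt: Packet, rdr_pass: bool = False) -> str:
    """Describe what happens to pkt: with 'rdr pass' the filter is skipped."""
    if rdr_pass:
        return "pass (rdr pass: filter rules skipped, delivered to ftp-proxy)"
    winner = evaluate(rules, pkt)
    if winner is None or winner.action == "block":
        return "block"
    if winner.route_to:
        return f"pass but route-to {winner.route_to} ({winner.label})"
    return f"pass ({winner.label})"


if __name__ == "__main__":
    pkt = ftp_after_rdr()
    fixed = POSTED[:3] + [NEGATE_LOOPBACK] + POSTED[3:]
    print("posted rules:     ", outcome(POSTED, pkt))
    print("with negate rule: ", outcome(fixed, pkt))
    print("with 'rdr pass':  ", outcome(POSTED, pkt, rdr_pass=True))
```

The model keeps only the two pf semantics that matter here (last match wins, `quick` stops evaluation), which is enough to show that the proxy-specific `pass in ... port 8022` rule is overridden by the later `quick` policy-route rule unless localhost is negated first.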
Skud:

I've been having problems with HP's FTP site for the last few days. I thought it was HP's problem, but then I disabled the FTP proxy and it works fine now.

Just FYI.

Riley
eri--:

Should be fixed on later snapshots.
And for HP it needs the RFC959 workaround on System > Advanced.
awwei:

Dear ermal

I upgraded pfSense to the version built Mon Dec 1 04:58:27 EST 2008.
It's okay to use FTP now.

Thanks ermal