Ftp passiv mode problem with FW Rules
-
Hi,
I want to know if it is possible or how to set up a special rule on firewall like a related rule for ftp outbound in passive mode, when only a few ports a allowed to pass thru PFSENSE.
I explain:
I have setup 5 vlans from my physical lan interface
On each, I only allow port 80, 21, 21, 53, 22 to pass thru fw
Then problem is that if i want to ftp outside my lan, i have to force ftp client in active mode (passive don't run at all) or to allow all ports from 1024 to 65535….thanks a lot
regards -
I've used FTP servers that allowed you to configure which ports it would use for passive mode. Does the one you are using allow that?
You are referring to a server, right?
-
Hi,
no, the problem is not with th internal ftp server, but with all the others. For example, if i try to download drivers from HP web site, i'm redirecxt to ftp server from HP, but connection abort cause of timoute du to passiv mode. the client (me) and the server (hp)can't establish connection to the negociated port du to firewall rules. The actual solution is for me to allow all ports from 1024 to 65535 opened from inside to outside, then i allow (and don"t want that) with no restriction MSDRP, VNC, TORRENTS, DIRECT CONNECT,…etc etc...........
I would like, to open the related ftp passiv port only when a FTP connection is made from inside to outside.
ex
local distant
| -------------port 21 -----------> | (connection allowed)
| <------ pasv to port 2563 ----- | (firewall open from ip inside to ip outside port 2563)
| <-- ftp passv to port 2563 --> |
| <-- ftp passv to port 2563 --> | (firewall maintain allowed port 2563)
| <-- ftp passv to port 2563 --> |
| ------- connection closed ----> | (firewall close port 2563)Som years ago, i had a allied telesyn router modem that done this very well, but with only on LAN an no PFSENSE services
regards
-
I thought that 'active' was the default setting for clients like IE ?
-
probably, but not for firefox neither for filezilla or other FTP clients
-
I think you might be mixing up terminology, which is why I thought you were talking about a local FTP server. According to an FTP client I use, passive mode would be the mode where the FTP server is the one listening for the data connections and active mode would be the mode where the FTP client is the one listening for the data connections. Most public FTP servers would be configured to be able to work with passive mode, since it is easier for them to do that than to give instructions to everyone for configuring their router or firewall.
In either case, depending on the program you use, for a client there may be an option to configure which ports it uses for active mode, and for a server there may be an option to configure which ports it uses for passive mode. The side that will be listening for the data connection is the one that determines which port number to use for the connection.
-edit-
Rereading your post, I realized you might be trying to restrict outbound connections to only certain allowed ports. Is this correct? If that is the case, you probably need to have something proxy the FTP connections and force active mode instead of passive.
-
You're right, i restrict all outbound port except 80,21,20,443,22,1723 (udp or tcp). I know that in passive mode, server ask client to connect to a random port from 1024 to 65535, except when the administrator defined manually the ports, but how to know that??
Before i used pftpx proxy for outbound connection but in 2.0 pftpx does not exist no more. Then I suppose i don't have any other solution keeping ports 1024 to 65535 every time open.
regards -
Try out newer snapshots than this post it should be fixed.
-
With the latest snapshot "2.0-BETA1 built on Sun Apr 4 08:35:10 EDT 2010" outbound (from LAN) passive mode ftp seems to be broken, active mode works fine.
It seems that the ftp client is connecting to the WAN address of pfSense instead of the real address of the FTP server for the data connection when passive mode is used, anyone else notice this?
I'm not restricting outbound connections on LAN interface btw.
-
I'm seeing this as well with pfSense-2.0-BETA1-20100406-1034, kpa.
-
yep - seeing this on Apr 5 20:35:18 build with pasv to external 3rd party ftp servers
seperately
active does not work for me either - not sure if its because of double nat [ lan->pfsnse->adsl_router(s) ] or just allowing huge fw inbound ports on wan[ from 8.1 updater run on 8.0 box - still says 8.0 ??? is this right ??? ]
-
I've been running an old alpha for at least 6 months. When was the last build that worked for you guys?
I wonder if this change is implicit:
http://redmine.pfsense.org/repositories/revision/3/53e2d23469c707bf7d66ad680a0b1c422f2e6548
-
I think you probably meant complicit, not implicit :)
-
Perhaps but in either case downgrading to 2.0-BETA1-20100331-1228 looks to have resolved this issue for me.
Does anyone care to file a bug report?
-
There is something broken in the FTP proxy since changes last week. Ermal is on vacation this week, he'll fix when he's back next week.
-
On snap 20100409-1808 whenever I try to start an FTP transaction I get a panic. For the record, it may be a conflict with OpenVPN since I'm shunting all data down an OPVN tunnel rather than the WAN…
-
Try newer snaps
-
Seems to be working again on "2.0-BETA1 built on Tue Apr 13 19:26:36 EDT 2010" snapshot, tested both active and passive mode. I didn't test with restrictive outbound rules on LAN.
Thanks Ermal :)
-
Hi guys, I have always problems with the passive, can I ask for some HowTo to pf2.0 or advice set it properly
EDITED
OK it's working without any rules in FW … SNAP from 13th
-
I still have a problem on "2.0-BETA1 built on Wed Apr 14 19:40:01 EDT 2010". Whenever an FTP transaction starts, it's OpenVPN that crashes.
This pf is setup to route through one of 7 OVPN instances…
