Netgate Discussion Forum

FTP passive mode problem with FW rules

2.0-RC Snapshot Feedback and Problems - RETIRED
24 Posts 13 Posters 9.1k Views
• cipey

Hi,
I want to know if it is possible, or how, to set up a special rule on the firewall, like a related rule for FTP outbound in passive mode, when only a few ports are allowed to pass through pfSense.
I explain:
I have set up 5 VLANs from my physical LAN interface.
On each, I only allow ports 80, 21, 21, 53, 22 to pass through the FW.
The problem is that if I want to FTP outside my LAN, I have to force the FTP client into active mode (passive doesn't run at all) or allow all ports from 1024 to 65535...

thanks a lot
regards
• Efonnes

I've used FTP servers that allowed you to configure which ports they would use for passive mode. Does the one you are using allow that?

You are referring to a server, right?
• cipey

Hi,
no, the problem is not with the internal FTP server, but with all the others. For example, if I try to download drivers from the HP web site, I'm redirected to HP's FTP server, but the connection aborts because of a timeout due to passive mode. The client (me) and the server (HP) can't establish a connection to the negotiated port due to the firewall rules. The actual solution for me is to allow all ports from 1024 to 65535 open from inside to outside, but then I allow (and I don't want that) with no restriction MSDRP, VNC, torrents, Direct Connect, etc.
I would like to open the related FTP passive port only when an FTP connection is made from inside to outside.
e.g.
local                                    distant
|  -------------port 21 -----------> |  (connection allowed)
| <------ pasv to port 2563 ----- | (firewall open from ip inside to ip outside port 2563)
| <-- ftp passv to port 2563 --> |
| <-- ftp passv to port 2563 --> | (firewall maintain allowed port 2563)
| <-- ftp passv to port 2563 --> |
| ------- connection closed ----> | (firewall close port 2563)

Some years ago, I had an Allied Telesyn router modem that did this very well, but with only one LAN and no pfSense services.

regards
• TuxTiger

I thought that 'active' was the default setting for clients like IE?
• cipey

Probably, but not for Firefox, nor for FileZilla or other FTP clients.
• Efonnes

I think you might be mixing up terminology, which is why I thought you were talking about a local FTP server. According to an FTP client I use, passive mode would be the mode where the FTP server is the one listening for the data connections and active mode would be the mode where the FTP client is the one listening for the data connections. Most public FTP servers would be configured to be able to work with passive mode, since it is easier for them to do that than to give instructions to everyone for configuring their router or firewall.

In either case, depending on the program you use, for a client there may be an option to configure which ports it uses for active mode, and for a server there may be an option to configure which ports it uses for passive mode. The side that will be listening for the data connection is the one that determines which port number to use for the connection.

-edit-

Rereading your post, I realized you might be trying to restrict outbound connections to only certain allowed ports. Is this correct? If that is the case, you probably need to have something proxy the FTP connections and force active mode instead of passive.
• cipey

You're right, I restrict all outbound ports except 80, 21, 20, 443, 22, 1723 (UDP or TCP). I know that in passive mode, the server asks the client to connect to a random port from 1024 to 65535, except when the administrator has manually defined the ports, but how would I know that?
Before, I used the pftpx proxy for outbound connections, but in 2.0 pftpx does not exist any more. Then I suppose I have no other solution than keeping ports 1024 to 65535 open all the time.
regards
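Pulling together cipey's pinhole diagram above, Efonnes's point that the listening side picks the data port, and the question of how a firewall could know which port was negotiated: the example below is added here as an illustration and is not pfSense, pftpx, or any poster's code. It shows, in Python, what a stateful FTP helper (proxy/ALG) does in principle: read the server's 227/229 reply on the control channel, open exactly one outbound pinhole for that client-to-server port, and withdraw it again when the control connection ends, so the 1024-65535 range never has to be opened wholesale. The addresses 192.168.10.20 and 203.0.113.5, the sample reply lines, and the pf-style rule text are constructed assumptions; the address-must-match check assumes a direct, unproxied control connection.

```python
"""Toy FTP passive-mode helper (constructed illustration, not pfSense/pftpx code):
derive the single data-connection pinhole from the server's 227/229 reply, track it
per control connection, and drop it when the control connection closes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, server_ip: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a 227/229 reply, or None for any other line.
    Raises ValueError for replies the helper must not act on: out-of-range octets,
    a data port outside 1024-65535, or a PASV address that is not the server we
    are talking to (assumes a direct, unproxied control connection)."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV reply has an out-of-range value")
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        # EPSV never carries an address: the data port is on the server itself.
        ip, port = server_ip, int(m.group(1))
    if ip != server_ip:
        raise ValueError(f"reply advertises {ip}, not the server {server_ip}")
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing to open data port {port}")
    return ip, port


def rejects(line: str, server_ip: str) -> bool:
    """True when parse_passive_reply refuses the reply."""
    try:
        parse_passive_reply(line, server_ip)
        return False
    except ValueError:
        return True


@dataclass(frozen=True)
class Pinhole:
    src: str    # inside client address
    dst: str    # outside server address
    dport: int  # negotiated TCP data port


def as_pf_rule(hole: Pinhole) -> str:
    """Render the pinhole in pf-style syntax (illustrative; pfSense writes its own rules)."""
    return f"pass out quick proto tcp from {hole.src} to {hole.dst} port {hole.dport} keep state"


@dataclass
class FtpSession:
    """Per-control-connection state: the pinholes this session has opened."""
    client_ip: str
    server_ip: str
    pinholes: List[Pinhole] = field(default_factory=list)

    def on_server_reply(self, line: str) -> Optional[Pinhole]:
        parsed = parse_passive_reply(line, self.server_ip)
        if parsed is None:
            return None
        hole = Pinhole(self.client_ip, parsed[0], parsed[1])
        self.pinholes.append(hole)
        return hole

    def on_control_closed(self) -> List[Pinhole]:
        """Control connection gone (221 or TCP teardown): withdraw every pinhole."""
        closed, self.pinholes = self.pinholes, []
        return closed


# Constructed server replies as seen on the control channel (port 10*256+3 = 2563).
SAMPLE_EXCHANGE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (203,0,113,5,10,3)",
    "226 Transfer complete",
    "221 Goodbye",
]


def run_sample() -> Tuple[List[str], int, int]:
    """Walk the sample exchange; return (rules opened, pinholes closed, pinholes left)."""
    sess = FtpSession(client_ip="192.168.10.20", server_ip="203.0.113.5")
    rules, closed = [], []
    for line in SAMPLE_EXCHANGE:
        hole = sess.on_server_reply(line)
        if hole is not None:
            rules.append(as_pf_rule(hole))
        if line.startswith("221"):
            closed += sess.on_control_closed()
    return rules, len(closed), len(sess.pinholes)
```

Running `run_sample()` yields one rule for port 2563 that exists only for the lifetime of the control session, which is the behaviour cipey's diagram asks for. The address check is deliberately strict: on a direct connection, a 227 reply naming anything other than the server is refused rather than silently opening a hole toward the wrong host. A transparent proxy that intentionally rewrites the address to its own (the kind of rewriting kpa describes noticing below) would need to relax that check on the client side.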
• eri--

Try out newer snapshots than this post; it should be fixed.
• kpa

With the latest snapshot "2.0-BETA1 built on Sun Apr 4 08:35:10 EDT 2010" outbound (from LAN) passive mode FTP seems to be broken; active mode works fine.

It seems that the FTP client is connecting to the WAN address of pfSense instead of the real address of the FTP server for the data connection when passive mode is used. Anyone else notice this?

I'm not restricting outbound connections on the LAN interface, btw.
• react

I'm seeing this as well with pfSense-2.0-BETA1-20100406-1034, kpa.
• DennisBagley

yep - seeing this on the Apr 5 20:35:18 build with PASV to external 3rd-party FTP servers

separately
active does not work for me either - not sure if it's because of double NAT [ lan->pfsense->adsl_router(s) ] or just allowing huge FW inbound ports on WAN

[ from 8.1 updater run on 8.0 box - still says 8.0 ??? is this right ??? ]
• react

I've been running an old alpha for at least 6 months. When was the last build that worked for you guys?

I wonder if this change is implicit:

http://redmine.pfsense.org/repositories/revision/3/53e2d23469c707bf7d66ad680a0b1c422f2e6548
• danswartz

I think you probably meant complicit, not implicit :)
• react

Perhaps, but in either case downgrading to 2.0-BETA1-20100331-1228 looks to have resolved this issue for me.

Does anyone care to file a bug report?
• cmb

There is something broken in the FTP proxy since changes last week. Ermal is on vacation this week; he'll fix it when he's back next week.
• MrHorizontal

On snap 20100409-1808, whenever I try to start an FTP transaction I get a panic. For the record, it may be a conflict with OpenVPN since I'm shunting all data down an OpenVPN tunnel rather than the WAN...
• eri--

Try newer snaps.
• kpa

Seems to be working again on the "2.0-BETA1 built on Tue Apr 13 19:26:36 EDT 2010" snapshot; tested both active and passive mode. I didn't test with restrictive outbound rules on LAN.

Thanks Ermal :)
• Guest

Hi guys, I always have problems with passive mode. Can I ask for a HowTo for pf 2.0, or advice on how to set it up properly?

EDITED

OK, it's working without any rules in the FW... snap from the 13th.
• MrHorizontal

I still have a problem on "2.0-BETA1 built on Wed Apr 14 19:40:01 EDT 2010". Whenever an FTP transaction starts, it's OpenVPN that crashes.

This pf is set up to route through one of 7 OpenVPN instances...

[attachment: pf-ftp-ovpn-crash.gif]