Passive FTP to server behind NAT fails
-
In passive mode the FTP client needs to be able to connect back to the server on a high port that the server tells it to. I've never used Windows FTP services, but with most FTP servers you can configure the server to give back a range of ports that the client can connect back to in passive mode. You need to add that range of ports in your rules to allow passive mode to work. If you can't configure the Windows service to restrict a range of ports, you need to open up >1023 to the FTP server, which isn't terribly ideal.
Best bet is to look at the Linux firewall rules and duplicate them.
-andy
-
Unfortunately, the Linux ruleset was identical to what we've set up in pfSense: DNAT port 21 into our FTP server from the outside world. That's all we had to do to get iptables to handle active and passive FTP sessions. pfSense, on the other hand, doesn't want to play nice with passive sessions, despite having an FTP helper that Linux didn't have.
The latest FTP server for Windows (7.5) seems to support passive port range limits, so I may be stuck with that.
-
So, I did find a method to limit the passive FTP port range in Windows' FTP server, and I tested it inside the LAN to verify that it worked. I've NAT'ed the port range into the FTP server in the same manner I did with port 21, but it still doesn't work from outside the firewall.
Do I need to (and can I) disable the FTP helper at this point?
-
Are you absolutely sure that the PASV ports took effect? I have had never-ending problems with IIS 6 using whatever PASV ports it feels like, even though I have clearly stipulated what they should be. What I suggest you do is try to gain access from outside and monitor the firewall log in real time to see if indeed you are connecting on the wrong port. I'm 99% confident this is a problem with IIS rather than pfSense.
-
I've already done both tests. I connected from a system on the LAN and ran a netstat while transferring data. The connection was on one of my pre-defined ports.
I also was watching the dynamic firewall log on the firewall while I tried to connect from a machine outside the LAN. No log entries were generated that applied to the source IP of the client system I was connecting from. In fact, no log entries were generated at all during the ~5 minutes I was testing.
I'm running the IIS 6 FTP service on a Win2k8 box, not the updated FTP 7.5. I used the supplied admin script to specify the port range that the FTP server should use when a passive client connects.
-
Bump.
-
Bump.
-
Update to latest snapshot.
-
I updated to the Sep. 28th snapshot just now and there is no change in behavior. One possibly relevant bit of information: when I do a netstat on the client that is connecting to the FTP server from outside the firewall, I show two connections heading to port 21 even in passive mode. That doesn't seem correct to me, as I would think the second session would be to one of the high ports that the FTP server is configured to (and correctly does) hand out to the connecting client.
-
Bump.
-
Repeatedly bumping your thread is unlikely to help.
-
Nothing else has worked. ::)
Just being the squeaky wheel hoping for some grease.
-
May I suggest you try another ftpd to verify it isn't the ftpd?
Or at least bring some screenshots for us of your port configuration. Maybe another point of view might help.
I've run 3 different Linux ftpds in the last 2 weeks; both passive and active mode worked. Though none on Windows.
But I did have to disable the FTP helper to get passive working flawlessly.
-
Hmm, I don't have any other OS than Windows to try at this particular site. I can certainly post my config, however.
I've looked around for a bit trying to find where I can disable the FTP helper, but have not found anything in the GUI. I think it used to be in the interface config in 1.2X, but I don't see it. Is it defined elsewhere in the GUI, or do I have to modify files?
![NAT rules.GIF](/public/imported_attachments/1/NAT rules.GIF)
-
There are also other free FTP servers for Windows…
-
That use AD for auth as I require?
-
Does it need to have? It is about checking whether FTP in general works…
-
> But I did have to disable the FTP helper to get passive working flawlessly.

Can you tell me how you did that?
I can't seem to find the setting in 2.0; perhaps I'm looking in the wrong places ???
-
Yeah, I'm simply not seeing the option to disable it anywhere. I upgraded to the newer FTP 7.5 for IIS, and passive still doesn't work. It would appear that the FTP helper is "helping" by telling all external clients to connect to port 21 instead of the defined port range that is mapped in via NAT and configured on the server to use.
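The thread's symptom (external clients told to connect to port 21 instead of the NAT'ed passive range, and earlier the question of whether the server is handing out the configured range at all) comes down to what the server's `227` PASV reply says. The following is an added diagnostic example, not code from the thread or from pfSense/IIS: it decodes the RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply a client receives and reports why an outside client could not reach the advertised endpoint. The passive port range and the public/private addresses in it are constructed placeholders, since the thread never states the real ones.

```python
import ipaddress
import re

# Constructed placeholder: the thread never states the passive range that was
# configured on the IIS server, so this range is an assumption for illustration.
PASV_PORT_RANGE = (50000, 50100)

# The NAT-relevant question is whether the server advertised an RFC 1918
# address that nobody outside the firewall can route to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the RFC 959 reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ip, port


def format_pasv(ip, port):
    """Encode (ip, port) as a 227 reply, the form a server sends and the form
    a NAT helper rewrites when it translates the server's reply."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(ip.split(".")), port // 256, port % 256)


def check_pasv(reply, public_ip, port_range=PASV_PORT_RANGE):
    """Return the problems an external client would hit with this reply.
    An empty list means the advertised endpoint is one the firewall rules
    (public address plus the NAT'ed passive range) can actually deliver."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(
            "server advertised its private address %s; the PASV reply is not "
            "being rewritten, so an outside client cannot reach it" % ip)
    elif ip != public_ip:
        problems.append("advertised %s, expected the public address %s" % (ip, public_ip))
    if port == 21:
        problems.append(
            "data port 21 advertised; the control port is being reused, which "
            "matches seeing two client connections to port 21 in passive mode")
    elif not port_range[0] <= port <= port_range[1]:
        problems.append("port %d is outside the forwarded passive range %d-%d"
                        % (port, port_range[0], port_range[1]))
    return problems


if __name__ == "__main__":
    # Constructed replies: what a client would capture with its FTP client in
    # verbose/debug mode or in a packet capture of the control connection.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,195,80)",   # private address leaked
        "227 Entering Passive Mode (203,0,113,5,0,21)",      # helper pointed client at 21
        "227 Entering Passive Mode (203,0,113,5,195,90)",    # correct: public IP, in range
    ]
    for s in samples:
        print(s, "->", parse_pasv(s), check_pasv(s, "203.0.113.5") or "OK")
```

Run it against the `227` line captured from an external client; an empty problem list means the firewall and server agree on what is advertised, and the remaining suspect is the rule set for the passive range itself.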
-
> Yeah, I'm simply not seeing the option to disable it anywhere. I upgraded to the newer FTP 7.5 for IIS, and passive still doesn't work. It would appear that the FTP helper is "helping" by telling all external clients to connect to port 21 instead of the defined port range that is mapped in via NAT and configured on the server to use.

I'm having the same issue on 2 different boxes.
One is the firewall in front of a server (one of whose functions is FTP, supplied by pure-ftpd running on CentOS).
The other one is my firewall at home.
I have issues with a lot of FTP servers and it seems to be caused by this; reconnect and all is well. It always occurs when you need to open a PASV connection to the FTP server (such as doing an MLSD, LIST, PUT, GET, etc.).
I seem to recall having issues on pfSense 1.3, but I turned the FTP helper off and all was well. I can't find that option on 2.0 anywhere, though.