Netgate Discussion Forum

    FTP problem

      rpsmith

      thanks ermal!  I'll give it a try.

      Roy…

        rpsmith

        nanobsd - Wed Jan 19 12:45:14 - net5501:

        passive FTP client --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works!
        passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works!  (only tested implicit mode)

        pfSense side Notes:

        1.  1:1 NAT, port 21 pass rule to FTP Server
        2.  1:1 NAT, passive port range pass rule to FTP Server
        3.  1:1 NAT, port 990 pass rule to FTP Server
        4.  debug.pfftpproxy set to 1
        5.  FTP Server configured to use its public IP for passive connections
        6.  FileZilla FTP Client.

        Only did limited testing but with the above configuration I had zero problems!

        Thanks ermal!

        Roy...

          eri--

          Normally you should have no problems even without disabling the ftpproxy.
          Did you try with the proxy active?

            rpsmith

            ermal,

            I still had ftp problems with "Tue Jan 18 04:33:29" but as I did not see any mention of any new proxy fixes for "Wed Jan 19 12:45:14", I did not test that build before turning off the service.  After the next build, I will re-enable it and re-test.

            BTW, since it works fine with it off, what advantage is there to running the ftp proxy?

            Roy…

              jlepthien

              @rpsmith:

              ermal,

              I still had ftp problems with "Tue Jan 18 04:33:29" but as I did not see any mention of any new proxy fixes for "Wed Jan 19 12:45:14", I did not test that build before turning off the service.  After the next build, I will re-enable it and re-test.

              BTW, since it works fine with it off, what advantage is there to running the ftp proxy?

              Roy…

              The point of the proxy is that you do not open up a hole in your firewall with all these high-ports…if you can talk about security with ftp you should at least use that proxy...

              | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                rpsmith

                well that makes sense.  so with the proxy I don't need any port open to the FTP server or just port 21?  also, do I use my FTP server's private or public IP when configuring its passive IP?

                Thanks,

                Roy…

                  jlepthien

                  The only thing that should be done is to NAT port 21 TCP to your server's private IP address. The proxy should handle everything else (also active or passive).
                  At least I know this function from other firewall products; I never used incoming ftp with pfSense. Well, as I've stated before, ftp should be exchanged with a more secure protocol like ssh…

                  | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                    rpsmith

                    well I normally only run my ftp server with my passive ports and port 990 open and use implicit FTPS exclusively.  so will the ftp-proxy work with FTPS or will I still need to open my passive ports?

                    Roy…

                      eri--

                      It would not touch FTPS at all.

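
An added illustration, not code from pfSense or from any poster in this thread: what an FTP helper has to read on the control channel to open the data port on demand, and why it has nothing to act on once that channel is FTPS. Function names, addresses and sample lines are constructed for the example.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
# RFC 2428 EPSV reply: 229 ... (|||port|)
PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def passive_endpoint(line, server_ip):
    """Return the (ip, port) the server told the client to connect to, or None.

    line is one raw control-channel line sent by the server. EPSV replies
    carry only a port, so server_ip is used as the address for those.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m and 0 < int(m.group(1)) < 65536:
        return server_ip, int(m.group(1))
    return None  # not a passive reply, or unreadable (for example TLS records)


def pinhole(line, private_ip, public_ip):
    """Model a NAT helper: the one port to allow and the reply the client sees."""
    ep = passive_endpoint(line, private_ip)
    if ep is None:
        return None  # nothing learned, so no data port is opened
    ip, port = ep
    rewritten = line
    if line.startswith(b"227") and ip != public_ip:
        # The server advertised an address the client cannot reach; swap it.
        a, b, c, d = public_ip.split(".")
        new = f"({a},{b},{c},{d},{port >> 8},{port & 0xFF})".encode()
        rewritten = re.sub(rb"\(.*\)", new, line.rstrip(b"\r\n")) + b"\r\n"
    return {"allow_to": (private_ip, port), "rewritten": rewritten}


# Constructed sample server lines; addresses are private/documentation ranges.
CLEAR_PASV = b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n"
CLEAR_EPSV = b"229 Entering Extended Passive Mode (|||50000|)\r\n"
TLS_RECORD = bytes.fromhex("1703030020") + bytes(32)  # stand-in for ciphertext
```

With plain FTP the helper learns port 50000 from either reply and can allow just that one connection. With FTPS the same reply arrives as ciphertext, so the passive range has to be passed by a static rule and the server has to advertise its public address itself.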
                        rpsmith

                        with only port 21 open and today's build - Jan 20 06:00:12 - and "debug.pfftpproxy" set to 0 (I assume that re-enables it), filezilla client returns:

                        Error: Connection timed out
                        Error: Failed to retrieve directory listing

                        Roy…

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.