Outgoing FTP (Passive) client connections

lalex86 · Nov 21, 2012, 10:23 AM

Hi,

i have problems to connect internal client to external FTP Server with passive mode. I read some old posts without finding a solution.

Clients stops with these messages:
Command: PASV
Response: 227 Entering Passive Mode (62,149,141,10,198,56)
Command: MLSD
Error: Connection timeout.

CONFIGURATION:
pfSense 2.0.1 amd64
1 WAN interface
1 LAN interface with default NAT
LAN default rule (last) is to block all
LAN rule to allow TCP port 21 to any.

I can see from the log that i correctly receive server random port 198*256+56=50744 but traffic from LAN to server:50744 is blocked.
Is there a way to allow that traffic considering it as "related" to previous connection to server:21 without opening all ports to destination FTP servers?

Thanks
Alessandro

johnpoz · Nov 21, 2012, 8:01 PM

So do you have rules on your lan that block that connection? Default lan rules are all ports outbound are open. But yes if you lock them down you could run into issues.

Are you behind some other nat? Is the ftp server behind a nat?

You actually see your firewall blocking the connection?

lalex86 · Nov 23, 2012, 2:18 PM

@johnpoz:

So do you have rules on your lan that block that connection? Default lan rules are all ports outbound are open. But yes if you lock them down you could run into issues.

Are you behind some other nat? Is the ftp server behind a nat?

You actually see your firewall blocking the connection?

Hi,

yes i changed the rule "pass all" for LAN with a more restrictive BLOCK all from LAN and added rules for each protocol admitted.
For FTP (passive) i added a rules "from LAN to any PASS".

No on my (client) side i have no other NAT, WAN interface has a public IP. On server side i tested with many FTP server (mine, internet providers etc.) and always trasfers don't work.

The connection is correctly established (see above), the client get the port (50744 for example) from the server but on the first command that required data exchange (MLSD in that case) i see in pfSense log that connection from lan to FTPserver:50744 is blocked. I know that i don't have a rule for that bu i don't what to open all outgoing from LAN. I hoped there was an FTP helper in pfSense that could consider that outgoing connection related to the established FTP connection an PASS it.
Thanks
Alessandro

lalex86 · Nov 23, 2012, 2:20 PM

nobody?

johnpoz · Nov 23, 2012, 2:44 PM

There is a helper - in the middle of big ftp copy now. Once it finishes I will lockdown my outbound connections and do my next upload to see if see your problem.

I am using
2.1-BETA0 (i386)
built on Sat Nov 17 15:45:28 EST 2012
FreeBSD 8.3-RELEASE-p4

So its possible it works in 2.1 and not in 2.01 or vice versa, etc. As soon as current upload finishes I can do some testing for you.

Just looked, currently using active connection - have you tried that?

Command: PORT 192,168,1,100,170,180
Response: 200 PORT command successful
Command: STOR VID00105.MP4
Response: 150 Opening BINARY mode data connection for VID00105.MP4
Response: 226 Transfer complete

So helper clearly changed the private IP to my public one for the server to connect back to me from source port 20.

in 2.1 under advanced system tunables there is the ftphelper did you disable it?
debug.pfftpproxy Disable the pf ftp proxy handler. default (0)

lalex86 · Nov 23, 2012, 3:16 PM

Don't know why but NOW IT WORKS! :o

What i've done:

-debug.pfftpproxy was = 0 by default, ftp doesn't worked so i set to 1
-so i set debug.pfftpproxy = 1 but it doesn't worked and i wrote this post…
-now i tried to go back to debug.pfftpproxy = 1 and ftp works!!! ::)

Thanks for you help...