Netgate Discussion Forum

    FTP broken again after update to 2.2-RC

      johnpoz LAYER 8 Global Moderator

      You do understand that with FTPS no helper/proxy on pfSense can do anything, since the info in the control channel is encrypted.

      If your server is behind pfSense and the client is on the public internet, and the client is using passive, FTPS would not allow the pfSense helper/proxy to change the IP or see what port to allow in to the server.

      If you're going to want to allow a passive FTP server behind pfSense using FTPS, then you would have to set the FTP server to send the public IP, not its private one, and you would have to set up forwards on pfSense for the ports the server sends to the client for the passive connection.

      As I said in the beginning, most FTP issues have been users not understanding the protocol ;)  In this case it does seem to me that the FTP helper/proxy is not working.  When I get some more time I can do some better testing.  But in the test I did this morning it was not working.

      edit: as you can see from the attached sniff on the pfSense WAN when trying to make an active connection to the MS FTP server, the PORT command has not been changed to the pfSense public IP.  It is still the private one, and clearly the MS FTP server could not connect to that IP ;)

      [attached screenshot: sniffftpport.png]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        doktornotor Banned

        @johnpoz:

        I have not tested inbound from public to an FTP server behind pfSense.

        Works just fine as long as the FTP server behind pfSense is set up to use the WAN IP address for passive FTP…

        @OP:

        • Active FTP across NATed firewalls is just a foolish idea and a pure waste of time.
        • For passive FTPS, you MUST forward the entire passive port range used by the FTP server. The helper won't do zilch there; it cannot see the traffic at all since it's encrypted (duh!).
          johnpoz LAYER 8 Global Moderator

          "Works just fine as long as the FTP server behind pfSense is set up to use the WAN IP address for passive FTP… "

          So you're saying the helper/proxy is opening the ports, but not changing the IP..  That wouldn't seem to be working to me ;)  Normally the helper/proxy does both: it changes the private IP to the public one in the command and forwards/allows the client's connection to the port the server said to use.


            doktornotor Banned

            Frankly, unless you run some public FTP server behind pfSense, the helper is just a piece of nonsense. No one sane will use unencrypted FTP, sending credentials in plaintext.

              johnpoz LAYER 8 Global Moderator

              Preaching to the choir dude ;)  Just posting what I see..  Like I said I hadn't tested inbound.. But clearly active outbound is not working as it should, from my test.

              I don't get why anyone uses FTP or even FTPS these days; SFTP is a much better solution, and no split connections for data and control.. Just 1 single port to use ;)


                daniel.cabral

                Guys, I've opened a ticket for this anyway.

                Just to remember, we're talking here about FTP clients behind pfSense. For servers I think the question is much easier to solve in this case.
                Unsecured FTP must be wiped from the internet 8) but at least here in Brazil there are a LOT of public servers still using it…

                With Wireshark I can reproduce the situation noted by the dude here... private IP instead of public IP, so I can confirm that the FTP helper isn't working. Tested on snapshots from 23/11 and today.

                  KOM

                  I don't get why anyone uses FTP or even FTPS these days - SFTP is a much better solution…

                  Do you deal with end-users?  :) You don't deal with end-users, do you?  ;) Specifically, you don't deal with end-users who, 99 times out of 100, have barely heard of FTP, do you?  :D Good luck helping them to download a large file from your company with SFTP.  ;D

                  More to the point, I would happily embrace SFTP if Windows Explorer and Internet Explorer understood those protocols, because that's what I'm forced to deal with most of the time with end-users.

                    kejianshi

                    Ahhhh…  WinSCP.

                    But no - Not serving up files FTP to a million people.

                    For that I use HTTPS file server.

                      Jumbosausage

                      I've just upgraded to 2.2 and my FTP connection has gone down also. The DDNS is resolving to my WAN IP ok, but it's getting a "connection timed out, could not connect to server" error. The rules haven't changed, so I'm figuring this is a bug?

                        KOM

                        For that I use HTTPS file server.

                        I also have to deal with clients and partners that need to upload files, sometimes many gigabytes.  Nope, I'm stuck with dumb old FTP for the foreseeable future.

                          johnpoz LAYER 8 Global Moderator

                          Well from the comment on the bug you submitted it looks like it's going to be a bit before it's fixed..
                          https://redmine.pfsense.org/issues/4210

                          So it looks like you just have to make it work old school ;)

                          So if you want to use active from a client behind pfSense to a server outside pfSense, you have to have the client present your public IP, and use specific ports that you have set up a forward for in pfSense.  FileZilla can do this no problem.  Other clients might not be able to.  Or just use passive connections; then nothing needs to be done.

                          As to servers behind pfSense: if the clients use active you wouldn't have issues, because the server would be connecting to them from source port 20.  If you want your clients to be able to use passive, then on your server you need to make sure it presents your public IP and uses specific ports that you have forwarded.  Again, the FileZilla FTP server does this for sure; others maybe not?

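Added example, not from this thread or from pfSense: a small Python checker for the two checks discussed above, johnpoz's sniff of the PORT command on the WAN and doktornotor's point that the whole passive port range must be forwarded. It parses PORT commands and 227 PASV replies as they appear on the WAN side and flags an endpoint that still carries an RFC 1918 address (the helper did not rewrite it) or a PASV port outside the forwarded range. The WAN address 203.0.113.10, the range 50000-50010 and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample control-channel lines, written the way a sniff on the
# pfSense WAN would show them (not taken from the original post).
SAMPLE_LINES = [
    "PORT 192,168,1,50,19,137",                          # client still advertises LAN IP
    "PORT 203,0,113,10,19,137",                          # client advertises public IP
    "227 Entering Passive Mode (192,168,1,20,195,80).",  # server replies with LAN IP
    "227 Entering Passive Mode (203,0,113,10,195,81).",  # server replies with WAN IP
    "227 Entering Passive Mode (203,0,113,10,234,0).",   # WAN IP, port not forwarded
]
# Assumed placeholders: the firewall's WAN address and the passive port
# range forwarded to the server (50000-50010 here).
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
PASSIVE_RANGE = range(50000, 50011)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_ftp_endpoint(line):
    """(kind, ip, port) from a PORT command or 227 PASV reply; port = p1*256 + p2."""
    if line.upper().startswith("PORT "):
        kind = "PORT"
    elif line.startswith("227 "):
        kind = "PASV"
    else:
        return None
    m = _ENDPOINT.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return kind, ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def check_endpoint(line, public_ip=PUBLIC_IP, passive_range=PASSIVE_RANGE):
    """Classify one WAN-side line; 'private-ip' means the helper did not rewrite it."""
    parsed = parse_ftp_endpoint(line)
    if parsed is None:
        return "skip"
    kind, ip, port = parsed
    if any(ip in net for net in RFC1918):
        return "private-ip"
    if ip != public_ip:
        return "wrong-ip"
    if kind == "PASV" and port not in passive_range:
        return "port-not-forwarded"
    return "ok"
```

Feed it the decoded control-channel lines from a WAN capture; any "private-ip" verdict is the symptom shown in the screenshot above, and "port-not-forwarded" is a passive data port the firewall will drop.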
                            gerdesj

                            @KOM:

                            I don't get why anyone uses FTP or even FTPS these days - SFTP is a much better solution…

                            Do you deal with end-users?  :) You don't deal with end-users, do you?  ;) Specifically, you don't deal with end-users who, 99 times out of 100, have barely heard of FTP, do you?  :D Good luck helping them to download a large file from your company with SFTP.  ;D

                            More to the point, I would happily embrace SFTP if Windows Explorer and Internet Explorer understood those protocols, because that's what I'm forced to deal with most of the time with end-users.

                            The last time I had to deal with this sort of nonsense I packaged up FileZilla into an MSI with a config already in it and a little video showing what to do that came up on the first run of FZ.  I also sent instructions on how to get it out via Group Policy.

                            The killer bit was telling them that FileZilla was able to make the transfer go faster.

                            A small white lie and convenience got around 1500-odd people using SFTP through OpenSSH to a Linux box with Samba wired up to AD for the internal connections, rather than a Win 2003 server with FTP on it that could finally be laid to rest.

                            It can be done, but it takes a bit of time and effort.  Don't even think of trying to pull the "it's insecure" argument against FTP.  The people who use it, almost by definition, either don't care or can't even understand the argument in the first place.

                              kejianshi

                              I'm not sure if your lie is all that little, or fast…

                              When I do "many gigabytes" of file transfers from Denmark to Maryland, I use FileZilla.  It's fairly freakin' fast.

                              And simple.

                              I like your idea.  People might be motivated with the "it's fast" argument.

                              Another thing I like about WinSCP is it can be set to aggressively reconnect forever and never give up.

                              A great thing to have if the ISP sucks.

                                daniel.cabral

                                Well… in my case, for now I've returned to 2.1.5. FTP connectivity is important here; our legacy ERP uses standard FTP to update itself... if you're thinking about +- 50 workstations...

                                  marcelloc

                                  from https://redmine.pfsense.org/issues/4210
                                  "…not something we're looking into for 2.2 at this point.."

                                  Does it mean that 2.2 will be released with the FTP proxy broken?  :o

                                  Can somebody test the jftpgw or frox port via pkg add to see if it's a workaround until the native FTP proxy gets fixed?

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                    cmb

                                    2.2 has no FTP proxy and will be released without one. It only helped with active mode clients behind NAT anyway, and only with a simple single-public-IP setup. Passive mode clients, which is what essentially everything does by default in recent years (minus the Windows command line FTP client), don't need a proxy. Servers can easily be configured in a way that doesn't require a proxy. You have to do so with FTPS anyway, which is the only FTP-anything you should be using at this point.

                                    Time to move on from FTP, folks.

                                      johnpoz LAYER 8 Global Moderator

                                      @cmb:

                                      Time to move on from FTP, folks.

                                      Exactly!!!! ;)


                                        marcelloc

                                        Thanks Chris.  I do not recommend FTP either, but you know that many sites still use it. :)


                                          johnpoz LAYER 8 Global Moderator

                                          To the sites that still use it: you would hope at least it was FTPS, which breaks the helper anyway.  The helper is needed in 2 setups: where you want your client behind pfSense to use an active connection to a public server, or you're running a server behind pfSense and you want to allow passive clients.

                                          If the client uses passive, no helper is needed; if you're running a server you would hope you were running FTPS anyway, which would have required the manual firewall rules anyway because the helper could not see the traffic to fix up.  So I don't really see this as a loss of anything of real function..  And you really shouldn't be using FTP anyway ;)
