Netgate Discussion Forum
    FTP Client to outside Server

    Category: Firewalling
    9 Posts 4 Posters 2.3k Views
    andi_snoop:

      Hello, since changing to pfSense 2.2 I cannot connect to an outside FTP server anymore.
      I have a script which uses the Windows FTP command line tool to put a file on an external FTP server.

      Regardless of active or passive connection I get an error: "Unable to build data connection: Connection timed out"

      I also tried setting debug.pfftpproxy to 0 or 1.

      All 4 scenarios, the same ....

      What's going wrong here?

      I didn't see anything in the system logging - no blocking :/

      Can anybody help me?

      GroundX:

        Do a packet capture and see what traffic reaches the firewall.

        andi_snoop:

          Nothing found :O

          I got the packets on the WAN interface.

          This command:

          open ftp.microsoft.com
          anonymous
          q@q.com
          quote EPSV
          ls
          

          Result:

          ftp> open ftp.microsoft.com
          Connected to ftp.microsoft.akadns.net.
          220 Microsoft FTP Service
          User (ftp.microsoft.akadns.net:(none)):
          331 Anonymous access allowed, send identity (e-mail name) as password.
          
          230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
          
          230 User logged in.
          ftp> quote EPSV
          229 Entering Extended Passive Mode (|||8609|)
          ftp> ls
          500 Illegal PORT command
          Connection closed by remote host.
          

          And these are all the packets to that IP I got:

          13:17:30.068963 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 0
          13:17:30.233827 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 0
          13:17:30.233986 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 0
          13:17:30.400243 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 27
          13:17:30.402370 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 16
          13:17:30.567103 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 72
          13:17:30.571675 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 14
          13:17:30.736542 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 82
          13:17:30.736582 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 21
          13:17:30.736758 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 0
          13:17:30.742920 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 6
          13:17:30.908232 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 47
          13:17:30.915895 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 25
          13:17:31.080294 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 26
          13:17:31.080344 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 0
          13:17:31.080523 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 0
          13:17:31.082404 IP 192.168.1.1.39278 > 134.170.188.232.21: tcp 0
          13:17:31.246573 IP 134.170.188.232.21 > 192.168.1.1.39278: tcp 0
          
          

          The IP 192.168.1.1 was my official public IP - replaced.

          johnpoz (LAYER 8 Global Moderator):

            Without a HELPER, which is not included, your client has to send the public IP.. That is just not going to happen in the cmd line FTP client in Windows..

            500 Illegal PORT command

            That is the server telling you there is a problem.. If you want to use active FTP as a client from behind pfSense 2.2 you have to forward the ports you're going to use and make sure your client uses its public IP.. FileZilla is a client that has these features for Windows. It can be scripted as well.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

            andi_snoop:

              Ok, two things I wonder about:

              1.) In the older version, pfSense 2.1, it worked!

              2.) I already tried passive modes ... and got the same problems ...

              The problem is that the script is generated by another program, and I can't change the content ....

              And I tried it with the helper (I think you mean debug.pfftpproxy 0) too .... the same results!

              johnpoz (LAYER 8 Global Moderator):

                And in 2.2 the HELPER/PROXY is not there; you cannot turn it on, debug.pfftpproxy doesn't turn it on - it's gone!! It might be back in 2.2.1 or .2 or .7 or maybe 2.3.. Or it may just be GONE.. As stated, FTP is dead, time to move on people ;)

                If you want to use FTP then you have to do it old school and manually create the forwards that allow the PITA protocol FTP to work through a NAT, be it active or passive...

                The helper is not required in PASV mode.. since the server will send you the port and IP to connect to. The problem is I don't believe the Windows cmd line supports PASV - even if you send the command to the server, the client doesn't use it.

                ftp> quote pasv
                227 Entering Passive Mode (134,170,188,232,241,8).
                ftp> dir
                500 Illegal PORT command

                See where I get the IP and port to connect to the server in PASV mode -- but when I do dir, the client still sends a PORT command, which with a private IP is going to give you a 500 error.

                Use a client that supports passive mode and scripting, or go back to 2.1.5, which has the helper..


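The two exchanges quoted in the thread (a 227/229 reply that the Windows client ignores, followed by a PORT command that the server rejects with 500) can be reproduced offline. The block below is an added example and is not code from the thread, from Netgate or from pfSense: it parses the PASV and EPSV replies exactly as they appear above, builds the PORT argument an active-mode client behind NAT would send, flags the RFC 1918 address that leaks into it when no helper rewrites the command, and shows a scripted upload with Python's standard ftplib in passive mode as a replacement for the ftp.exe script. The sample replies are copied from the posts; the private client address, the host name and the credentials in upload_passive are placeholders.

```python
"""Active vs passive FTP through NAT, illustrated with the replies from the thread.

Added example, not part of the original posts. The server replies below are the
ones quoted in the thread; 192.168.1.50 is an assumed private client address.
"""
import ipaddress
import re
from ftplib import FTP

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
_EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Return the data port from a 229 reply. EPSV carries only the port;
    the client connects to the same host as the control connection."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 229 reply: {reply!r}")
    return int(m.group(1))


def build_port_arg(host: str, port: int) -> str:
    """Build the argument an active-mode client puts in its PORT command.
    Without an FTP helper on the firewall, this is what the server sees."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{host.replace('.', ',')},{port // 256},{port % 256}"


def port_leaks_private_address(port_arg: str) -> bool:
    """True when the PORT argument names an RFC 1918 address. A server on the
    public internet cannot connect back to it; ftp.microsoft.com answers
    '500 Illegal PORT command' instead of trying."""
    parts = port_arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT argument must have six comma-separated numbers")
    return ipaddress.ip_address(".".join(parts[:4])).is_private


def explain_active_failure(client_ip: str, data_port: int) -> str:
    """One-line diagnosis for the 'ls' that follows 'quote EPSV' in the thread."""
    arg = build_port_arg(client_ip, data_port)
    if port_leaks_private_address(arg):
        return f"PORT {arg} carries a private address -> expect 500 Illegal PORT command"
    return f"PORT {arg} is routable -> server will connect back to {client_ip}:{data_port}"


def upload_passive(host: str, user: str, password: str, local_path: str, remote_name: str) -> str:
    """Scripted upload in passive mode, which ftp.exe cannot do. The client opens
    the data connection outbound, so no inbound forwards or helper are needed.
    Assumption: plain FTP as in the thread; FTPS or SFTP is the better choice."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.set_pasv(True)  # ftplib default, stated explicitly for clarity
        with open(local_path, "rb") as fh:
            return ftp.storbinary(f"STOR {remote_name}", fh)


if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (134,170,188,232,241,8)."))
    print(parse_epsv("229 Entering Extended Passive Mode (|||8609|)"))
    print(explain_active_failure("192.168.1.50", 5001))
```

parse_pasv and parse_epsv give the address and port a passive-capable client would dial out to; explain_active_failure shows the PORT argument the Windows client sends instead, which is why the 500 appears even after a successful PASV or EPSV reply. Only upload_passive touches the network, and it is not called at import time.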
                andi_snoop:

                  Ok, thank you ... but I see that downgrading isn't easy because of changed config files .....

                  Hmmm .. next time I will make a backup before upgrading ;)

                  johnpoz (LAYER 8 Global Moderator):

                    I would say moving to a new method of FTP would be the better course of action. There are many clients that support passive mode and scripting; the MS cmd line one is just not one of them.


                    carlb:

                      I have to say this has caused me a lot of problems.

                      Losing money because of this is not fun.
                      I am sorry to say FTP is still used on a lot of old servers and old software; it's not so easy to change.

                      So it seems I am downgrading or looking at a different firewall :(

                      I hope you bring this back sooner rather than later.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.