Netgate Discussion Forum

FTP proxy and pfsense 2.2

Problems Installing or Upgrading pfSense Software
20 Posts 8 Posters 19.9k Views
    hypemedia
    last edited by Jan 27, 2015, 1:38 PM

    After upgrading to 2.2, passive FTP is not working anymore. In order to enable it again I need to create a pass rule for the high passive ports 30000-50000. I think this is a big security risk. Can somebody tell me what to do to have the previous behaviour where only ports 21 and 20 were open?
    debug.pfftpproxy is set to default (0)

    Thanks

      doktornotor Banned
      last edited by Jan 27, 2015, 1:40 PM

      There's no proxy. End of story. (Why you need 20K passive ports in the first place goes beyond me.)

        robi
        last edited by Jan 27, 2015, 1:55 PM

        Yep, you could simply allow only a couple of 10s of ports, depending on your usage.

          jimp Rebel Alliance Developer Netgate
          last edited by Jan 29, 2015, 6:33 PM

          https://doc.pfsense.org/index.php/FTP_without_a_Proxy

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            Maypeur
            last edited by Feb 16, 2015, 12:48 PM

            Hello, I have the same problem here: clients cannot connect to any passive or active FTP server.

            So what rules do I need to set in my firewall?

            I tried to add WAN => LAN pass rules between TCP 42000 and 42010 and configuring the FileZilla client according to this but still does open data connection.

            Thanks.

              johnpoz LAYER 8 Global Moderator
              last edited by Feb 16, 2015, 2:01 PM

              It wouldn't be the FileZilla client you configure with those, it would be the server. You also need the server to send its actual public IP, not its private.

              If you want to run an FTP server behind pfsense that supports passive connections:

              Set it to send your actual public IP. Use range x-y for passive ports. Forward 21 on pfsense to your FTP server private IP, forward port x-y to your FTP server private IP = done.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                Maypeur
                last edited by Feb 16, 2015, 2:34 PM

                Thanks for your reply,

                But I don't own every FTP server and I can't configure those.

                So is it impossible to make an FTP client work on a network behind pfsense 2.2?

                  johnpoz LAYER 8 Global Moderator
                  last edited by Feb 16, 2015, 4:18 PM

                  There is a big difference if your FTP server or client is behind pfsense.

                  In a passive connection from a client behind pfsense, you really don't need to do anything but allow outbound connectivity, since the FTP server sends the IP and port to connect to. Only in an active connection does the server create a connection to the client from source port 20.

                  I would suggest understanding the ins and outs of how FTP works - this is a great reference: http://slacksite.com/other/ftp.html

                  So unless you're limiting outbound connectivity of your clients, there is nothing to do for outbound to server via passive.

                    Maypeur
                    last edited by Feb 17, 2015, 7:25 AM

                    Thanks, but like I said, this isn't MINE, so why talk about FTP server configuration?

                    FTP is still used a lot, and when I see "don't use FTP", it makes me smile a lot since we don't choose it; it's totally out of the real world!

                    So finally, pending a new FTP proxy coming out, i just add a rule for LAN which pass used TCP port to all my ip ftp server.

                    Thanks for your time.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Feb 17, 2015, 2:14 PM

                      What??? "i just add a rule for LAN which pass used TCP port to all my ip ftp server."

                      If someone wants to run an FTP server behind your firewall, then get with them and tell them the settings they have to do. Just because you don't admin the firewall does not mean you need a helper/proxy??

                        Maypeur
                        last edited by Feb 23, 2015, 7:50 AM

                        Hello,

                        You continue to talk about server configuration, so apparently you don't understand or read:

                        FTP server aren't on my LAN but outside and on internet like ftp.free.fr, and i don't own it.

                        " Just because you don't admin the firewall " ???

                        I'm the admin of the firewall on my LAN, so I added a rule to let my users who are in my LAN access public FTP servers on the internet.

                        So with the outbound rule no proxy is needed, but I must create all the rules specifically for each server.

                          johnpoz LAYER 8 Global Moderator
                          last edited by Feb 23, 2015, 1:35 PM

                          I understand very well, you just don't state details that were asked multiple times.

                          example:
                          "I tried to add WAN => LAN pass rules between TCP 42000 and 42010"

                          So this could be for a passive server behind pfsense, or did you set your client to use specific ports in the active connection? Without some actual details it could go either way.

                          Thank you for this
                          "FTP server aren't on my LAN but outside and on internet like ftp.free.fr, and i don't own it."

                          You don't need any special firewall rules on passive, unless you have outbound ports locked down, since the client connects to some port the server gave. In an active connection, yes, the server would connect back to the client from source 20.

                          Why do you need to create each rule, do you have all your outbound ports locked down?  Are they using active?

                          As stated, helper/proxy is gone. You have to do it old school like you're doing now. It's not that difficult.

                            fireball
                            last edited by Feb 23, 2015, 4:30 PM

                            I can't speak for the OP, but maybe it is something like this:

                            We have run into a situation on numerous occasions where the remote server is either misconfigured (gives its private IP rather than its public IP), or it is behind a firewall not configured correctly for a passive FTP server. Thus the configuration on the remote end is not set up properly for passive FTP.

                            This makes it such that clients on our local network (behind pfsense) cannot connect using passive mode. The active (port) mode helper would allow local users to instead use active (port) mode and connect to FTP servers in these cases.

                            Now that the helper is gone this is not an option, and users of pfsense are stuck trying to find some other workaround.

                            All too often the server "admin" on the opposite end has no clue how to set up the server/firewall properly for FTP. It is however the users on the pfsense end that get left in the cold. We can give certain machines 1:1 NAT and then allow specific ports for active FTP if the FTP client supports this (like FileZilla). This works, but is more difficult to set up, and requires a public IP (not an issue here, but I know lots of businesses with only 1 or 2 public IPs due to the shortage).

                            1 Reply Last reply Reply Quote 0
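Added example (not from any poster in this thread): a Python check of a server's `227` passive-mode reply against the two requirements discussed above, namely that the server advertises the address the client actually reached and a data port inside the forwarded range. The function names, the sample replies and the 203.0.113.5 address are constructed for illustration; 42000-42010 is the range mentioned earlier in the thread.

```python
import ipaddress
import re

# RFC 1918 ranges: a server reached across the Internet must not advertise these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 959 PASV reply carries h1,h2,h3,h4,p1,p2 (usually inside parentheses).
PASV_RE = re.compile(r"^227 .*?(?<!\d)(\d{1,3}(?:,\d{1,3}){5})(?!\d)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_pasv(reply, control_ip, port_range):
    """List the problems a NATed client would hit with this reply."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["malformed"]
    ip, port = parsed
    findings = []
    if ip != ipaddress.ip_address(control_ip):
        # Server advertises something other than the address we connected to.
        if any(ip in net for net in RFC1918):
            findings.append("private-address")
        else:
            findings.append("address-mismatch")
    lo, hi = port_range
    if not lo <= port <= hi:
        findings.append("port-outside-range")
    return findings


if __name__ == "__main__":
    # Constructed sample replies, as seen on the control connection.
    for line in ("227 Entering Passive Mode (192,168,1,10,164,20)",
                 "227 Entering Passive Mode (203,0,113,5,195,80)",
                 "227 Entering Passive Mode (203,0,113,5,164,16)"):
        print(line, "->", check_pasv(line, "203.0.113.5", (42000, 42010)))
```

An empty result means the reply matches what the port forwards expect; `private-address` is the misconfigured-server case described in the post above.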
                              jimp Rebel Alliance Developer Netgate
                              last edited by Mar 4, 2015, 9:24 PM

                              And now… https://forum.pfsense.org/index.php?topic=89841.0

                                fireball
                                last edited by Mar 6, 2015, 6:07 AM

                                Very cool. Thanks!

                                  Musli18
                                  last edited by May 27, 2015, 7:56 PM

                                  Maybe you can help me.

                                  I use Pfsense 2.2.2 with 2xWAN, Loadbalancing, Failover.

                                  Since the update to 2.2.2 I cannot connect with FileZilla to FTP servers on the Internet, for example to my web hosting. The connection is very slow and sometimes the connection is broken.

                                  I have read that the problem is the load balancing.

                                  How can I fix it?

                                  Thank you

                                    jimp Rebel Alliance Developer Netgate
                                    last edited by May 27, 2015, 8:01 PM

                                    See https://forum.pfsense.org/index.php?topic=89841.msg497482#msg497482

                                      Musli18
                                      last edited by May 27, 2015, 8:04 PM

                                      If I install the FTP Client Proxy package, is it the solution for my problem with load balancing with FTP?

                                        jimp Rebel Alliance Developer Netgate
                                        last edited by May 27, 2015, 8:05 PM

                                        Read through the portion of the thread starting with the post I linked in the previous message, it specifically mentions the problem with load balancing.

                                          Musli18
                                          last edited by May 27, 2015, 8:10 PM

                                          You write that it is not working with load balancing?
