Client side FTP Passive Mode after Upgrade to 2.2
-
You can use it as long as where you're connecting allows active.. Problem is with that ftp.exe I don't think you can send public IP, if your client is on private
So in an active connection the ftp server makes the connection to the IP and port you give it with port command.. So say it's ftp.pfsense.com and you're on your box behind pfsense.
In an active connection your box is on 192.168.1.100 for example.. You would send hey connect to me on 192.168.1.100 port 5001 well clearly that would not work because 192.168.1.100 is private and ftp.pfsense sure not going to be able to talk to that IP. But with a helper pfsense would have changed it to what pfsense wan public IP was and said oh need to forward port 5001 to 192.168.1.100
And that is how it worked.
In passive the server sends you the IP to connect to. So normally clients behind pfsense don't have any issues if outbound is not locked down. But if the passive server is behind pfsense you need to tell the server to use your public when it sends the pasv command and manually forward the ports the server is going to use say 5000 to 6000.
Problem is the ftp.exe from windows only does ACTIVE connections..
Where is the ftp server and where is the client?? This is a great write up on how ftp works for active and passive. This should be basic understanding for anyone using ftp even as a user if you ask me. If you admin a firewall were firewall be used in or out of then, then yeah understanding this is mandatory.. http://slacksite.com/other/ftp.html
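The PORT rewrite described in the post above, as an added example (not part of the original post and not pfSense or ftp-proxy code). The WAN address 203.0.113.10, the function names, and the check that the PORT address matches the client's own source address are assumptions of this sketch.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2  ->  IP h1.h2.h3.h4, TCP port p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def format_port(ip, port):
    """Build the PORT command line for an IP and port."""
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port >> 8, port & 0xFF)

def rewrite_port(line, client_src, wan_ip, wan_port):
    """Rewrite a LAN client's PORT command the way an active-mode helper would.

    Returns (command_for_server, forward) where forward is
    (wan_port, lan_ip, lan_port), or None when no rewrite is needed.
    """
    parsed = parse_port(line)
    if parsed is None:
        raise ValueError("malformed PORT command")
    ip, port = parsed
    # Assumed safety check: only open a forward back to the client that asked
    # for it, so a PORT command cannot point the server at a third host.
    if ip != client_src:
        raise ValueError("PORT address does not match client source address")
    if not ipaddress.ip_address(ip).is_private:
        return format_port(ip, port), None   # already routable, pass through
    return format_port(wan_ip, wan_port), (wan_port, ip, port)

if __name__ == "__main__":
    # Constructed sample: the 192.168.1.100 port 5001 case from the post.
    cmd, fwd = rewrite_port("PORT 192,168,1,100,19,137\r\n",
                            "192.168.1.100", "203.0.113.10", 5001)
    print(repr(cmd), fwd)
```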
-
And now… https://forum.pfsense.org/index.php?topic=89841.0
-
I'm a little confused about the ftp proxy. Was this something that was on and working by default in 2.1.x? Because I never configured any such proxy on the pfsense router or any settings in the ftp clients on the lan.
But, now that I've upgraded to 2.2.2, outbound FTP file transfer is broken.
Since I have outbound ports locked down, I'm not sure how to handle this problem. If the ftp proxy was necessary to get ftp clients working, even if insecure, why would it be stripped out? Why not just make it an option? Worried about security, well now I may have to allow everything outbound just so FTP will work. So much for blocking torrents and stuff….
-
The proxy was built in in 2.1.x
It is now a package on 2.2.x If you need it, install the package.
Not sure what the drama is about.
-
The proxy was built in in 2.1.x
It is now a package on 2.2.x If you need it, install the package.
Not sure what the drama is about.
Thanks, didn't realize this. I just installed it. Does it require any configuration or is it seamless like before when it was built in? The service won't start for me…does this install require a reboot or is there something I can run cmd line to get the daemon to start?
-
How about you go to Services - FTP Client Proxy and configure the thing? Sigh…
-
I configured the proxy the other day. It works for some devices, but other devices have a problem with it and I have to set them statically and bypass the proxy. The built-in proxy in the previous version of pfsense worked seamlessly.
-
"It works for some devices, but other devices have a problem with it"
Like what?? ftp is ftp is ftp is ftp.. It's either active or passive.. How exactly would a proxy that opens up the ports for an active connection not work with any client sending the ftp commands?
-
"It works for some devices, but other devices have a problem with it"
Like what?? ftp is ftp is ftp is ftp.. It's either active or passive.. How exactly would a proxy that opens up the ports for an active connection not work with any client sending the ftp commands?
I don't really have the details available to me about what ftp client is even being used. I think these are retail bar code scanner guns that when docked ftp some file to a remote location. Some of the devices we've had to set DHCP reservations for and put in a list of IPs to bypass the ftp proxy. Others only work if the ftp-proxy is on.
The pfsense logs show repetitive lines like this:
ftp-proxy[20575]: #57 client command too long or not clean.
I have them functional, but before when the ftp proxy was built-in, I never had to mess with any of this. So obviously the package is not the same in some way.
-
So it's not sending valid ftp commands then?
Why don't you sniff and let's see the command it's sending. This way the package could be fixed to address clients sending extra info and such in their commands.