Netgate Discussion Forum

    FTP Client Proxy Package

    • F
      Fiden
      last edited by

      Jimp,
      Please could you tell me how to add the ftp-proxy package to pfSense?

      Thank you so much

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        It's a package, so it installs like any other package from System > Packages.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • W
          wgr
          last edited by

          Hello,

          in the field "Proxy Bypass: Source" I can "Enter an IP address or alias for source client host(s) which should bypass the proxy." to exclude clients from the proxy, right?

          I have to use a vice versa scenario. That means only certain computers or users are allowed to use ftp; all others (more than 600) are not allowed. Since the user defined rules seem to be behind the ftp-proxy rules (which are dynamic?), it's not possible to set the needed ftp-restrictions in the user defined rules.

          How can I solve this problem?

          Best regards Werner

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            If the other users should not be able to reach FTP servers, make sure "Early firewall rule" is unchecked in the FTP Proxy options and then put in a block rule to prevent them from reaching FTP at all.

            pass tcp from <people allowed to reach ftp> to any port 21
            block tcp from any to any port 21

            If they should be allowed to reach other FTP servers just not using the proxy, there is not currently a way to accommodate that in the package at this time.

            • M
              michaelL
              last edited by

              I installed this into pfSense because we just made the switch over from an Apple router to a Soekris box with pfSense installed. FTP wasn't working at all. I tried making multiple firewall rules, and installing this package has completely fixed any issue we had with FTP. Thanks for the product!

              • G
                GreggN
                last edited by

                I'm probably making some simple mistake, but ftp client proxy package isn't working for me.  My pfsense firewall has a static IPv4 WAN address.  The LAN address is a typical RFC1918 address.  The squid package is working fine with the clients explicitly specifying the proxy in their browser configuration.  I'm not using transparent proxy because this pfsense firewall isn't my default route. pfSense version 2.3.1-RELEASE-p1.  I've tried with filezilla and a couple other ftp clients, but haven't found a working combination of settings yet.  I'm configuring the ftp client to connect to the LAN address of pfsense on port 21, with Passive mode, using the USER@HOST type of proxy.  I've also tried Active mode, and port 8021 and many other variations.  Usually my ftp client software shows that it's connected to the LAN address of pfSense, and then just times out waiting for the Welcome message.

                What mistake am I making?

                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  The FTP client does not connect to pfSense on port 21. It connects to the actual FTP server directly and the proxy intercepts.

                  Though if you have a proxy like squid explicitly configured in the client, it may be using that for FTP, depending on your proxy settings.

                  • G
                    GreggN
                    last edited by

                    Thanks for the quick reply.  Our previous ftp proxy required us to configure the ftp client software to talk to the proxy, which would then pass the communications out to the ftp server and return the responses to the ftp client.

                    If I'm understanding your answer, the FTP Client Proxy Package for pfSense only works in transparent mode, intercepting ftp communications and facilitating them in some way.  I'm afraid that we can't restructure our entire network to make all traffic flow through this single firewall, so this isn't a solution for me.

                    Thanks anyway.

                    • J
                      jordi
                      last edited by

                      Thanks for this package.

                      We are in a multi-wan configuration, with a special failover configuration. Some specific outbound connections use WAN1 as gateway and the rest use WAN2.

                      In our case, instead of 'Proxy Bypass' addresses, we would need it the other way round: use it for specific outbound connections (all using WAN1), and bypass the rest.
                      As it is now, when we activate this package, all problematic connections going through WAN1 work (great!), but then all FTP connections using WAN2 stop working… we cannot set all FTP through WAN1.

                      Is there any way to get this?

                      Thanks a lot for your help.

                      Regards from Barcelona,
                      Jordi.

                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        No, there is no way to accommodate policy routing or use any WAN but the default gateway, the ftp-proxy daemon is not capable of it.

                        • J
                          jordi
                          last edited by

                          @jimp:

                          No, there is no way to accommodate policy routing or use any WAN but the default gateway, the ftp-proxy daemon is not capable of it.

                          Thanks for your fast response. I get it.

                          Anyway, in our case an option just the opposite of 'Proxy Bypass: Destination' (something like 'Proxy Use: Destination' - and bypass all other IPs) would do it. I drop it just in case you are looking for new features to add in the next release ;)

                          Thanks again.

                          Regards from Barcelona,

                          Jordi.

                          • D
                            decibel83
                            last edited by

                            Hi,
                            I have a problem with the FTP Proxy package on pfSense 2.2.2.
                            I opened a thread about this problem: https://forum.pfsense.org/index.php?topic=113899.0
                            Thanks!

                            • J
                              Jorval
                              last edited by

                              Thanks jimp for this Package!

                              I had trouble with an external ftp connection.
                              Installed your package and it worked right out-of-the-box!

                              thanks a lot.

                              • I
                                itd
                                last edited by

                                Hi

                                Is this package compatible with 2.3.1-RELEASE-p5?

                                Best regards

                                Steve

                                • M
                                  Marlenio
                                  last edited by

                                  Yes, it is. If found in package list, then it's compatible.  :)

                                  Marlenio

                                  • M
                                    mka
                                    last edited by

                                    @Marlenio:

                                    @Marlenio:

                                    @jimp:

                                    Make an alias and put the alias name there.

                                    Thanks in advance. :) :)

                                    I tried. I made an alias with two IPs and put the name in "Proxy Bypass: Destination", restarted the service, but it doesn't work.

                                    EDIT: the alias works if the IPs are declared as a "/32" network, but not as a single host. :)

                                    Did not work for me, but a workaround is to create a NAT rule per destination on port 21 and tick the "No RDR (NOT)" option to bypass the proxy.

                                    • S
                                      shaunikwadhawan
                                      last edited by

                                      Hi All,

                                      I am facing an issue where I cannot get my clients (on WAN side) to connect to the FTP server (on LAN side). I have installed the ftp-proxy and also included the conntrack and passive rules to the ftp server. Whenever I try to connect via FileZilla it disconnects right after the PASV command.

                                      Below is the network:

                                      3750 Switch (WAN) >>>>>(WAN)Pfsense(LAN)>>>>>FTP Server.

                                      When I run a copy ftp command it times out. I can telnet to port 21 and without pfsense it works just fine.

                                      Windows cmd ftp works fine and FileZilla works fine for active mode. However, for passive I just can't seem to connect.

                                      Appreciate your help.

                                      Thanks.

                                      • jimpJ
                                        jimp Rebel Alliance Developer Netgate
                                        last edited by

                                        This proxy is not intended for that scenario, it is for clients on LAN connecting to remote FTP servers. Please start a new thread for that question.
