Netgate Discussion Forum

Beginner with PfSense - Port 21 - FTP

Category: Firewalling | 3 Posts | 2 Posters | 924 Views
    mauric (posted Oct 11, 2017, 12:23 PM; last edited Oct 11, 2017, 1:48 PM)

    Hello dear members,

    I tried to add to my FW rules the possibility of connecting to FTP sites, but I don't see my mistake. I have now tried more than one possibility, but without success.

    -LAN-
    ipv4 tcp - LAN Net - * - * - 20,21 * None - Allow FTP Traffic requests

    I need to connect, for example, to the following links, and a lot more like these ones:

    • ftp://repos-jnb.psychz.net/
    • ftp://centos.mirror.cdnetworks.com/centos/
    • ftp://ftp.kaist.ac.kr/CentOS/
    • ftp://ftp.netbsd.org

    Or is there any way to see on which port this link will connect?

    Thanks for any help.
    Regards
    Mauri

    –
    2.3.4-RELEASE-p1 (amd64) - PC Engines APU2 - 18 Hours 20 Minutes 23 Seconds

      mauric (Oct 11, 2017, 3:55 PM)

      In the meantime I see many people have asked this question, so I have tried to add NAT port forwarding, but my trouble is that I need to define a "Redirect target IP"???

      But I need this dynamic! Every internal LAN machine needs to connect to WAN public FTP servers.

      Please, any help.
      Regards
      Mauri

        johnpoz, LAYER 8 Global Moderator (posted Oct 11, 2017, 7:11 PM; last edited Oct 11, 2017, 7:15 PM)

        "every internal LAN machine need to connect to WAN public FTP Servers."

        This works out of the box with passive... unless you are blocking ports outbound. Your rule to allow 20 is pointless, since clients would never connect to port 20 of some server on the public internet. Port 20 in FTP is only ever used as the source port in an active connection, where the server will connect, from port 20, to the port the client sends.

        If you're going to block outbound ports and only allow standard ports out like 21, then you would need to do active connections and install the FTP package. This allows the firewall to open up the data port connection from the server into the client.

        So as I see it you have a few options. Allow all ports outbound and use passive, since the client will be allowed to talk outbound to the server on whatever data port the server sends.

        If you're going to limit outbound ports, your only option is to use active with the FTP package.

        You do know at least some of those are available via HTTP:

        http://ftp.netbsd.org/
        http://ftp.kaist.ac.kr/CentOS/

        Are you just wanting to download from them? One was not using HTTP; my work proxy blocked it as a possible hacking site ;)

        Trying to troubleshoot and allow FTP through NAT requires an understanding of active vs passive: what the server supports and what the client is trying to do.

        Here is a great write-up on the difference between active and passive and which direction the data connection is made:
        http://slacksite.com/other/ftp.html

        Did you read https://doc.pfsense.org/index.php/FTP_without_a_Proxy ?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 25.07

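An added example, not from the thread or from pfSense, that shows from the client side which port each FTP mode actually uses for the data connection. It parses a constructed PASV reply and a constructed PORT command (sample values, not taken from the servers listed above) and checks whether a restricted outbound port list would still let a passive transfer through, which is the distinction johnpoz draws.

```python
import re

# Constructed sample messages (not captured from any server named in the thread).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."
PORT_CMD = "PORT 192,168,1,50,4,1"

_SIX_NUMBERS = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


def parse_pasv(reply: str):
    """Passive mode: the server's 227 reply names the IP and port the CLIENT
    must connect to. Port is encoded as p1*256 + p2."""
    m = re.search(r"\(" + _SIX_NUMBERS + r"\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a '227 Entering Passive Mode' reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(cmd: str):
    """Active mode: the client's PORT command names the IP and port the SERVER
    will connect to (from its source port 20). Same p1*256 + p2 encoding."""
    m = re.fullmatch(r"PORT " + _SIX_NUMBERS, cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def passive_allowed(reply: str, allowed_outbound_ports=None) -> bool:
    """Would an egress policy let the passive data connection out?
    None means 'allow all outbound', like pfSense's default LAN rule;
    a set of ports means only those destination ports are permitted."""
    _, data_port = parse_pasv(reply)
    return allowed_outbound_ports is None or data_port in allowed_outbound_ports


def active_inbound_connection(cmd: str) -> dict:
    """Describe the inbound TCP connection an active transfer needs the
    firewall/NAT to admit: server:20 -> client:<announced port>."""
    client_ip, listen_port = parse_port(cmd)
    return {"src_port": 20, "dst_ip": client_ip, "dst_port": listen_port,
            "direction": "inbound"}


if __name__ == "__main__":
    print("passive data target:", parse_pasv(PASV_REPLY))
    print("allowed with only 21/80/443 out:", passive_allowed(PASV_REPLY, {21, 80, 443}))
    print("active needs inbound:", active_inbound_connection(PORT_CMD))
```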
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.