Netgate Discussion Forum

Pfsense Block access external Public FTP

Firewalling
27 Posts 2 Posters 5.5k Views

johnpoz LAYER 8 Global Moderator

Let me say this yet again - you need to understand what you're doing for ftp: is it active or passive?

The ftp package is only going to help with active connections.

If your user's client will not do active and they are only running active then no, it's not going to work. I would suggest you please read through the doc I linked to; it explains the difference between active and passive and which direction the data connection is made in.

Are you locking down outbound connections? In a passive connection the server will give, inside the control channel, the IP and port the client should connect to. It's all gone over in the doc I linked to in very easy to understand terms, with diagrams showing the steps in the different connection methods.

Pfsense works just fine for both active (helper) and passive ftp connections. But if you do not provide more info then I can not help you find your problem... If the client is unable to provide a log - then sniff on pfsense. ftp is in the clear - again, going to state this again, it is NOT secure.. The username and password are sent in the clear. So sniffing at the firewall will allow you to see all the commands sent via the control channel.. And the answers, etc.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

doguibnu

@johnpoz

Thanks so much for your attention.
I would like to say that this FTP is not our FTP. Our network needs to access ftp://ftp.datasus.gov.br.
This I do not understand.
You tell me that I need to do an ftp rule to access the other side?
Sorry, I'm lost.

johnpoz LAYER 8 Global Moderator

OMG - dude... Did you read the link I provided?

Is the server you are going to doing active and passive? Or only passive? The package you added will only help in connecting to a server doing active.

If the server will not do passive, and your client can not do active - then no, you're not going to get it to work..

Understanding if you are using active/passive and IF you are doing any rules on your lan that limit access is how you fix your problem..

I don't even see them answering:

Status: Resolving address of ftp.datasus.gov.br
Status: Connecting to 189.28.143.164:21...
Status: Connection established, waiting for welcome message...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server

Are they running ftps, ftpes, are they running on a different control port than 21.. Their server doesn't even answer back after the initial connection.

doguibnu @johnpoz

@johnpoz
Hello!

I did the rule at Firewall - WAN:
Source: 189.28.143.164
Source Port range: 20

Destination: any

But on FTP client proxy?
Is there some configuration?

Another forum user told me to try creating this rule. He thinks that it can do Active FTP (to set port 20).

It does not work with this rule.
Thank you for your attention.

johnpoz LAYER 8 Global Moderator

You need to understand if the client is doing passive or active.

Yes, in active mode the server would be coming FROM source port 20, but to what dest port? And you have to make sure the client is handing out its public IP that can be forwarded. The active ftp package should do all of this for you.

In passive mode source port 20 would never be used.

So again - what is your client using, passive, active? Look at the logs of your ftp client. If the client does not show a log then sniff the ftp control channel on the firewall and it will show you all the commands, since it's all in the clear, and you can see the port or pasv command to know exactly what is attempting to happen for the data channel to be opened.

doguibnu @johnpoz

@johnpoz

To be more clear, I will connect to the ftp from outside this pfsense network with filezilla, look at the log and post it here, if you can help me, ok?

Thanks

johnpoz LAYER 8 Global Moderator

yes!!! If you show me the logs from the filezilla client - the full detail logs - then we can figure out what is going on.

Give me a sec and I can give you an example of trying to connect passive from a client and why there can be problems. And how active works.

So for example here is a connection to ftp.redhat.com

Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 64,53,x,x,243,86
Response: 550 Permission denied.
Command: PASV
Response: 227 Entering Passive Mode (209,132,183,61,206,2)
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.

You can see both an active connection and a passive connection. I have the client give out my public IP, so that is the 64.43.x.x, and then the port would be 243x256 + 86 or port 62294.

In passive the server says connect to it at IP 209.132.186.61 port 206x256 + 2 or 52738.

If I don't tell my client to use its public IP you get this command.

Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 192,168,9,101,243,123
Response: 550 Permission denied.
Command: PASV
Response: 227 Entering Passive Mode (209,132,183,61,215,34)
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing of "/redhat/3scale" successful

See that PORT is giving my machine's IP 192.168.9.101 - that would never work, and the server gave me a 550, so it switched into passive mode; the client switched to passive mode so it could connect to the server on the IP and port given.

doguibnu

Hello!
How are you?

Here is the log connecting to the ftp from outside the Pfsense network. I hope you can see the light to fix the rule.
Thank you

Status: Resolving address of ftp.datasus.gov.br
Status: Connecting to 189.28.143.164:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: USER anonymous
Response: 331 Anonymous access allowed, send identity (e-mail name) as password.
Command: PASS **************
Response: 230 User logged in.
Command: SYST
Response: 215 Windows_NT
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (189,28,143,164,21,249).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Response: 226 Transfer complete.
Status: Directory listing successful

johnpoz LAYER 8 Global Moderator

@doguibnu said in Pfsense Block access external Public FTP:

Command: PASV
Response: 227 Entering Passive Mode (189,28,143,164,21,249).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Response: 226 Transfer complete.
Status: Directory listing successful

You're connecting passive; all is working fine there.

doguibnu

Right,
This log is from outside the Pfsense network.
How to configure the rule on PFsense to work inside pfsense?
I did try many rule configurations to pass this ftp.
I do not know how to fix it!

Thanks

doguibnu

SOLVED

Steps:
Install the FTP client proxy package
Go to Services - FTP client proxy
Click to select Enable the FTP proxy
On Local Interface - select LAN
Click Save

Go to Firewall - Rules - WAN
New Rule
Action: Pass
Interface: WAN
Protocol: TCP

Source: Single host or alias
IP: IP of the ftp service
Source Port Range
From: 21
To: 249 (in my scenario)

Destination: any
Destination Port Range
From: 21
To: 249

Click on Save

Why port 249?

The log from filezilla outside the Pfsense network shows:
Response: 227 Entering Passive Mode (IP of the ftp service,21,249).

Now it works fine.

Thanks Johnpoz and all for your attention and help.

Douglas

johnpoz LAYER 8 Global Moderator

No No No...

None of that has anything to do with any of it..

Talking to a public IP outside pfsense from a client inside pfsense using passive has ZERO need for any port forward or wan rule. While port 21 is the default control port of ftp, how you read the passive command is WRONG..

Again I am going to ask: have you even bothered to look at the link I provided on how ftp works..

Again, your statement is completely wrong with how ftp works..

This statement
Passive Mode (189,28,143,164,21,249).

Is telling the client to talk to IP 189.28.143.164 on port (21x256)+249 = port 5625

For a client to talk to an ftp server outside pfsense from inside pfsense there is ZERO to do.. Since the client will create the connection to the server, and the default rules on lan are any any.. Unless you have modified your lan rules from any any there is nothing to do to talk passive to an ftp server on the public internet from behind pfsense.

For a client to talk to a server in active mode, then you need the ftp proxy package installed and set up. So that it can open the inbound traffic for the data channel to be opened.

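Added example (not code from this thread, from pfSense or from FileZilla): a small Python parser for the PORT and 227 lines johnpoz walks through in the ftp.redhat.com excerpt and in his reply to the "SOLVED" post. It decodes the h1,h2,h3,h4,p1,p2 notation into an address and a port with the p1*256 + p2 rule, reports which side opens the data connection in each mode and what the firewall in front of the client therefore has to allow, and flags the two failure modes the thread runs into: a PORT command carrying an RFC 1918 address that the server can never connect back to, and a PASV address that does not match the control-connection peer. The function names (parse_line, analyse, firewall_note) are my own, and the sample log lines are constructed from excerpts quoted in the thread.

```python
"""Decode FTP PORT / 227 lines from a FileZilla log or a control-channel capture.

Added example for this thread; not pfSense, FileZilla or the posters' code.
Sample log lines at the bottom are constructed from excerpts quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Client -> server: "PORT h1,h2,h3,h4,p1,p2" (active mode: server connects back)
PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive mode)
PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataChannel:
    mode: str                  # "active" or "passive"
    ip: str                    # address the data connection will go to
    port: int                  # decoded TCP port (p1*256 + p2)
    opened_by: str             # side that initiates the data TCP connection
    warnings: list = field(default_factory=list)

    def firewall_note(self) -> str:
        """What the firewall in front of the client must allow for this channel."""
        if self.mode == "passive":
            return (f"client opens outbound TCP to {self.ip}:{self.port}; only an "
                    "outbound allow rule is needed (pfSense's default LAN any-any suffices)")
        return (f"server opens inbound TCP from source port 20 to {self.ip}:{self.port}; "
                "a helper such as the pfSense FTP client proxy must admit it")


def decode_hostport(fields) -> tuple:
    """RFC 959 host-port string: four address octets, then port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    for value in (h1, h2, h3, h4, p1, p2):
        if not 0 <= value <= 255:
            raise ValueError(f"host-port field out of range: {value}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_line(line: str, control_peer: Optional[str] = None) -> Optional[DataChannel]:
    """Return the data channel a PORT or 227 line announces, or None for other lines.

    control_peer is the server address of the control connection (the
    'Connecting to a.b.c.d:21' line). When given, a PASV address that differs
    from it is flagged: that usually means the server itself sits behind NAT.
    """
    m = PORT_RE.search(line)
    if m:
        ip, port = decode_hostport(m.groups())
        ch = DataChannel("active", ip, port, "server")
        if ipaddress.ip_address(ip).is_private:
            ch.warnings.append("PORT advertises a private address; "
                               "the server cannot connect back to it through NAT")
        return ch
    m = PASV_RE.search(line)
    if m:
        ip, port = decode_hostport(m.groups())
        ch = DataChannel("passive", ip, port, "client")
        if control_peer and ip != control_peer:
            ch.warnings.append(f"PASV address {ip} is not the control peer {control_peer}")
        return ch
    return None


def analyse(log_lines, control_peer: Optional[str] = None):
    """Collect every announced data channel from the log lines, in order."""
    found = []
    for line in log_lines:
        ch = parse_line(line, control_peer)
        if ch is not None:
            found.append(ch)
    return found


# Constructed sample in FileZilla's log format, built from lines quoted in the thread.
SAMPLE_LOG = [
    "Status: Connecting to 189.28.143.164:21...",
    "Command: PORT 192,168,9,101,243,123",
    "Response: 550 Permission denied.",
    "Command: PASV",
    "Response: 227 Entering Passive Mode (189,28,143,164,21,249).",
    "Command: LIST",
    "Response: 226 Transfer complete.",
]

if __name__ == "__main__":
    for ch in analyse(SAMPLE_LOG, control_peer="189.28.143.164"):
        print(f"{ch.mode:8} {ch.ip}:{ch.port} opened by {ch.opened_by}")
        print("    ", ch.firewall_note())
        for w in ch.warnings:
            print("     warning:", w)
```

Run it as-is and it prints one line per data channel: the PORT line decodes to 192.168.9.101:62331 with a private-address warning (the 550 the Red Hat server answered with), and the 227 line decodes to 189.28.143.164:5625, the port johnpoz computes, with no firewall change required because the client opens that connection outbound.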
doguibnu

@johnpoz said in Pfsense Block access external Public FTP:

No No No…
None of that has anything to do with any of it…
Talking to a public IP outside pfsense from a client inside pfsense using passive has ZERO need for any port forward or wan rule. While port 21 is the default control port of ftp, how you read the passive command is WRONG…
Again I am going to ask: have you even bothered to look at the link I provided on how ftp works…
Again, your statement is completely wrong with how ftp works…
This statement
Passive Mode (189,28,143,164,21,249).
Is telling the client to talk to IP 189.28.143.164 on port (21x256)+249 = port 5625
For a client to talk to an ftp server outside pfsense from inside pfsense there is ZERO to do… Since the client will create the connection to the server, and the default rules on lan are any any… Unless you have modified your lan rules from any any there is nothing to do to talk passive to an ftp server on the public internet from behind pfsense.
For a client to talk to a server in active mode, then you need the ftp proxy package installed and set up. So that it can open the inbound traffic for the data channel to be opened.

I am sorry!
I do not know what to do anymore.
What is your suggestion to configure it the right way?

Yes, I did read your link about the differences between active and passive ftp.
I will read it again and again.

But, inside PFsense, how to configure it?

I will search for more information about it.

Thank you

johnpoz LAYER 8 Global Moderator

There is NOTHING to configure in pfsense for a client talking passive.. Nothing, unless you modified the default rules to block ports? What are your current lan rules?

Only if you're using active to talk to the server do you need the active ftp package helper.. From your log you were using passive and it was working..

Please post the log of your client that is NOT working when behind pfsense, and your LAN rules..

doguibnu

Hello!
Please, look at this link. He seems to have had the same difficulty as me.

https://www.experts-exchange.com/questions/28546035/Trouble-accessing-FTP-sites-via-pfSense.html

I think that I need to do a Lan Rule to pass on ports 20 and 21, right?

Other point:
My filezilla log inside the PFsense network also shows me grey coloured text (not green) after the wrong wan rule that you showed me.
Could that be the way?

Thanks

johnpoz LAYER 8 Global Moderator

OMG... Dude, did you edit the default lan rules away from any any?? If so then yeah, you're going to have problems. And you're going to need more than just 21.. 20 would NEVER be used; it's a source port in active mode.

But the server in passive is going to give you some random high port to talk to... So post up a screen shot of your LAN rules!!!

I can not help you without some information.. How many times do I have to ask to see your logs? If your LAN rules are not any any then yes, you need to show them.. I stated 3 days ago that if you had messed with your lan rules doing any blocking you could have problems with passive. If you had read the link I gave you, it goes over what happens in the data channel... So if you are limiting lan to specific ports via rules other than any any then YES, you're going to have a bad day trying to ftp in passive mode.

That thread is from 2014... Yeah, I will admit users have problems with ftp... Ftp should have been killed off 10 years ago.. It is NOT secure, it sucks through NAT, do I need to go on.. sftp is secure, it's 1 port so no issues through nat. There are both free clients and servers for every OS.. There is ZERO reason to be still using ftp other than complete lack of caring on the part of the person running the server for security...

doguibnu

Hello
Here are my Lan Rules

[image: lan-rules-pfsense.png]

Yes, you are right about sftp. I did read about it. But I need to study how to configure the server and pfsense for it. Then, enable sftp on our network.
But, remember, the Datasus FTP is an external service that works with a web service database. It is not our ftp server. So, sadly, I need to make it work fine.

I would like to thank you for your patience and help until now.

Douglas

johnpoz LAYER 8 Global Moderator

So you have downstream networks? Why do you have that 10/8 rule? And your icmp rule with any for the source network would be pointless unless you have downstream networks.

And really it is pointless anyway since you have the 10/8 rule - unless you have other networks other than 10/8?

So if your client is on lan net or in 10/8 your rules are any any and should have no issues doing passive ftp to a server outside.

Did you mess with outbound nat? You're using lan net as your transit to these downstream networks? Maybe you have an asymmetric routing problem... Please draw up your network and where your clients that you're trying to ftp with are in your network. Do they use pfsense as their gateway?

You're not routing any traffic through a vpn, are you?

Do you have any rules in your floating tab?

BTW, your scanner rule is pointless unless some downstream client is not in lan net or 10/8.

doguibnu @johnpoz

@johnpoz said in Pfsense Block access external Public FTP:

hello

So you have downstream networks? Why do you have that 10/8 rule? And your icmp rule with any for the source network would be pointless unless you have downstream networks.

We have 43 networks point-routed inside pfsense:
For example:
10.10.11.254
10.10.34.254
10.10.29.254
10.10.30.254
.......
The internet is provided by:
concentrator Internet MPLS
Dedicated Internet

And really it is pointless anyway since you have the 10/8 rule - unless you have other networks other than 10/8?

So if your client is on lan net or in 10/8 your rules are any any and should have no issues doing passive ftp to a server outside.

Did you mess with outbound nat? You're using lan net as your transit to these downstream networks?

Yes, we are using lan net to transit to these downstream networks.

Maybe you have an asymmetric routing problem... Please draw up your network and where your clients that you're trying to ftp with are in your network. Do they use pfsense as their gateway?

Yes, they are using pfsense as gateway. Each sector has a modem (or circuit point) routed to pfsense.

You're not routing any traffic through a vpn, are you?

We have some users who access a vpn through our pfsense because we have a NAS.

Do you have any rules in your floating tab?
No, there are no rules in the floating tab.

BTW, your scanner rule is pointless unless some downstream client is not in lan net or 10/8.

Thanks for now

johnpoz LAYER 8 Global Moderator

@doguibnu said in Pfsense Block access external Public FTP:

Yes, they are using pfsense as gateway. Each sector has a modem (or circuit point) routed to pfsense.

So there are clients in lan net.. Do you have host routing on them? If not then you're asymmetric if they are talking to any downstream network.

So if a client in lan wants to talk to a 10.x network he sends traffic to his gateway, pfsense, in the lan net. Pfsense then sends the traffic to some downstream router; the return traffic will not go to pfsense.

Please DRAW your network, and say what your outbound nat rules are. Is lan net also a 10.x address?

And again, please post a LOG of the filezilla client behind pfsense failing to connect... So we can see what gets sent in the passive command.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.