Strange FTP disconnecting problem
-
Hi all,
We met a strange disconnecting session problem to a FTP server.
From OVH (CLOUD) internal network (behind PfSense), we test from the Windows servers (Windows 2008 or 2012), we use the Microsoft FTP.exe (from command prompt) to connect to a FTP server on internet (from another comapny).
From MS FTP, we can connect to the FTP server , but when we try to list the directory or use any FTP command we got logout.
If we use FileZilla client or a browser instead the Microsoft FTP from Windows, there is no problem to connect and list the directories.
Although it is a passive FTP , so the client side should not need add any rules, I tested to add rules on WAN and LAN with their FTP server IP address using port 21, port 20-21, the passive port they supplier to us, and also ANY but with or without the rules it is still same thing, we connect from MS FTP, but cannot list..
If we try from our internal network (on our site, not OVH cloud) behing Sonicwall firewall, we don't get any problem using MS FTP, we can connect and list directories.
The IT guy who manage the company where is located this FTP server asked us to allow a passive port range on the PfSense . But I don't think it should help. I suspect from other side they may did not allowed something, am I right?
-
ftp from windows only supports active connections. So you would need the ftp package and setup in pfsense for that to work. You can use the pasv command all you want, ftp.exe in windows only does ACTIVE...
In an active connection the server makes the data channel connection back to the client. So would need firewall rules opened up to allow that data channel to talk to the client.
Why are you still using ftp? Why would you not be using sftp which is secure and only uses 1 port, normally 22.. Just at a loss to why ftp will not die? It should of died off 10 years ago.
-
Thanks johnpoz for your so fast reply.
We use FTP because the external companies we workign with, still uses FTP servers
MS FTP was just for test the connexion, it must be a Java program which will be used in prod, it could use SFTP also. As it is external companies which using FTP, I will request if they can change to SFTP.
In waiting, I have installed the Proxy client (setting up on LAN) following this post : https://forum.netgate.com/topic/124555/how-to-set-up-ftp-client-behind-pfsense-active-mode/3
I just tested and works now.
About rules the FTP proxy, I don't understand very well where to allow only specific IP to use FTP port when the proxy is Enable, as the firewall blocked rules are by passed.
-
Firewall rules are not bypassed with the ftp proxy/helper package. It just opens the return data connection when the using active for the data channel.
If you do not want client to be able to ftp then you should just block them from making the control channel connection in the first place on the lan rules. You goingi to want to uncheck the early check box in the ftp proxy settings.
I understand that the ftp server is not in your control. But I would really push them to move to more secure method of file transfer.. Tell them you only allow sftp and not ftp outbound from your network.
sftp server and clients are available for every OS with FREE options so really there is no excuse to not allow for sftp other than just not wanting to change their old ways.
