Netgate Discussion Forum
    Strange FTP disconnecting problem

Category: Firewalling
Harlock_99:

      Hi all,

We ran into a strange session-disconnect problem with an FTP server.

From the OVH (cloud) internal network (behind pfSense), we test from Windows servers (Windows 2008 or 2012), using the Microsoft ftp.exe (from the command prompt) to connect to an FTP server on the internet (belonging to another company).

From MS FTP we can connect to the FTP server, but when we try to list the directory or use any FTP command we get logged out.
(screenshot: ftp disconnected.png)

If we use the FileZilla client or a browser instead of the Microsoft FTP client on Windows, there is no problem connecting and listing the directories.

Although it is passive FTP, so the client side should not need any added rules, I tested adding rules on WAN and LAN for their FTP server IP address using port 21, ports 20-21, the passive port range they supplied to us, and also ANY; but with or without the rules it is still the same thing: we connect from MS FTP but cannot list.

If we try from our internal network (on our own site, not the OVH cloud) behind a SonicWall firewall, we don't get any problem using MS FTP; we can connect and list directories.

The IT guy who manages the company where this FTP server is located asked us to allow a passive port range on the pfSense. But I don't think it should help. I suspect that on their side they may not have allowed something; am I right?

johnpoz (LAYER 8 Global Moderator):

ftp from Windows only supports active connections. So you would need the ftp package set up in pfSense for that to work. You can use the pasv command all you want, ftp.exe in Windows only does ACTIVE...

In an active connection the server makes the data channel connection back to the client. So you would need firewall rules opened up to allow that data channel to talk to the client.

Why are you still using ftp? Why would you not be using sftp, which is secure and only uses 1 port, normally 22.. Just at a loss as to why ftp will not die? It should have died off 10 years ago.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

Harlock_99:

Thanks johnpoz for your very fast reply.

We use FTP because the external companies we are working with still use FTP servers.

MS FTP was just for testing the connection; in production it will be a Java program, which could use SFTP as well. As it is the external companies that use FTP, I will ask whether they can change to SFTP.

In the meantime, I have installed the proxy client (set up on LAN) following this post: https://forum.netgate.com/topic/124555/how-to-set-up-ftp-client-behind-pfsense-active-mode/3

I just tested it and it works now.

About the FTP proxy rules: I don't understand very well where to allow only specific IPs to use the FTP port when the proxy is enabled, as the firewall block rules are bypassed.

johnpoz (LAYER 8 Global Moderator):

Firewall rules are not bypassed with the ftp proxy/helper package. It just opens the return data connection when using active mode for the data channel.

If you do not want clients to be able to ftp then you should just block them from making the control channel connection in the first place on the LAN rules. You are going to want to uncheck the early check box in the ftp proxy settings.

I understand that the ftp server is not in your control. But I would really push them to move to a more secure method of file transfer.. Tell them you only allow sftp and not ftp outbound from your network.

sftp servers and clients are available for every OS with FREE options, so really there is no excuse not to allow for sftp other than just not wanting to change their old ways.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.