Ftp server
-
Hello All,
Does anyone know if the latest pfSense will support running an ftp server behind the firewall? By this I mean using NAT and forwarding port 21 to the ftp server.
I had this running, updated pfSense to 2.2.3, ftp clients could connect, but no transfer worked. I couldn't get it to work.
Finally I went back to an older version of pfSense.
So, does anyone have this working? On the latest?
-
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
-
I've been running a port-forwarded FTP server since 2.1.5. Currently on 2.2.2. Server works just fine.
-
I've been running a port-forwarded FTP server since 2.1.5. Currently on 2.2.2. Server works just fine.
KOM,
And you didn't have to do anything weird? Open other port ranges? Whatever?
All you do is forward port 21 to your server behind the firewall?
-
Before 2.2.2, you were using what version?
Did you read and apply what was mentioned here https://forum.pfsense.org/index.php?topic=97291.msg541876#msg541876 ?
-
Are the clients connecting via active or passive ftp? You need to understand the difference between the 2 when running a server behind NAT and a firewall, especially if there is no helper/proxy to do the work for you.
It becomes more difficult when the client is also behind NAT and has issues with active or passive that limit what they can do.
This is a great write up on active and passive:
http://slacksite.com/other/ftp.html
Your best option is to move to sftp, which only uses 1 port and is secure, vs the very antiquated, on its last legs protocol that is ftp.
-
All you do is forward port 21 to your server behind the firewall?
No, it's more complicated than that. FTP uses more than just port 21/tcp. If you're running in passive mode then you need to open up a lot more ports, depending on how busy your server is. In my case, I have ports 20, 21, 30000-30100 forwarded. My FTP passive config is set to use 30000-30100.
-
What is the point of forwarding 20, kom? In no scenario would there be traffic TO 20 from outside your network to your server.
Yes, your server might talk outbound from source port 20, but there is no scenario in which 20 would need to be inbound to your server as a destination port.
-
Port 20/tcp is the ftp data port (as I'm sure you're well aware), and when I was having this same type of issue a year ago as Snoopy is having, I opened it up during my troubleshooting. I had assumed that uploads from the client to the server would require an unsolicited 20/tcp connection. Once I got it all working, I didn't go back and play with it any further and break things.
-
Lets try again: http://slacksite.com/other/ftp.html
-
Yeah, as you can see from dok's screenshot showing the pretty diagrams they have at the link I provided, 20 is only ever used as a source port from the server to the client in active mode.
Client: hey server, connect to me on port xyz.. This will be sourced from 20 on the server.. So you could set up your firewall rules to allow your ftp server to go where it might want to go from 20.
I love this link as a reference because it is such a great write up, and it just amazes me how many people run and use ftp and don't really understand when and how connections are made, active vs passive, etc.
It has become a very handy link for the forums here since they pulled out the helper/proxy - you have to create the rules old school.. Can't just forward 21 to your server and have it work both active and passive ;)
If you don't mind me asking kom - why do you still have ftp?? It really should be killed off, with fire if you have to. It's a horrific protocol when it comes to NAT and firewalling to manage. Compared to simple sftp using 1 port.
They tried to fix the security issues with ftps, but now you just put the ports in an encrypted tunnel that the firewall can not see - so helpers are useless. And so many broken clients/servers behind NAT send their private IP for the data connection.. If it would just die it would be a good thing ;)
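To make the active/passive distinction in this thread concrete, here is an added example that is not code from the thread or from pfSense: a small parser for the PASV reply and the PORT command that works out where the data connection goes, which firewall rule that implies (inbound forward for passive, outbound from source port 20 for active), and whether a PASV reply fits the NAT setup (private address leaking, port outside the forwarded range). The addresses, the 30000-30100 range and all function names are constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple
# Added example, not from the thread or pfSense. PASV replies and PORT commands carry
# h1,h2,h3,h4,p1,p2: four address bytes, then a port encoded as p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # server -> client
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")       # client -> server
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class DataChannel(NamedTuple):
    mode: str   # "passive": client connects to server; "active": server connects to client
    host: str   # address the data connection is made to
    port: int   # TCP port the data connection is made to

def _hostport(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_control_line(line):
    """Return the DataChannel announced by a PASV reply or PORT command, else None."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        return None
    mode = "passive" if line.startswith("227") else "active"
    return DataChannel(mode, *_hostport(m.groups()))

def required_rule(chan):
    """What the server-side firewall must permit for this data connection."""
    if chan.mode == "passive":   # unsolicited inbound TCP to the advertised port: port forward
        return {"direction": "in", "dst_port": chan.port}
    # Active: the server opens the connection itself from source port 20 (ftp-data),
    # so nothing inbound to port 20 is ever required.
    return {"direction": "out", "src_port": 20, "dst_host": chan.host, "dst_port": chan.port}

def passive_problems(chan, public_ip, fwd_lo, fwd_hi):
    """Ways a PASV reply can fail to match the NAT setup; range and address are constructed."""
    problems = []
    if any(ipaddress.ip_address(chan.host) in net for net in RFC1918):
        problems.append("server advertised private address %s" % chan.host)
    elif chan.host != public_ip:
        problems.append("advertised %s, public address is %s" % (chan.host, public_ip))
    if not fwd_lo <= chan.port <= fwd_hi:
        problems.append("port %d not in forwarded range %d-%d" % (chan.port, fwd_lo, fwd_hi))
    return problems

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,117,48)"        # 203.0.113.10:30000
SAMPLE_PASV_BROKEN = "227 Entering Passive Mode (192,168,1,20,117,49)"  # private address leaks
SAMPLE_PORT = "PORT 198,51,100,7,4,1"                                   # 198.51.100.7:1025
```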
-
OK, it's fixed. ARE YOU HAPPY NOW GUYS??? ;D
and just amazes me how many people run and use ftp and don't really understand
it's pretty simple: the average IT person is expected to be an expert on everything these days, which is impossible. I fully admit I'm a jack of all IT trades and master of none. I know enough to (usually) get by, but I must admit that my working knowledge of the exact sequence of FTP handshakes is sorely lacking…
-
I hear you - I am a jack of all trades IT guy myself. This is mostly because I am interested in all of it :) And also previous job required you have hands in all the cookie jars to keep the enterprise up, etc.
But I like to think of myself as master of all!! While if you never ran into an issue with ftp I can see how you might have never had need to dive in. But all it should take is one problem with ftp to dive in and get the details of how it works.
From a security standpoint, bringing up a server that would be open to the public as well - I would think you'd want to know, etc.
No real biggy, was more just curious as to why you're even still running it. I personally pointed it out not as a jab at you or anything - but for the next guy.. That is how fud gets to become so common: oh, this great guy on a tech forum said he forwarded 20 - so it must be required, etc. etc.
-
I barely have 15 minutes to myself before my boss runs in with his latest whim so having time to really focus on something is hard where I am.
And no, I have no problems being corrected. If I did, I wouldn't last long in these forums. Nobody likes being wrong, but I try to keep my ego in check. Please correct me each and every time I say something dumb. I'm a big boy, I can take it, and I don't like misinformation either.
-
Guys,
Thanks for all the info. I am (at the moment) running 2.1.4.
To get the ftp server working I set up a NAT port forward, port 21 to our ftp server behind the firewall, works fine.
Yes, I'm still using regular old ftp, we have a lot of machines out there using it, connecting to us, and I don't have control over that part of things.
I'm going to do some testing to see about getting it to work on the latest pfsense. The ftp server behind our firewall is a microsoft machine which I don't know too much about, but that may have to change.
Thanks again, I'll report back.
-
Well version 2.1.4 I believe still has the ftp helper/proxy so that would be why just a forward of 21 would work.
"I'm a big boy, I can take it, and I don't like misinformation either."
And that should be everyone in IT's motto.. I feel the same way - we only get better when we learn something new, or get corrected if we take the wrong path and someone explains why it's the wrong path, etc..
This is part of the reason I like dok's posts so much - direct and to the point, no pulling of any punches. This is the fastest way to disseminate information if you ask me. I don't need or want all the flowery speech.. If I have something wrong then say so - if I suggest something stupid, then say so.. etc.. etc..
People quite often, have over inflated egos and the sensitivity of a school girl on her period, just after her bff slept with her bf ;)
case in point
https://forum.pfsense.org/index.php?topic=97145.msg541903#msg541903
You would think I slapped his mother or called his gf a fat whore ;)
-
Well version 2.1.4 I believe still has the ftp helper/proxy so that would be why just a forward of 21 would work.
Yes, that's what I think too, which is why I went back to it.
But KOM says he's running 2.2.2, just port forwarding and it works. So I'm going to do a little testing on that, make sure I can get it to work.
Snoopy
-
@snoopy100
Did you get it solved and up?
-
@KOM:
OK, it's fixed. ARE YOU HAPPY NOW GUYS??? ;D
and just amazes me how many people run and use ftp and don't really understand
it's pretty simple: the average IT person is expected to be an expert on everything these days, which is impossible. I fully admit I'm a jack of all IT trades and master of none. I know enough to (usually) get by, but I must admit that my working knowledge of the exact sequence of FTP handshakes is sorely lacking…
Ultimately it boils down to what the programmers decided when writing what looks like an FTP server; the ones I've written even just work on port 21, as there was no need to support more than one connection at a time, in a scheduled time slot fashion.
You don't always have to conform to industry standards if the customer requirements are different to others'.
The avg IT support person can up their game by learning to program, as it's the programmers who ultimately write the manuals the support people follow, so having a good overview of how everything works and then coding for them can be quite illuminating.
Alpha/Beta testing can be useful for understanding the skill of other programmers, seeing the bugs and how quickly things get fixed to understand strengths/weaknesses of said programmers.