Netgate Discussion Forum
    pfsense not blocking file extension

    General pfSense Questions
    7 Posts 4 Posters 1.2k Views
    • kkprasanth

      This is my setup.

      ubuntumachine1 ---pfsense vm---ubuntumachine2.

      I need to FTP between two machines through pfsense.
      I have exe, com and txt files created on machine1.

      I need to ftp and get all three files from machine1 to machine2.
      pfsense should block exe and com files.

      How to do this? Will pfsense support this?
      I tried with squid installed. It did not block.

      Please Help.

      • Rico LAYER 8 Rebel Alliance

        What is the purpose of this?
        You can just block/filter unwanted file extensions in your FTP server.

        -Rico

        • JKnott @kkprasanth

          @kkprasanth said in pfsense not blocking file extension:

          I need to ftp and get all three files from machine1 to machine2.
          pfsense should block exe and com files.

          That is not a function of a firewall.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • kkprasanth @Rico

            @Rico I am trying to use pfsense as security equipment which in turn acts as a firewall which would be capable of blocking the file extensions?

            • kkprasanth @JKnott

              @JKnott Can it be used on the setup?

              • Gertjan @kkprasanth

                @kkprasanth said in pfsense not blocking file extension:

                Can it be used on the setup?

                Be aware that most traffic these days is tunnelled into a TLS connection, so the firewall, as a device in the middle of the data stream, can never "see" what's in the data packets. It sees where it goes to, and comes from, and the rate, number of connections, etc.

                FTP: an ancient protocol with no security in mind. Using it also means accepting all its shortcomings.
                But: if you control the client side or server side, file types to be excluded can easily be set up.
                Although I would put such devices on a DMZ or other isolated network. So if things go wrong, there will be no other devices at risk.
                If your FTP data and command channels are non-encrypted, then some tools can be set up so they detect the upload and download commands, as these are sent back and forth using plain ASCII text commands. So I guess it can be done.

                Btw: the same goes for mail filtering (attachments): the mail server is the right place to throw away what is forbidden: EXE, COM, SCR, BAT etc. are always on the list. Even if these files are stashed into an archive file.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
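
The control-channel detection described in the post above, as an added example that is not part of the original thread and is not pfSense or Squid code: it scans cleartext FTP commands for transfers naming a blocked extension and reports when the session switches to TLS. The function name and both sample sessions are constructed for illustration, and it assumes the server accepts the `AUTH` request.

```python
import posixpath

# FTP verbs (RFC 959) whose argument names a file being transferred or renamed.
FILE_VERBS = {"RETR", "STOR", "APPE", "RNTO"}
BLOCKED_EXTS = {".exe", ".com"}  # the two extensions from the question


def audit_control_channel(lines, blocked=BLOCKED_EXTS):
    """Scan client-to-server FTP control lines.

    Returns (findings, went_dark). findings lists (verb, path) for commands
    that name a blocked extension. went_dark is True once the client sends
    AUTH TLS/SSL: assuming the server accepts it, everything after that line
    is ciphertext to a device in the middle, so scanning stops there.
    """
    findings = []
    for raw in lines:
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb, arg = verb.upper(), arg.strip()  # verbs are case-insensitive
        if verb == "AUTH" and arg.upper() in {"TLS", "SSL"}:
            return findings, True
        if verb in FILE_VERBS:
            # Name-based only: this checks the extension, not the file content.
            if posixpath.splitext(arg)[1].lower() in blocked:
                findings.append((verb, arg))
    return findings, False


# Constructed sample: a cleartext session fetching the three files.
PLAIN_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.test\r\n",
    "TYPE I\r\n",
    "RETR notes.txt\r\n",
    "retr tools/setup.EXE\r\n",
    "RETR legacy.com\r\n",
]
# Constructed sample: the client upgrades to TLS before any transfer.
TLS_SESSION = ["AUTH TLS\r\n", "(encrypted bytes, not parseable)\r\n"]

if __name__ == "__main__":
    print(audit_control_channel(PLAIN_SESSION))
    print(audit_control_channel(TLS_SESSION))
```
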

                • JKnott @kkprasanth

                  @kkprasanth said in pfsense not blocking file extension:

                  @JKnott Can it be used on the setup?

                  In order to do that, it would have to do deep packet inspection and be able to identify file types. That's well beyond what pfSense is designed to do. Also, as mentioned above, TLS is often used these days, which means the data stream is encrypted and beyond deep packet inspection.
