ftp client passive mode

sasa1

I made a capture, I hope it will be of help.
Thanks.

johnpoz

That is not showing any data connection, that is just control.. So you told the server to connect to your IP 10.0.0.135.. Did the package change that to your public IP on the wan side? Cuz if it didn't then there would be NO way for that server to connect to you..

Your wan sniff clearly showed a data connection from that source port 20 to your random high.. That was most likely a syn, and then 1 packet was sent back in response.. What was that packet? Pfsense would NOT send back anything unless you specifically change the default or put in a specific reject which would be HORRIBLE thing to do on a wan connection that is connected to the public internet..

Also the use of NLST vs list is going to be an issue... NLST is hey give me that list of files over our previous data connection that was opened before... if there was no open data connection that would fail no shit!

Do a simple list command once you have logged in via your cmd line..

sasa1

Hi,
I tried to run NLST but it tells me that the command is not valid.
Thanks.

johnpoz

Why would you run NLST, just do a LS it will then open a data channel.

sasa1

when i run LS i get the following message:
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp>

Thanks.

johnpoz

And we have gone over this and over this! I have shown you examples of how to trouble shoot it!

sasa1

sorry but unfortunately I did not understand how to solve this problem.
how can i get the list of files?

I'm sorry but I haven't understood what the solution is.
Thanks.

johnpoz

The solution is to do a sniff and validate that your active package is changing the IP and port of your connection and that you see the data connection come in from the ftp server..

If passive works, then use something that will allow you to script with passive. Say the suggested winscp application. Or lftp or any of the other tools available that actually support passive mode. Which the built in ftp of windows does not.

Rico

Is your FTP script hardcoded somewhere or why do you still try the Windows build-in FTP Client?
Scripting FTP with WinSCP is really 5-10min and it just works.

-Rico

johnpoz

Not sure why anyone would script a connection to a speedtest ftp server in the first place - there are much easier methods to check your internet connection and speed without having to script some ftp thing..

Maybe this is just an example site he is using to present his issue?

But ftp client in windows using active mode works just fine with the ftp package in pfsense (when setup correctly) and no other issues that could prevent it from working.. But without some basic troubleshooting, you can not determine where the issue is.. A couple of simple sniffs will show you were the problem is.. Quite possible its a local firewall..

In one sniff he does show what appears to be an inbound data connection to his public IP. But then on another sniff (on the client) he shows no inbound data connection.

The response to the connection to the wan only shows 1 packet response - I am guessing that was a RST.. But pfsense would not send an RST (at least not out of the box)..

13:05:14.395146 IP 90.130.70.73.20 > 93.57.xxx.xxx.54046: tcp 0
13:05:14.395513 IP 93.57.xxx.xxx.54046 > 90.130.70.73.20: tcp 0

I have gone over how to view the details of the ftp conversations.. You can check the firewall logs, you can view the states created.

example - here are the firewall logs showing that it allowed traffic for the data connections when in active mode.

If this basic troubleshooting is above his understanding, I would suggest he hire someone, or get a netgate support contract and they can assist in finding the root cause of the problem.

Do you have this checked in your ftp proxy setup

Its possible the windows ftp client requires the source for data to come from source port 20..

It could be a just a problem with the client, it could be maybe the port is in use that the client is trying to use? Active ftp through nat is problematic at best.. If the port being used is the problem, your going to have to use a different client that always setting which port to use..

sasa1

@johnpoz unfortunately I am not the one to decide which ftp client to use.
The software developers told me that they cannot change the ftp client immediately and for this reason I am forced to use Windows ftp client.

how can I validate the package?

Thanks.

sasa1

@johnpoz
yes the ftp speedtest is only an example.

On the ftp server to which the script connects I have the following error message:

ftp> ls
200 PORT command successful.
425 Can't build data connection with host : "x.x.x.x" Error : Connection refused
ftp> quit

I also tried to enable the parameter:
Rewrite Source to Port 20
but the result does not change.
Thanks.