• Hi everyone,

    I know there are a lot of tutorials about this and this subject was discussed a million times before... I was really trying to read and understand this :/

    I have pfSense implemented as a transparent firewall between my LAN and my router. I am operating on floating rules. I have a great problem with FTP connections from my LAN users to external FTP servers like ftp.example.com.

    • On my floating rules I have created rules for ports 20 and 21 (both directions) and a rule that lets all ports OUT from LAN (I don't want this rule to be enabled) and still nothing - "server can't open data connection" message from the web browser :(

    • When I create a rule to pass all to all, FTP connects normally, so...

    I used packet capture and I see that the ports being used to connect are 21 and ports from 20000 to 60000 - I don't want to open them all ;/

    I know that I probably do not understand the topic very well and I am doing something wrong, but users are getting angry because I have been trying to figure this out for a week :(

    Please help

  • LAYER 8 Global Moderator

    FTP has 2 modes, active and passive.

    In active mode the FTP server out on the internet would connect to your client's high port (the one the client tells it to use) from source port 20 for the data channel. So since you're in bridge mode and not doing any NAT, just create a rule that allows traffic from source port 20 to your clients.

    In passive mode the client connects to the server for the data channel, on whatever port (high port) the server says to connect to, from some high port.

    This is a great, easy to understand write-up on FTP. Read it, Learn it, Live it ;) And then kill FTP with fire - who still uses FTP? ;) Hope it's at least FTP over SSL?


  • Hahahaha :) thanks for your answer :) believe me... in some countries basic FTP is still normal.. :(

    OK, the thing is that both ports 20 and 21 are opened in both directions (IN/OUT) and it still can't connect :( I myself have configured an SFTP server and it is working fine from outside (only port 22 forwarded on the router and opened in pfSense), but somehow I can't create rules to enable connectivity from LAN to the internet, passive or active :( I think that I will have to temporarily create a rule for one host and give him full access.


    I know that this is my lack of knowledge but I simply have no more time to learn it now.

    Thank you once again

  • LAYER 8 Global Moderator

    20 is NOT an inbound port... Did you even glance over the link I provided? 20 is NEVER an inbound port in FTP. It is a SOURCE port, if you are talking to the server via active.

    20 is never going to be in to you, and never really out either, since the state would already have been created by the 20 coming inbound as source to whatever destination port your client told the server to connect to. So for active to work to a server out on the internet with a transparent firewall and no NAT...

    You would have to allow 21 outbound to talk to the control port on the FTP server. Then you would have to allow ANY destination port with a SOURCE port of 20. There you go, working active FTP to a server out on the internet. For passive to work you just have to allow any outbound, since you never know what ports the FTP server will use in passive mode; it tells your client which one to connect to.

    Is there NAT anywhere in your connection? In front of pfSense, or are all your clients on public IPs?

    21 again is never going to be inbound to you unless you're running a server. I highly, highly suggest you take a look at how FTP works!!! See the link I provided; you can not expect to set up firewall rules for FTP if you do not even understand how it works and the difference between active and passive.

    Why not just have your clients use passive to the server? Then the only rule you need is allow outbound any; you could lock it down by creating allow-any rules only to the specific IPs of the FTP servers they want to talk to. Never seen an FTP server on the internet that is meant for the public to talk to that doesn't support passive. What FTP client are your users using? If it's something like ftp from the cmd line on Windows then you're out of luck, because it doesn't support passive, only active. FileZilla is a FREE FTP client that users can easily set to use active or passive to the server, etc.

    If there is NAT somewhere between the internet and your clients?? After pfSense? Then that NAT will need to provide helper/proxy services for FTP. Since if your client is on a private IP and doing an active connection, it would tell the server to connect to its RFC 1918 address, which would never work ;) Something has to change that for the client, or the client needs to be smart enough to give out its public IP if behind a NAT. This is not needed in passive connections. You just need to allow outbound since the client creates both outbound connections: 1 to 21, and then the 2nd, the data connection, to the port the server tells the client to use.

    Key to getting FTP to work through a firewall/NAT is understanding how it works, both active and passive. Then it's simple enough to write the correct rules.

  • OK, I've read this and other tutorials and exactly this is what I've done. I have passed all ports outbound and... no way to connect :( I have NAT between the internet and the clients. I run my own FTP server but it operates on SSH (SFTP) and it works great. When I create a rule for one host from LAN to have full in/out access it can connect easily :/ So it means that INBOUND traffic is blocked somewhere :( I know that inbound has almost nothing to do with this... but this is how it looks :/

  • LAYER 8 Global Moderator

    Well, what is doing your NAT?? pfSense? Or something in front? You said pfSense was transparent; that tells me it's not the one doing NAT, or it wouldn't be transparent ;)

    So you run an SFTP server ;) It's not an FTP server using SFTP heheheh

    What is doing your NAT? If your client is sending out its private IP then no, you will never be able to have a server on the public net active-connect to you. It can not get to your public IP even if the port your client told it to use was open.

    If pfSense is the edge and doing NAT, there is an active FTP package that puts part of the helper back. So for clients trying to talk active FTP, pfSense will open up the firewall rules and change the IP they send to the server.

    Why don't you just sniff the traffic and see exactly what is going on, what is happening when the client says hey, connect to me on IP:PORT. Or again, just have your clients use passive. Then all traffic is outbound, both the control and the data channel.

    Here I just did a test showing you why active fails without help or the client sending the correct IP..

    ftp ftp.microsoft.com
    Connected to ftp.microsoft.akadns.net.
    220 Microsoft FTP Service
    User (ftp.microsoft.akadns.net:(none)): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
    230 User logged in.
    ftp> ls
    500 Illegal PORT command
    Connection closed by remote host.

    See in the attached that my client sends its private IP and port. The server would never be able to connect to that and shows it with the 500 error. Now if I install the active FTP package and then do the same thing, it changes the IP to my public IP. Both sniffs are on the pfSense WAN interface.

    So here it works:

    ftp ftp.microsoft.com
    Connected to ftp.microsoft.akadns.net.
    220 Microsoft FTP Service
    User (ftp.microsoft.akadns.net:(none)): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    230-Welcome to FTP.MICROSOFT.COM. Also visit http://www.microsoft.com/downloads.
    230 User logged in.
    ftp> ls
    200 PORT command successful.
    125 Data connection already open; Transfer starting.
    226 Transfer complete.
    ftp: 113 bytes received in 0.01Seconds 22.60Kbytes/sec.

    Because I installed the proxy FTP package. And now you notice it sends the public IP to the server. And then the server connects from source port 20 to the port sent by the client. pfSense auto-opened that rule when it saw the connectivity. And you can configure the package to even log that traffic. Notice the port in the log is not the same as the port on the WAN sniff because pfSense does NAT via NAPT, etc.

  • Once again thanks for the help :) what I'm going to say now is funny - I know, but... all started to work... :) even the site that I was writing about in the other post... :/ now I really don't know what is going on... any update? It had to take some time to refresh the rules (I killed states a few times)... I don't know. What matters is that now it is working like it is supposed to :)

    Once again thanks for your great help :)

  • LAYER 8 Global Moderator

    "i really don't know what is going on"

    I completely agree you don't have a clue what's going on ;)

    Do you even know if your clients are using active or passive? You mention "browser"; is this their FTP client? You have not stated which they are using. You have not stated what is doing the NAT, since you stated your pfSense is working as transparent. I am not even sure that is the case, to be honest ;)

    If there is something in front of pfSense doing NAT, is there an FTP proxy/helper running on it?

    Have you sniffed to see exactly what is going on? As you can see, FTP is wide open to sniffing: you can see the username sent, the password sent, the PORT command or the passive command; you can see what IP is given to or received from the server, and can work out the port with some simple math on the 2 numbers given. The 1st number x 256 + the 2nd number will give you the port number.

    FTP has been dead for years. I really don't see why anyone, no matter where in the world they are, would still be using it, other than lazy freaking admins that don't shut them down and use SFTP. And sure it can be a PITA because of the 2 different channels and the possible different directions the data channel can be opened in (active/passive), and then the use of so-called "clients" that are barely that and not really designed to even do FTP (browsers!) and don't give any logs, etc. etc. Then you have the added complexity of NAT in the mix, not only possible on the client side but the server side, etc. But when you come down to it, it is a very open, straightforward protocol that is easy to troubleshoot, since all the communication can be seen and is in plain text, so you know exactly what the server is telling the client or the client is telling the server, etc.

    So you not knowing what is going on comes down to your own issue, if you ask me. A simple sniff on pfSense would show you exactly what is going on.
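As an added illustration (not from this thread or from pfSense) of the active/passive distinction described earlier in the thread and of the port arithmetic just given: a small Python decoder for the client's PORT command and the server's 227 passive-mode reply, which also flags the case shown failing above with "500 Illegal PORT command", a client behind NAT announcing an RFC 1918 address. The session lines and the 203.0.113.10 server address are constructed sample data.

```python
import ipaddress
import re

# Both the PORT command and the 227 reply carry h1,h2,h3,h4,p1,p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(text):
    """Return (ip, port) from an FTP h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = _SIX.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):  # each field is one byte
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in _RFC1918)


def analyze_control_channel(lines):
    """Describe each data-channel setup seen on a plaintext FTP control channel.

    Each finding records who opens the data connection and to where, and whether
    an active PORT carries a private address that a server on the internet can
    never reach (the NAT failure mode the thread describes).
    """
    findings = []
    for line in lines:
        line = line.strip()
        parsed = decode_hostport(line)
        if parsed is None:
            continue
        ip, port = parsed
        if line.upper().startswith("PORT "):
            findings.append({"mode": "active", "opened_by": "server, from source port 20",
                             "target": (ip, port), "unreachable_private_ip": is_rfc1918(ip)})
        elif line.startswith("227 "):
            findings.append({"mode": "passive", "opened_by": "client, from a high port",
                             "target": (ip, port), "unreachable_private_ip": False})
    return findings


# Constructed sample session (not a real capture); 203.0.113.10 stands in for a public server.
SAMPLE = [
    "USER anonymous",
    "331 Anonymous access allowed, send identity (e-mail name) as password.",
    "PORT 192,168,1,50,200,11",  # client offers 192.168.1.50:51211 (200*256+11)
    "500 Illegal PORT command",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,80).",  # server offers port 50000 (195*256+80)
]

if __name__ == "__main__":
    for finding in analyze_control_channel(SAMPLE):
        print(finding)
```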

  • "I know that this is my lack of knowledge but I simply have no more time to learn it now."

    Some things you have to learn, if you're planning on accomplishing something.

    I bet your issue has to do with using a command line FTP client. Those generally run in active mode, which means you'll have "fun" getting through NAT or firewalls. Some command line clients can be switched to passive mode, others can't. Browsers always, to my knowledge, use passive mode. So, try the FTP site with a browser. If it works then there's your answer. You'll then have to use passive mode in the command line, assuming your client supports it.

    BTW, I 2nd the suggestion that you find something other than FTP. Unless it's an open download site, other protocols are likely better. Even if it is an open site, you may want to use something else.

  • LAYER 8 Global Moderator

    ^ exactly!! If it's a download site why would you not use HTTP/HTTPS?? Shoot, even if you want users to upload shit, why not use HTTPS if you don't like SFTP?? You mention using a browser, so use the protocol they are designed for.

    The only reason to use SFTP or, yes, even the really antiquated FTP would be if you need to upload very large files, which HTTP is not really good at. But if users are just downloading, shoot, files in the gigs are not a problem. If your transfer is automated/scripted then sure, SFTP/FTP are much easier to manipulate that way.

    If what you want to do is serve files to users to download anonymously then just put it on some HTTP server. If you want to control access for download, HTTPS so users can log in, or at least have the login via HTTPS. If they are just uploading files now and then, same system with HTTPS login. Shoot, I do this for my own friends and family since using anything other than pointing and clicking seems to be too complicated for your typical user ;) Plenty of free ways to skin this cat; I use http://www.kloudspeaker.com/, it's FREE and very easy to set up and maintain. For files that I serve up to the public, I compile iperf3 for Windows for example, I just have that served up via HTTP.

    If you're working with something that needs to be scripted, SFTP can be scripted just as easily as FTP, if not easier, and only requires 1 port.

    I just really don't see why FTP is still used, I really don't. I can not think of a use case where it would be the best solution. The only time I can see where you would have to do it is sending/getting files from somewhere that is 10 years behind the times and still uses FTP. In that case connecting to FTP on the public internet is not a problem, just use passive. Like I said before, I have never seen any FTP server on the internet that did not support passive. If you're really stuck having to connect to some active FTP server on the public internet then install the FTP proxy package that allows active FTP outbound, as long as it's not FTPS/FTPES.