FTP passive mode



  • Hi All,

    I have a Windows FTP server behind a pfSense Netgate SG-4860 1:1 NAT.
    I can ftp to it from the outside but can only list files and dirs when passive mode is off.
    Using ftp from within the LAN, I can list files and dirs with both passive and non-passive mode.
    We just recently moved from a Linux iptables firewall. Setup was 1:1 NAT, ports 20 and 21 are
    forwarded to the internal IP, and destination port range 1024-65535 with a source
    port of 20 is also forwarded. This setup works for passive and non-passive mode. I did
    the same configuration on pfSense but can only make non-passive mode work. I read somewhere
    someone was able to get it to work by adding an outbound rule but did not elaborate on
    the actual rule.

    Thanks


  • LAYER 8 Global Moderator

    "Setup was 1:1 NAT, ports 20 21 are "

    when do you forward ports in a 1:1?  You mean the ports were allowed in the firewall?

    So did you read the sticky on this or the doc?
    https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense

    https://forum.pfsense.org/index.php?topic=15811.0
    The part without the helper/proxy for ftp since that went away multiple revisions ago.

    Here is rule one with getting ftp working behind a firewall/nat, be it active or passive server behind or really any possible combination: actually understanding how ftp works in active or passive mode.  When you state that you had forwarded port 20, clearly you are not understanding how it works.  In NO scenario would port 20 ever need to be forwarded.

    I suggest you read
    http://slacksite.com/other/ftp.html

    And then create the firewall rules to allow it to work.. To allow active connects to your server behind pfsense really all that is needed is to forward 21.  Since the server would be making the data connection from source port 20 to the IP and port the client tells the server to connect to.  Out of the box pfsense does not block any outbound ports.. If you have modified this then sure you would have to allow the ftp server to talk at least from source port 20 to anywhere the client might come from.

    To allow passive to a server behind pfsense, again you have to forward 21 and then any of the passive ports the ftp server might tell the client to connect to.  Since there is no helper/proxy in pfsense to auto do this for you.  So set up your ftp server to use a specific port range for these connections, for example 50000 to 51000, and make sure the ftp server gives out his actual public IP he is behind and not his local rfc1918 address.

    Setting up ftp behind pfsense is actually all of 30 seconds if you understand how ftp works and how to configure your ftp server.

    On a side note, to be honest ftp has been deprecated for years.. I would look to a better, more secure method of moving files, be it sftp or even https etc..



  • "when do you forward ports in a 1:1?  You mean the ports were allowed in the firewall?"

    Maybe I am doing my 1:1 NAT wrong. This is how I did it:
    1] Under Firewall, I created a Virtual IP (the public IP of the ftp server)
    2] Under Firewall -> NAT I created the 1:1 NAT - Interface is WAN
        - external subnet IP is the external IP address of the ftp server.
        - internal IP is single host with the IP of the internal ftp server.

    Since it was 1:1 NAT I thought all I had to do was allow ports to the virtual (public) IP address.
    When that did not work I ended up port forwarding it instead.

    Thanks


  • LAYER 8 Global Moderator

    So what firewall rule on wan did you create?
    "Since it was 1:1 NAT I thought all I had to do was allow ports to the virtual (public) IP address."

    From the 1:1 doc
    https://doc.pfsense.org/index.php/1:1_NAT
    "To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP."

    I am not really a fan of 1:1 nat to be honest..  Unless you were going to hand off this connection to some sort of customer and doing an any any sort of rule and all the security is on the customer.  Better solution would be to just route the public IP space to the client directly vs having to do any sort of nat.

    For ftp you sure don't need or want 1:1.  Most servers, even if you sort everything on 1 box, would still need just a handful of ports.  How many possible services are you providing to the public internet?



  • The ftp server is also an http server. So the first thing I tried to open was http port for the public ip address.
    I tested it by connecting to the web server's public IP from outside and I could not get connected.

    I will consider removing 1:1 NAT for most of our servers except for the mail server which has a PTR
    record associated with it to avoid getting rejected by other mail servers.

    So if I understand correctly, I would create a Virtual IP under firewall, forget 1:1 NAT and just port forward
    to the internal IP address?

    Thank you,


  • LAYER 8 Global Moderator

    what does PTR have to do with 1:1 nat??

    Yes, if you're going to want to use some other public IP in your port forward you would create a vip and port forward traffic to a port on that IP to whatever you want to send it to.  Then you have to make sure your outbound nat is using this vip or you run into an issue where you're trying to answer from a different public IP than the outside client started the conversation with.



  • Thanks for the tips. I got the passive/active ftp mode working but on a test box running window 2008 server.
    The ftp server on it has more options like using a public IP address. Unfortunately, I can only assign a port range on
    Windows 2003, not a public IP address.

    I have another issue where computers inside our LAN can not do active ftp, only passive. Not much of
    a big deal since we can change our programs to use passive. But I will try to correct that eventually.

    Re: PTR record. If our mail server is not 1:1 natted and it introduces itself to another mail server, wouldn't
    the other mail server see the IP address of the router, and if they do a reverse lookup to see if the IP address
    matches the FQDN our mail server used in the ehlo part of the smtp handshake, our mail server could be
    rejected. I guess this is when I have to add an outbound nat rule. Can you provide me with a link on how
    to outbound nat?

    Appreciate your help. Thank you.


  • LAYER 8 Global Moderator

    If your email server is talking to another email server, yes it would present its name; the IP address it is talking from would have to be your public IP, there is no way it could talk to these public servers via its private address.  Pfsense automatically does the outbound nat for you.. If you want to use a specific IP for outbound nat then sure you could do that, for example you could create an outbound nat when dest is port 25 it uses a specific vip, etc.

    As to how this server you're talking to checks the PTR, that has nothing to do with the NAT.  It sees the IP you're coming from and does a lookup for the ipaddress.in-addr.arpa name.. The answer to this is controlled by the owner of that public IP space.  Your ISP for example, if this address block has not been delegated or assigned to you by the owner of the space.

    220 resomta-ch2-15v.sys.comcast.net resomta-ch2-15v.sys.comcast.net ESMTP server ready
    helo test.test.com
    250 resomta-ch2-15v.sys.comcast.net hello [24.13.snipped], pleased to meet you

    So see how when I send the helo command, even though I give a name it still sees my public IP.  So it would then do a PTR lookup on that IP address.

    ;; QUESTION SECTION:
    ;snipped.13.24.in-addr.arpa.    IN      PTR

    ;; ANSWER SECTION:
    snipped.13.24.in-addr.arpa. 7200 IN      PTR    c-24-13-snipped.hsd1.il.comcast.net.

    Yes, you should get a PTR set up by the owners of that IP to match the fqdn your smtp server is going to use.  So if your smtp server calls itself mail.domainx.com and comes from your public IP address 1.2.3.4, then yes, get with your isp, if they have not delegated that control to you, to set up a PTR for your IP to match the name your mail server presents.

    As to why your local clients can not do active to your local ftp server.. That makes no sense, they are both on rfc1918 address space, and you're not natting between these networks, are you?  Are they on the same network or different ones you route/firewall through pfsense?  If so you need to make sure that the interface that the ftp server is connected to would allow the traffic to your other lan segment.  In an active connection the server would initiate the conversation to the client on the port the client said to use.  It's possible your client is running a software firewall and blocking this?  It's possible your firewall rules on your ftp segment are preventing the ftp server from creating the conversation; it's possible you're doing some sort of policy based routing on this ftp segment and the conversation for the data channel the ftp server is trying to start to your client is being routed out the vpn?  Lots of possible things that could be wrong - without understanding your whole setup it's hard to say what is causing you the pain.

    As to limitations in the ftp server you're trying to use.. You can either work around them, or just use a different ftp server.  There are plenty of FREE ones to choose from that run on multiple OSes, etc.  Just because you're a MS shop and have MS servers does not mean you need to only use the ftp server that is part of 2k3 for example.  That you still have 2k3 boxes in your windows network is sad to hear.. You do understand 2k3 was eol last year; even the extended support for 2k3 and 2k3r2 I believe was July 2015, we are now Aug 2016, all of your 2k3 boxes should have been decom'd, updated, replaced a couple of years ago ;)



    I know a private IP can not be used outside of the local LAN. The issue is which public IP address the other server will see.
    So if I don't use 1:1 NAT and use a VIP to route, say, the smtp port to a private IP, pfsense will automagically use the VIP
    associated with that PIP even if it's our smtp that initiated that connection? I was under the impression that if I don't
    use 1:1 NAT pfsense will use/present its WAN address. Like when I browse from the smtp server and ask "what is my ip?"
    I get the IP address of the pfsense WAN. We do have a PTR record which is the VIP for our mail server.

    Local clients, meaning within the LAN, are not the problem. It's our clients outside of the LAN that are having the issue. I guess
    linux iptables is more permissive (can be a good thing and a bad thing). We had a discussion this morning and I was asked
    how it was working on linux. Anyway, as a band-aid solution we are keeping the linux server just for that ftp server. The rest
    of our servers are behind pfSense now. If I remember correctly, we tried upgrading from Win2003 to Win2008 a while back
    and we ran into some problem configuring RAS dialup on win2008. The ftp server is used by a well known courier's clients to
    upload manifests and download updates to shipping software. We're sort of working as a broker between the courier and their clients.
    Some clients have an internet connection and some use a modem to get a ppp connection to our ftp server so they can upload/download.
    Yeah you can laugh… 2016 and they still use modems.

    The IIS/ftp is tied in a way so that an ftp client user can get automatically created. Don't ask me, I did not write the program and I
    am not a programmer. So 3rd party software is out of the question. The only option is to upgrade to a newer version of Winblows/IIS.  ;)
    If I had a choice I would run the ftp server on a *nix box; believe me I fought with those programmers but in the end they are the
    ones coding, not me.

    Thanks a lot.


  • LAYER 8 Global Moderator

    You do not need to do a 1:1 nat to have your smtp server use your vip for outbound - you just need to edit the outbound rules for that.  Yes out of the box your outbound nat would use the native IP on your wan interface IP for the nat.

    But you can clearly setup even just using hybrid mode on your outbound that a specific server for its outbound connections use a VIP for its outbound connection if that is what you want.

    "It's our clients outside of LAN that is having the issue"

    So public internet..  You do understand that in an active connection the issue could be on their side as well, right..  If they do not have a helper and they are behind a nat, or some other firewall in play even.

    In ftp, when the data connection is made it will be a new unsolicited connection.  So if the client is behind a nat without a helper and tries to make an active connection, their firewall/nat has to allow this new unsolicited connection to be opened/forwarded in their firewall/nat..  In passive mode, as long as they do not filter outbound connections they are fine..  Because the connection from the client's point of view will be only outbound conversations initiated by the client.  In an active connection the client will initiate the conversation but the data will be started from the server.  So while your firewall might allow the outbound from your server, their firewall/nat could be blocking it, etc.  Even if they send you the correct IP.. Which they might not even be doing.  I would suggest you watch the ftp traffic and see exactly what is going on when they do active: do they send you a public IP for your server to connect to, or do they send you their rfc1918?

    So I am going to state again running ftp server requires the admin to fully understand how ftp works both active and passive and how much a PITA working through firewalls and nats can be..  Even more so when clients and the server are both behind nats..

    As to still using modems - yeah that is not really funny, more sad to be honest.  Do you live and work in 3rd world country somewhere in the back waters of the planet?? ;)
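    As an added illustration (not code from this thread or from pfSense), a small Python checker that does what johnpoz suggests above and a few posts back: it parses the PORT commands and 227 passive replies from a control-channel capture and flags an RFC 1918 address handed to a public peer, or a passive port outside the range forwarded on pfSense. The capture lines, the `>`/`<` direction markers and the 50000-51000 passive range are constructed assumptions.

    ```python
    import ipaddress
    import re
    from typing import List, Optional, Tuple

    # Constructed sample of an FTP control-channel capture (not from the thread).
    # ">" marks a line the client sent, "<" a server reply.
    SAMPLE_CAPTURE = """\
    < 220 FTP server ready
    > PASV
    < 227 Entering Passive Mode (192,168,1,25,195,80)
    > PORT 10,0,0,7,4,1
    > PASV
    < 227 Entering Passive Mode (203,0,113,10,200,0)
    """
    # Passive port range forwarded on pfSense (assumed, the thread's 50000-51000 example).
    PASV_RANGE = (50000, 51000)
    _HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


    def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
        """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT commands and 227 replies."""
        m = _HOSTPORT.search(text)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


    def check_capture(capture: str, pasv_range: Tuple[int, int] = PASV_RANGE) -> List[str]:
        """Return one finding per data-channel endpoint that cannot work through NAT."""
        findings = []
        for line in capture.splitlines():
            if line.startswith("< 227"):
                who = "server PASV reply"
            elif line.startswith("> PORT"):
                who = "client PORT command"
            else:
                continue  # only data-channel negotiation matters here
            parsed = parse_hostport(line)
            if parsed is None:
                findings.append(f"{who}: unparseable address in {line!r}")
                continue
            ip, port = parsed
            if ipaddress.ip_address(ip).is_private:
                # An RFC 1918 address is unreachable for the peer on the public Internet.
                findings.append(f"{who}: advertises private address {ip}:{port}")
            if who.startswith("server") and not pasv_range[0] <= port <= pasv_range[1]:
                # Not forwarded on pfSense, so the client's data connection is dropped.
                findings.append(f"{who}: port {port} outside forwarded range {pasv_range}")
        return findings


    if __name__ == "__main__":
        for finding in check_capture(SAMPLE_CAPTURE):
            print(finding)
    ```

    Feed it the control channel as seen on the WAN side of pfSense and every finding corresponds to a data connection that will time out for an outside client.
    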



  • So I need to go to Firewall -> NAT -> Outbound and create a rule there?
    In the case of smtp how should I fill in those fields (Interface, Protocol, Source etc.)
    Sorry to be such a bother, if the firewall is not already live I would try things out.

    I understand how ftp is a bit more tricky than other services, even before pfsense.
    I really appreciate your patience trying to get the idea across.

    I guess you can call Canada a third world country.  ;D
    Like I said, our client is a major courier. I can't tell you who they are…
    hint starts with U and ends with S.  ;)
    I guess I don't have to tell you how much legacy stuff is still running at some of
    the Fortune 500 companies. Heck, they're still using PDP11s in nuclear plants.

    Cheers!


  • LAYER 8 Netgate

    The ftp server is also an http server. So the first thing I tried to open was http port for the public ip address.
    I tested it by connecting to the web server's public IP from outside and I could not get connected.

    That is from a few posts back but it sounds like you are placing firewall rules with a destination of WAN address. If so, that would be wrong. The address and port in the firewall rules is the post-NAT, or "real," listening IP address and port on the server being connected to on the inside.


  • LAYER 8 Global Moderator

    "In the case of smtp how should I fill in those fields (Interface, Protocol, Source etc.)"

    Well the protocol is tcp.. email sure is not sent via udp ;)  Source would be the IP address of your smtp server.  Interface would be your wan but you pick the vip you want to use.. Dest could be just 25 which is the port email is sent on..

    So is there any reason this server can not just use your vip for everything?  If so then it makes real easy just put in his IP and the vip..

    So see my attached example.. Lets pretend that 192.168.100.2 is a public IP that you created on your wan as a vip, etc.




  • @Derelict:

    The ftp server is also an http server. So the first thing I tried to open was http port for the public ip address.
    I tested it by connecting to the web server's public IP from outside and I could not get connected.

    That is from a few posts back but it sounds like you are placing firewall rules with a destination of WAN address. If so, that would be wrong. The address and port in the firewall rules is the post-NAT, or "real," listening IP address and port on the server being connected to on the inside.

    Yeah that was the case, after putting the PIP it started working as advertised.

    Thanks



  • @johnpoz:

    "In the case of smtp how should I fill in those fields (Interface, Protocol, Source etc.)"

    Well the protocol is tcp.. email sure is not sent via udp ;)  Source would be the IP address of your smtp server.  Interface would be your wan but you pick the vip you want to use.. Dest could be just 25 which is the port email is sent on..

    So is there any reason this server can not just use your vip for everything?  If so then it makes real easy just put in his IP and the vip..

    So see my attached example.. Lets pretend that 192.168.100.2 is a public IP that you created on your wan as a vip, etc.

    That is what I am doing. I have about a dozen public VIPs all using the WAN interface. One VIP is for email with ports 25,465,993,995 open.
    Another server using yet another VIP is listening on UDP port range 25000:25000 for GPS coordinates to track municipality service vehicles
    like plows and salters. Some of our servers are actually in the cloud; that's how I started using pfSense, the cloud company uses it to manage
    access to the virtual servers.

    Anyway I am getting side tracked here. I will try the outbound NAT rule on our other smtp server, that one is not used that much. I don't want
    to fudge up the other one that is already working.

    Thanks for your input again.

