FTP client proxy can't use aliases.



  • The FTP client proxy needs to learn how to honor aliases. If I put an alias in the bypass field, it doesn't bypass for any IP's. Now, I have to choose one address to bypass. Fortunately, in day to day, that is just barely enough, but a much better approach would be to have it honor aliases. It says it does, but it actually doesn't. Now, I have to literally temporarily switch that IP address manually to be able to FTP out to any one specific IP, as the proxy breaks as much as it helps.

    It also desperately needs a field for specific sources to proxy, so you can run it as "proxy nothing, except these specific internal hosts". I have an old FTP program that fetches non-sensitive data from a monolithic bureaucracy and I'm sure they'll ditch FTP soon. Maybe even this century, if we're lucky.  That old software fails completely without the proxy. But now, of course, many other FTP transfers break instead, so I'm stuck in a lesser of two evils situation.

    And on a side note, for the pfSense team just randomly deciding that FTP is no longer of use and people should just quit using it is arrogant to say the least. It's a shitty but valid protocol and many of us have to support it. You can strongly recommend it be scrapped (and I agree with that wholeheartedly) but breaking the firewall for FTP on purpose is just not cool.

    I'm grateful for the FTP proxy package - without it, my rollout of pfSense would literally have failed and I would have had to scramble to put the old firewall back and agree on rolling back multiple VPN's to the old and crappy settings so it was a near run thing - but please please take it one more level up and a) give us the option to  select only specific hosts to proxy and b) make the bypass field (well, every field) honor aliases so it's not limited to literally bypassing just one single destination IP.



  • The client proxy ftp-package is a separate package, and you should probably post those suggestion in one of the threads (bugs or development).

    Regarding pfSense dropping ftp-support in general - no comment.



  • The sticky FTP proxy thread is locked for comments, at least. Maybe I just didn't spot the right thread, I'll look again. I can't see any other bug or development threads.

    But I would really appreciate if it was looked at to see why aliases don't work. It was mentioned in the locked sticky as well, but the user mentioning it got no feedback.

    Yeah, I guess I'm still a little rattled over how close it was that I would have needed to roll back to the old crappy firewall over something so insignificant as FTP. Oh well, the FTP proxy is a just barely sufficient bandaid… but it's kind of broken around the edges, thus these posts.


  • Banned

    
    # pfctl -vvsa | grep ftp | grep -v tftp
    @13(0) nat-anchor "ftp-proxy/*" all
    @21(0) rdr-anchor "ftp-proxy/*" all
    @22(0) no rdr on em0 inet proto tcp from any to <ftp_proxy_bypass:3>port = ftp
    @23(0) rdr pass on em0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
    @217(0) anchor "ftp-proxy/*" all</ftp_proxy_bypass:3> 
    
    
    # pfctl -t FTP_Proxy_Bypass -T show
       31.x.x.x
       46.x.x.x
       188.x.x.x
    
    
    
    # pfctl -vvsTables
    ...
    -pa-r-- FTP_Proxy_Bypass
            Addresses:   3
            Cleared:     Sat Nov 19 13:41:49 2016
            References:  [ Anchors: 0                  Rules: 1                  ]
            Evaluations: [ NoMatch: 99682              Match: 21953              ]
            In/Block:    [ Packets: 0                  Bytes: 0                  ]
            In/Pass:     [ Packets: 0                  Bytes: 0                  ]
            In/XPass:    [ Packets: 0                  Bytes: 0                  ]
            Out/Block:   [ Packets: 0                  Bytes: 0                  ]
            Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
            Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
    ...
    
    

    I cannot see how this "can't use aliases". Sorry.



  • Well, I haven't checked it on that level  but I can say that if I put two IP's into an alias, and try to use that alias in the FTP proxy, the bypass stops working immediately.

    If I type in an IP address for the destination bypass, it immediately starts working.

    So I can use an alias, but not if I want to actually have things work. :)

    I did check, and this is what it says when I go looking after having put in the alias again instead of the IP. If I run this command with the one IP in there, it shows an IP where the alias is here. That works - this did not:

    
    /root: pfctl -sa | grep ftp
    nat-anchor "ftp-proxy/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "ftp-proxy/*" all
    no rdr on igb0 inet proto tcp from any to <ftpproxybypass>port = ftp
    rdr pass on igb0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
    no rdr on igb2 inet proto tcp from any to <ftpproxybypass>port = ftp
    rdr pass on igb2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
    anchor "ftp-proxy/*" all
    anchor "tftp-proxy/*" all</ftpproxybypass></ftpproxybypass> 
    

    I note that on mine, there's no number in the alias; it just says FTPProxyBypass. Could that be relevant? I'm admittedly bad at decoding this pf stuff directly.

    Edit some more: I re-read https://forum.pfsense.org/index.php?topic=89841.msg507286#msg507286 and tried adding the bypasses as x.x.x.x/32 networks instead of hosts and it seems to be working.

    That still leaves me wishing there was a field where you could explicitly say what IP you want to proxy, so that the default was no proxying as opposed to proxying everything except what is bypassed.


  • Banned

    @KimmoJ:

    I note that on mine, there's no number in the alias; it just says FTPProxyBypass. Could that be relevant? I'm admittedly bad at decoding this pf stuff directly.

    Yes, your alias is not getting resolved/parsed/expanded properly by pfSense. You are putting something broken in there. Not related to the package at all, I'm afraid.



  • I'm confused, how can you put anything broken in an IP alias?

    It's literally a list of IP's you enter in the GUI.

    I did seem to see similar issues with aliases in some of my firewall rules, but 99.9% of them are still built around aliases and work. But in some of them I had to explicitly write IP's directly to get traffic to move.