DMZ and FTP Out



  • Hey Guys,

    I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.

    My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?

    Thanks,
    -Josh



  • I am probably wrong, but it might have something to do with the ftp helper option. I read it in another post on here.



  • @josh:

    Hey Guys,

    I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.

    My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?

    Thanks,
    -Josh

    0.94 was just released, please try that, there are numerous fixes in it.  Thanks

    –Bill



  • Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
    And I've got the following stats:
    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ



  • @simonchs:

    Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
    And I've got the following stats:
    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

    Fixed in 0.95+



  • @sullrich:

    @simonchs:

    Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
    And I've got the following stats:
    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

    Fixed in 0.95+

    I've just tried to disable the ftp-helper for the LAN and WAN interfaces too, but still cannot get this to work… is there any other setting I need to do?
    Thanks.



  • @simonchs:

    @sullrich:

    @simonchs:

    Seems this problem still exists in 0.94.10… I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
    And I've got the following stats:
    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

    Fixed in 0.95+

    Do you still see entries like: self tcp 127.0.0.1:8022 ??

    I've just tried to disable the ftp-helper for the LAN and WAN interfaces too, but still cannot get this to work… is there any other setting I need to do?
    Thanks.



  • yup, I still got the

    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    in "Diagnostics: Show States" when I FTP out from the DMZ server.



  • @simonchs:

    yup, I still got the

    self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

    in "Diagnostics: Show States" when I FTP out from the DMZ server.

    Then the FTP helper isn't being deactivated. Did you reboot after making the change?



  • @sullrich:

    Then the FTP helper isn't being deactivated. Did you reboot after making the change?

    yes, had to reboot both pfSense and the server after making the change.



  • upgraded to BETA-1, and this problem still exists.



  • As you upgraded, can you try again with a fresh install and a config recreated from scratch without importing?



  • problem fixed after upgrade to 1.0-PREBETA2-BUG-VALIDATION-EDITION3
    thank you!  ;D



  • oh no…
    the problem hadn't shown up because the new option "Enable Filtering Bridge" was not checked; if I check this option, the problem comes back...

    tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56357 CLOSED:SYN_SENT
    tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56360 CLOSED:SYN_SENT
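    As an added diagnostic example (not from this thread or from pfSense itself): a small parser for the "Diagnostics: Show States" lines quoted above that flags port-21 sessions redirected to the FTP helper on 127.0.0.1:8022 and left in CLOSED:SYN_SENT, the symptom every post in this thread reports. The sample state lines and their addresses are constructed.

```python
import re
from typing import Optional

# Constructed sample of "Diagnostics: Show States" output, modelled on the lines
# quoted in this thread. Addresses are documentation placeholders, not real hosts.
SAMPLE_STATES = """\
self tcp 127.0.0.1:8022 <- 192.0.2.21:21 <- 192.0.2.100:40899    CLOSED:SYN_SENT
self tcp 127.0.0.1:8022 <- 192.0.2.21:21 <- 10.0.0.5:51000    ESTABLISHED:ESTABLISHED
self tcp 192.0.2.21:21 <- 10.0.0.5:51001    ESTABLISHED:ESTABLISHED
self tcp 192.0.2.80:443 <- 192.0.2.100:40900    ESTABLISHED:ESTABLISHED
"""

# One pf state line: optional interface, proto, then two or three "addr:port" hops
# joined by "<-" (three hops means a rdr rewrote the destination), then "state:state".
STATE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?(?P<proto>tcp|udp)\s+"
    r"(?P<hops>\S+(?:\s*<-\s*\S+){1,2})\s+"
    r"(?P<state>\S+:\S+)\s*$"
)

FTP_PROXY = "127.0.0.1:8022"   # where the pfSense FTP helper listens, per the thread
STUCK_PAIR = "CLOSED:SYN_SENT"  # one side sent SYN, the other side never answered


def parse_state(line: str) -> Optional[dict]:
    """Split a state line into interface, proto, hop list and the state pair."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    hops = [h.strip() for h in m.group("hops").split("<-")]
    return {"iface": m.group("iface"), "proto": m.group("proto"),
            "hops": hops, "state": m.group("state")}


def is_stuck_ftp_redirect(st: dict) -> bool:
    """True when a port-21 connection was rdr'd to the helper but the handshake never completed."""
    if st["proto"] != "tcp" or len(st["hops"]) != 3:
        return False
    rdr_target, original_dst, _client = st["hops"]
    return (rdr_target == FTP_PROXY
            and original_dst.endswith(":21")
            and st["state"] == STUCK_PAIR)


def find_stuck_clients(states_text: str) -> list:
    """Return the client endpoints whose FTP sessions hang at the helper's redirect."""
    stuck = []
    for line in states_text.splitlines():
        st = parse_state(line)
        if st and is_stuck_ftp_redirect(st):
            stuck.append(st["hops"][2])
    return stuck
```

A client showing up here with the helper disabled on its interface means the rdr to 127.0.0.1:8022 is still being installed, which is the conclusion drawn later in the thread.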



  • Add the rules to allow ftp to talk to localhost.

