Netgate Discussion Forum

Solve–>ftp-proxy problem

2.0-RC Snapshot Feedback and Problems - RETIRED
11 Posts 5 Posters 4.7k Views
    awwei
    last edited by Nov 27, 2008, 7:35 AM

    Dear all

    I found a problem where ftp cannot be used.
    In the /etc/inc/filter.inc file, the line is:
        $natrules .= "rdr on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
    If I change it to
        $natrules .= "rdr pass on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
    I can use ftp through it very well. I don't know why; I am sharing this information with everyone.

    Awwei

      sullrich
      last edited by Nov 27, 2008, 7:24 PM

      Which site could you not use?  I just tested ftp.freebsd.org and ftp.microsoft.com from 2.0 and it worked fine?

        awwei
        last edited by Nov 27, 2008, 7:59 PM

        Dear sullrich

        My pfSense version is "2.0-ALPHA-ALPHA built on Tue Nov 25 14:59:09 EST 2008".
        On the WAN port, "Disable the userland FTP-Proxy application" is unchecked; on the LAN port it is checked.
        I use the Windows XP ftp program to test.
        I cannot connect to ftp.freebsd.org unless I add "pass" to the natrules.

        Awwei

          sullrich
          last edited by Nov 28, 2008, 3:27 AM

          The FTP proxy would only affect the LAN interface (outgoing to internet from LAN in this case).

          Do you have a firewall turned on the XP machine?

            cmb
            last edited by Nov 28, 2008, 3:50 AM

            awwei:  can you post the contents of your /tmp/rules.debug from status.php?

              awwei
              last edited by Nov 28, 2008, 10:09 AM

              Dear sullrich

              I have tried turning off the firewall, but it still does not work.

                awwei
                last edited by Nov 28, 2008, 10:14 AM

                Dear cmb

                Sure... /tmp/rules.debug is listed below

                #System aliases

                loopback = "{ lo0 }"
                HiNet4M1M = "{ bfe0 }"
                LAN = "{ bge1 }"

                # User Aliases

                set loginterface bfe0
                set loginterface bge1
                set optimization normal
                set limit states 47000

                scrub on $HiNet4M1M all    fragment reassemble
                scrub on $LAN all    fragment reassemble

                nat-anchor "ftp-proxy/*"
                nat-anchor "natearly/*"
                nat-anchor "natrules/*"

                # Outbound NAT rules

                # Subnets to NAT

                tonatsubnets    = "{ 192.168.210.0/24  }"
                no nat on $HiNet4M1M to port tftp
                nat on $HiNet4M1M from $tonatsubnets port 500 to any port 500 -> 211.20.66.190/32 port 500
                nat on $HiNet4M1M from $tonatsubnets port 4500 to any port 4500 -> 211.20.66.190/32 port 4500
                nat on $HiNet4M1M from $tonatsubnets port 5060 to any port 5060 -> 211.20.66.190/32 port 5060
                nat on $HiNet4M1M from $tonatsubnets to any -> 211.20.66.190/32

                #SSH Lockout Table
                table <sshlockout> persist

                # Load balancing anchor

                rdr-anchor "relayd/*"

                # FTP proxy

                rdr-anchor "ftp-proxy/*"
                rdr-anchor "tftp-proxy/*"

                rdr on bge1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
                rdr on bge1 proto udp from any to any port tftp -> 127.0.0.1 port 6969

                # IMSpector rdr anchor

                rdr-anchor "imspector"

                # UPnPd rdr anchor

                rdr-anchor "miniupnpd"

                anchor "ftpsesame/*"
                anchor "relayd/*"
                anchor "firewallrules"
                #---------------------------------------------------------------------------
                # default deny rules
                #---------------------------------------------------------------------------
                block in  all label "Default deny rule"
                block out  all label "Default deny rule"

                # We use the mighty pf, we cannot be fooled.

                block quick proto { tcp, udp } from any port = 0 to any
                block quick proto { tcp, udp } from any to any port = 0

                # snort2c

                table <snort2c> persist
                block quick from <snort2c> to any label "Block snort2c hosts"
                block quick from any to <snort2c> label "Block snort2c hosts"

                # package manager early specific hook

                anchor "packageearly"

                # carp

                anchor "carp"
                table <virusprot>
                block in quick from <virusprot> to any label "virusprot overload table"
                antispoof for bfe0

                # block anything from private networks on interfaces with the option set

                antispoof for $HiNet4M1M
                block in  quick on $HiNet4M1M from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
                block in  quick on $HiNet4M1M from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
                block in  quick on $HiNet4M1M from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
                block in  quick on $HiNet4M1M from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
                antispoof for bge1
                anchor "spoofing"

                # loopback

                anchor "loopback"
                pass in on $loopback all label "pass loopback"
                pass out on $loopback all label "pass loopback"

                anchor "firewallout"

                # let out anything from the firewall host itself and decrypted IPsec traffic

                pass out all keep state label "let out anything from firewall host itself"

                # make sure the user cannot lock himself out of the webConfigurator or SSH

                anchor "anti-lockout"
                pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

                # NAT Reflection rules

                # package manager late specific hook

                anchor "packagelate"

                # SSH lockout

                block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                anchor "ftp-proxy/*"

                # enable ftp-proxy

                pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
                pass in on $LAN inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

                # User-defined aliases follow

                # User-defined rules follow

                pass  in  quick  on $LAN  from 192.168.210.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass  in  quick  on $LAN  from 192.168.210.0/24  to <direct_networks> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass  in  quick  on $LAN  route-to ( bfe0 211.20.66.161 )  from 192.168.210.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

                # VPN Rules

                anchor "limitingesr"

                # IMSpector

                anchor "imspector"

                # uPnPd

                anchor "miniupnpd"

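The ruleset above shows the dependency that awwei's first post touches on: an "rdr" rule only translates, and pf then evaluates the filter rules against the translated packet, so the redirect to 127.0.0.1 port 8022 relies on the separate "pass in on $LAN ... port 8022" line, whereas "rdr pass" lets matching packets skip the filter rules. The checker below is an added example, not code from pfSense or from this thread: it scans a constructed excerpt modelled on the posted rules.debug for rdr rules that neither carry "pass" nor have a covering "pass in" rule on the same interface, protocol and redirect port, resolving pf macros such as $LAN on the way.

```python
import re

# Constructed excerpt of a pfSense 2.0 /tmp/rules.debug (macro, rdr and pass
# lines modelled on the ones posted in this thread).
SAMPLE_RULES = """\
loopback = "{ lo0 }"
LAN = "{ bge1 }"
rdr on bge1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on bge1 proto udp from any to any port tftp -> 127.0.0.1 port 6969
pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in on $LAN inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"')
RDR_RE = re.compile(r'^rdr(?P<pass>\s+pass)?\s+on\s+(?P<if>\S+)\s+(?:inet6?\s+)?proto\s+'
                    r'(?P<proto>\w+)\s.*?->\s*\S+\s+port\s+(?P<port>\S+)')
PASS_RE = re.compile(r'^pass\s+in\s+(?:quick\s+)?on\s+(?P<if>\S+)\s+(?:inet6?\s+)?proto\s+'
                     r'(?P<proto>\w+)\s+.*?\sto\s+\S+\s+port\s+(?P<port>\S+)')

def parse_macros(text):
    """Collect pf macros written as NAME = "{ a b }" into NAME -> {a, b}."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = set(m.group(2).split())
    return macros

def expand(token, macros):
    """Resolve $NAME through the macro table; a bare interface maps to itself."""
    return macros.get(token[1:], set()) if token.startswith('$') else {token}

def unpassed_rdrs(text):
    """Return rdr rules that neither say 'pass' nor have a covering 'pass in'.
    pf filters after translation, so an rdr to 127.0.0.1 port N needs a pass
    rule on the same interface and protocol for port N; 'rdr pass' bypasses that."""
    macros = parse_macros(text)
    passes = [(expand(m['if'], macros), m['proto'], m['port'])
              for m in map(PASS_RE.match, (l.strip() for l in text.splitlines())) if m]
    problems = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or m['pass']:
            continue  # not an rdr rule, or an 'rdr pass' that needs no filter rule
        ifs = expand(m['if'], macros)
        if not any(ifs & pif and m['proto'] == pp and m['port'] == pport
                   for pif, pp, pport in passes):
            problems.append(line.strip())
    return problems
```

On the sample, the tcp redirect to port 8022 is covered by the FTP proxy pass rule, while the udp tftp redirect to port 6969 is reported because nothing passes it.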
                  eri--
                  last edited by Nov 28, 2008, 4:12 PM

                  Does it work if you change the destination to something other than 127.0.0.1 on the default LAN rule?

                    Skud
                    last edited by Nov 29, 2008, 6:49 PM

                    I've been having problems with HP's FTP site for the last few days. I thought it was HP's problem, but then I disabled the FTP proxy and it works fine now.

                    Just FYI..

                    Riley

                      eri--
                      last edited by Nov 29, 2008, 11:22 PM

                      Should be fixed on later snapshots.
                      And for HP it needs the RC959 workaround on the System: Advanced page.

                        awwei
                        last edited by Dec 1, 2008, 10:41 AM

                        Dear ermal

                        I upgraded pfSense to the Mon Dec 1 04:58:27 EST 2008 build.
                        It's okay to use ftp now.

                        Thanks ermal

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.