Solve–>ftp-proxy problem
-
Dear all
I found a problem where FTP cannot be used.
In /etc/inc/filter.inc file,
$natrules .= "rdr on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
if I change it to
$natrules .= "rdr pass on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
I can use FTP through it very well. I don't know why; I am sharing this information with everyone.
Awwei
-
Which site could you not use? I just tested ftp.freebsd.org and ftp.microsoft.com from 2.0 and it worked fine?
-
Dear sullrich
My pfSense version is "2.0-ALPHA-ALPHA built on Tue Nov 25 14:59:09 EST 2008".
On the WAN port, "Disable the userland FTP-Proxy application" is unchecked; on the LAN port it is checked.
I use the Windows XP ftp program to test.
I cannot connect to ftp.freebsd.org unless I add "pass" to the natrules.
Awwei
-
The FTP proxy would only affect the LAN interface (outgoing to internet from LAN in this case).
Do you have a firewall turned on the XP machine?
-
awwei: can you post the contents of your /tmp/rules.debug from status.php?
-
Dear sullrich
I have tried turning off the firewall, but it still does not work.
-
Dear cmb
Sure..... /tmp/rules.debug is listed below:
#System aliases
loopback = "{ lo0 }"
HiNet4M1M = "{ bfe0 }"
LAN = "{ bge1 }"

# User Aliases

set loginterface bfe0
set loginterface bge1
set optimization normal
set limit states 47000

scrub on $HiNet4M1M all fragment reassemble
scrub on $LAN all fragment reassemble

nat-anchor "ftp-proxy/"
nat-anchor "natearly/"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.210.0/24 }"
no nat on $HiNet4M1M to port tftp
nat on $HiNet4M1M from $tonatsubnets port 500 to any port 500 -> 211.20.66.190/32 port 500
nat on $HiNet4M1M from $tonatsubnets port 4500 to any port 4500 -> 211.20.66.190/32 port 4500
nat on $HiNet4M1M from $tonatsubnets port 5060 to any port 5060 -> 211.20.66.190/32 port 5060
nat on $HiNet4M1M from $tonatsubnets to any -> 211.20.66.190/32

# SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor
rdr-anchor "relayd/*"

# FTP proxy
rdr-anchor "ftp-proxy/"
rdr-anchor "tftp-proxy/"
rdr on bge1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on bge1 proto udp from any to any port tftp -> 127.0.0.1 port 6969

# IMSpector rdr anchor
rdr-anchor "imspector"

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "ftpsesame/"
anchor "relayd/"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in all label "Default deny rule"
block out all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

antispoof for bfe0

# block anything from private networks on interfaces with the option set
antispoof for $HiNet4M1M
block in quick on $HiNet4M1M from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in quick on $HiNet4M1M from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in quick on $HiNet4M1M from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in quick on $HiNet4M1M from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

antispoof for bge1

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

# NAT Reflection rules

# package manager late specific hook
anchor "packagelate"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

anchor "ftp-proxy/*"
# enable ftp-proxy
pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in on $LAN inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

# User-defined aliases follow

# User-defined rules follow
pass in quick on $LAN from 192.168.210.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass in quick on $LAN from 192.168.210.0/24 to <direct_networks> keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
pass in quick on $LAN route-to ( bfe0 211.20.66.161 ) from 192.168.210.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules
anchor "limitingesr"

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"
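To see why the first post's `rdr` vs `rdr pass` change matters, here is an added example (not code from the thread or from pfSense) that replays pf's filter evaluation, last matching rule wins unless a matching rule is `quick`, over the LAN rules from the rules.debug above for the FTP packet that the ftp-proxy `rdr` rule has already redirected to 127.0.0.1:8022. It assumes `$loopback` resolves to 127.0.0.1 and that `rdr pass` makes pf skip the filter rules for the redirected packet (its documented behaviour); the winning rule it reports is what cmb's question about the default LAN rule's destination is probing.

```python
import re

# Constructed from the rules.debug posted in this thread: the three LAN "in"
# filter rules that a packet already redirected to 127.0.0.1:8022 by the
# ftp-proxy rdr rule can hit, in their original order.
LAN_IN_RULES = [
    'block in all label "Default deny rule"',
    'pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state '
    'label "FTP PROXY: Allow traffic to localhost"',
    'pass in quick on $LAN route-to ( bfe0 211.20.66.161 ) from 192.168.210.0/24 '
    'to any keep state label "USER_RULE: Default allow LAN to any rule"',
]
# Macros from the same dump; $loopback (lo0) is modelled as 127.0.0.1 (assumption).
MACROS = {"$loopback": "127.0.0.1", "$LAN": "bge1"}
# The FTP control packet after "rdr on bge1 ... port 21 -> 127.0.0.1 port 8022".
REDIRECTED_FTP = {"iface": "bge1", "proto": "tcp", "dst": "127.0.0.1", "dport": 8022}


def parse_rule(text):
    """Reduce one pf filter rule to the few fields the evaluation needs."""
    label = re.search(r'label\s+"([^"]*)"', text).group(1)
    body = re.sub(r'\s+label\s+"[^"]*"', "", text)  # labels may contain "to"
    tok = body.replace("(", " ( ").replace(")", " ) ").split()
    rule = {"action": tok[0], "quick": "quick" in tok, "iface": None, "proto": None,
            "dst": "any", "dport": None, "route_to": None, "label": label}
    for i, t in enumerate(tok):
        if t == "on":
            rule["iface"] = MACROS.get(tok[i + 1], tok[i + 1])
        elif t == "proto":
            rule["proto"] = tok[i + 1]
        elif t == "route-to":  # "( iface gateway )" follows
            rule["route_to"] = tok[i + 2]
        elif t == "to":
            rule["dst"] = MACROS.get(tok[i + 1], tok[i + 1])
            if tok[i + 2:i + 3] == ["port"]:
                rule["dport"] = int(tok[i + 3])
    return rule


def matches(rule, pkt):
    return (rule["iface"] in (None, pkt["iface"]) and rule["proto"] in (None, pkt["proto"])
            and rule["dst"] in ("any", pkt["dst"]) and rule["dport"] in (None, pkt["dport"]))


def winning_rule(rdr_has_pass):
    """Last matching rule wins unless a matching rule is 'quick'; with
    'rdr pass' the redirected packet skips the filter rules entirely."""
    if rdr_has_pass:
        return {"action": "pass", "route_to": None, "label": "rdr pass: filter bypassed"}
    winner = None
    for rule in (parse_rule(r) for r in LAN_IN_RULES):
        if matches(rule, REDIRECTED_FTP):
            winner = rule
            if rule["quick"]:
                break
    return winner


if __name__ == "__main__":
    for has_pass in (False, True):
        w = winning_rule(has_pass)
        print(f"rdr{' pass' if has_pass else ''}: {w['action']} via {w['label']!r}, route-to={w['route_to']}")
```

With plain `rdr`, the quick `route-to ( bfe0 ... ) ... to any` user rule, not the "FTP PROXY" rule, is the one that decides the packet's fate; with `rdr pass` the redirected packet never reaches those rules.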
-
Does it work if you change the destination to not 127.0.0.1 on default LAN rule?
-
I've been having problems with HP's FTP site for the last few days. I thought it was HP's problem, but then I disabled the FTP proxy and it works fine now.
Just FYI.
Riley
-
Should be fixed on later snapshots.
And for HP it needs the RC959 workaround under System: Advanced.
-
Dear ermal
I upgraded pfSense to the version built on Mon Dec 1 04:58:27 EST 2008.
It's okay to use FTP.
Thanks, ermal