Solve–>ftp-proxy problem



  • Dear all

    I found a problem where FTP could not be used.
        In the /etc/inc/filter.inc file,
        $natrules .= "rdr on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
        if I change it to
        $natrules .= "rdr pass on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
        I can use FTP through it very well. I don't know why; I'm sharing this information with everyone.

    Awwei



  • Which site could you not use?  I just tested ftp.freebsd.org and ftp.microsoft.com from 2.0 and they worked fine.



  • Dear sullrich

    My pfSense version is "2.0-ALPHA-ALPHA built on Tue Nov 25 14:59:09 EST 2008".
            On the WAN interface "Disable the userland FTP-Proxy application" is unchecked; on the LAN interface
              it is checked.
            I use the Windows XP ftp program to test.
            I cannot connect to ftp.freebsd.org unless I add "pass" to the natrules.

    Awwei



  • The FTP proxy would only affect the LAN interface (outgoing to internet from LAN in this case).

    Do you have a firewall turned on the XP machine?



  • awwei:  can you post the contents of your /tmp/rules.debug from status.php?



  • Dear sullrich

    I have tried turning off the firewall, but it still does not work.



  • Dear cmb

    Sure. /tmp/rules.debug is listed below:

    #System aliases
    loopback = "{ lo0 }"
    HiNet4M1M = "{ bfe0 }"
    LAN = "{ bge1 }"

    # User Aliases

    set loginterface bfe0
    set loginterface bge1
    set optimization normal
    set limit states 47000

    scrub on $HiNet4M1M all    fragment reassemble
    scrub on $LAN all    fragment reassemble

    nat-anchor "ftp-proxy/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules
    # Subnets to NAT
    tonatsubnets    = "{ 192.168.210.0/24  }"
    no nat on $HiNet4M1M to port tftp
    nat on $HiNet4M1M from $tonatsubnets port 500 to any port 500 -> 211.20.66.190/32 port 500
    nat on $HiNet4M1M from $tonatsubnets port 4500 to any port 4500 -> 211.20.66.190/32 port 4500
    nat on $HiNet4M1M from $tonatsubnets port 5060 to any port 5060 -> 211.20.66.190/32 port 5060
    nat on $HiNet4M1M from $tonatsubnets to any -> 211.20.66.190/32

    #SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor
    rdr-anchor "relayd/*"

    # FTP proxy
    rdr-anchor "ftp-proxy/*"
    rdr-anchor "tftp-proxy/*"

    rdr on bge1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
    rdr on bge1 proto udp from any to any port tftp -> 127.0.0.1 port 6969

    # IMSpector rdr anchor
    rdr-anchor "imspector"

    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"

    anchor "ftpsesame/*"
    anchor "relayd/*"
    anchor "firewallrules"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in  all label "Default deny rule"
    block out  all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # snort2c
    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # package manager early specific hook
    anchor "packageearly"

    # carp
    anchor "carp"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for bfe0

    # block anything from private networks on interfaces with the option set
    antispoof for $HiNet4M1M
    block in  quick on $HiNet4M1M from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in  quick on $HiNet4M1M from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in  quick on $HiNet4M1M from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in  quick on $HiNet4M1M from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for bge1
    anchor "spoofing"

    # loopback
    anchor "loopback"
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    anchor "firewallout"

    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH
    anchor "anti-lockout"
    pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

    # NAT Reflection rules

    # package manager late specific hook
    anchor "packagelate"

    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    anchor "ftp-proxy/*"

    # enable ftp-proxy
    pass in on $LAN inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in on $LAN inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

    # User-defined aliases follow

    # User-defined rules follow
    pass  in  quick  on $LAN  from 192.168.210.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
    pass  in  quick  on $LAN  from 192.168.210.0/24  to <direct_networks> keep state  label "NEGATE_ROUTE: Negate policy route for local network(s)"
    pass  in  quick  on $LAN  route-to ( bfe0 211.20.66.161 )  from 192.168.210.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

    # VPN Rules
    anchor "limitingesr"

    # IMSpector
    anchor "imspector"

    # uPnPd
    anchor "miniupnpd"



  • Does it work if you change the destination to not 127.0.0.1 on default LAN rule?
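
    The following pf.conf fragments are an added illustration of the point behind the question above; they are not from pfSense or from any poster in this thread. In pf, a plain rdr rule only rewrites the destination; the packet then goes through the filter rules with its new destination (here 127.0.0.1 port 8022), and the last matching filter rule wins unless an earlier one is quick. In the posted ruleset the "FTP PROXY" pass rules are not quick, while the later "Default allow LAN to any" rule is quick and has route-to, so the redirected packet matches "to any" and is policy-routed out the WAN instead of being delivered to ftp-proxy. The reading that route-to is what breaks the redirect is an assumption drawn from the listing and from the question above. The interface names, gateway and subnet are taken from the rules.debug post. The three fragments are alternatives; load only one of them, since pf requires all translation rules to come before the filter rules.

```pf
# Added example, not pfSense's generated ruleset. Values below are copied
# from the rules.debug posted in this thread; the diagnosis is an assumption.
lan_if     = "bge1"
wan_if     = "bfe0"
wan_gw     = "211.20.66.161"
lan_net    = "192.168.210.0/24"
proxy_port = "8022"

# ---- Fragment 1: as generated (plain rdr, filtered afterwards) --------------
# The redirected packet arrives at the filter rules as "to 127.0.0.1 port 8022".
rdr on $lan_if proto tcp from any to any port 21 -> 127.0.0.1 port $proxy_port

# Not quick: it matches, but a later matching rule can still override it.
pass in on $lan_if inet proto tcp from any to 127.0.0.1 port $proxy_port keep state

# Quick and "to any": this is the final decision for the redirected packet,
# so it is sent out the WAN gateway rather than handed to ftp-proxy on lo0.
pass in quick on $lan_if route-to ($wan_if $wan_gw) from $lan_net to any keep state

# ---- Fragment 2: the workaround from the first post (rdr pass) --------------
# "pass" on a translation rule creates state at translation time and the
# packet is never evaluated against the filter rules, so the route-to rule
# cannot capture it. Caveat: that also skips every block rule, including
# the <snort2c> and <virusprot> tables in the posted ruleset, for LAN->port 21.
rdr pass on $lan_if proto tcp from any to any port 21 -> 127.0.0.1 port $proxy_port

pass in quick on $lan_if route-to ($wan_if $wan_gw) from $lan_net to any keep state

# ---- Fragment 3: keep plain rdr, exempt the proxy from the policy route -----
# A quick pass for the proxy's localhost target placed before the route-to
# rule keeps the filter rules in play and still delivers the packet locally.
rdr on $lan_if proto tcp from any to any port 21 -> 127.0.0.1 port $proxy_port

pass in quick on $lan_if inet proto tcp from $lan_net to 127.0.0.1 port $proxy_port keep state
pass in quick on $lan_if route-to ($wan_if $wan_gw) from $lan_net to any keep state
```

    Fragment 3 is the shape a practitioner would normally prefer over fragment 2: it fixes the ordering problem without letting redirected traffic bypass the block rules. Either way, `pfctl -nf /path/to/file` checks the syntax of a fragment before it is loaded.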



  • I've been having problems with HP's FTP site for the last few days. I thought it was HP's problem, but then I disabled the FTP proxy and it works fine now.

    Just FYI..

    Riley



  • Should be fixed on later snapshots.
    And for HP it needs the RFC959 workaround on System > Advanced.



  • Dear ermal

    I upgraded pfSense to the version built on Mon Dec 1 04:58:27 EST 2008.
        FTP now works.

    Thanks ermal

