Netgate Discussion Forum

IIS FTP Server behind PfSense - Cannot list folders

    ink_theory
    last edited by Dec 19, 2017, 11:50 AM

    Good morning pfSense community,

    I'm trying to make a Windows IIS FTP server work behind our new PfSense to accept external connections for our tests. The problem is that from the outside I can't list any folder. It's possible to connect and authenticate to our FTP through cmd or Filezilla, but when I try to list files it gets stuck here until it times out:
    Comando: PWD
    Resposta: 257 "/" is current directory.
    Comando: TYPE I
    Resposta: 200 Type set to I.
    Comando: PASV
    Resposta: 227 Entering Passive Mode (186,202,182,109,215,193).
    Comando: LIST
    Resposta: 150 Opening BINARY mode data connection.

    On Windows' IIS FTP I did set external firewall IP and the port range I want it to work. Did the corresponding rules on PfSense passing ports 20,21 and 5000-5020 (the specified range on Windows' IIS FTP).

    I've been reading many articles here about this but I'm not sure where to start, could you please help me on this one? I'm stuck for days.

    Thank you very much!

      Grimson Banned
      last edited by Dec 19, 2017, 9:25 PM

      https://forum.pfsense.org/index.php?topic=15811.0

        johnpoz LAYER 8 Global Moderator
        last edited by Dec 19, 2017, 11:41 PM

        So a client connecting from the internet to ftp server behind a NAT using passive means the client would connect to the IP and port the server says to connect to.. so that 186.202.x.x IP at port 215*256 + 193 or 55233, did you forward that port to your ftp server?

        You need to set your ftp server to use a specific range of ports for its passive range, and then forward those to your server since firewall(pfsense) is not going to auto do that for you..

        Not sure where you do that in IIS, or even if you can.. But in filezilla its real easy..

        [image: passiveftpsettings.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          ink_theory
          last edited by Dec 21, 2017, 3:19 PM

          @johnpoz:

          So a client connecting from the internet to ftp server behind a NAT using passive means the client would connect to the IP and port the server says to connect to.. so that 186.202.x.x IP at port 215*256 + 193 or 55233, did you forward that port to your ftp server?

          You need to set your ftp server to use a specific range of ports for its passive range, and then forward those to your server since firewall(pfsense) is not going to auto do that for you..

          Not sure where you do that in IIS, or even if you can.. But in filezilla its real easy..

          Thanks johnpoz, that was it. I defined the passive range on IIS, restarted the service and it worked. Great!

            Derelict LAYER 8 Netgate
            last edited by Dec 21, 2017, 6:18 PM

            And you can remove that port forward to port 20. It is unnecessary and is not used.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              johnpoz LAYER 8 Global Moderator
              last edited by Dec 21, 2017, 6:56 PM

              Not sure where the nonsense of forwarding port 20 ever comes from.. There is ZERO scenarios where that would ever be forwarded anywhere… Yet in almost every single post where someone asks about ftp they forward that... How did that FUD ever get started, and why does it still exist?


                KOM
                last edited by Dec 21, 2017, 7:02 PM

                Every description of FTP I've ever read has talked about 20 for data, 21 for control for active servers.  Passive doesn't use 20.

                  Derelict LAYER 8 Netgate
                  last edited by Dec 21, 2017, 7:04 PM

                  But it is the client side that has to forward 20 in for active connections. That's what the ALG does.


                    KOM
                    last edited by Dec 21, 2017, 7:08 PM

                    I've never bothered to sniff a connection to see what's really going on.  I hate FTP.  I hated it so much that I took our company FTP server, threw it in the trash and put up a Nextcloud in its place.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Dec 21, 2017, 7:43 PM Dec 21, 2017, 7:37 PM

                      20 is NEVER used as a dest port… It would be the source port in an active connection... There is NEVER a scenario where 20 would ever be a dest port.. Ever...

                      http://slacksite.com/other/ftp.html

                      Your active server behind the nat would initiate the connection to the client from source port 20, the return traffic would be allowed in because of the state. It never would need to be forwarded - unless you were talking about a stateless packet filter.

                      Client side in that connection the client would have told the active server what port to talk to..  It would just normally be from source port 20 to whatever dest the client told the server to connect to..

                      I agree I hate ftp - it should have died off 10+ years ago... But here we are talking about it, and still people don't understand how it works ;)


                        JKnott
                        last edited by Dec 21, 2017, 7:48 PM
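An added example (not from the thread or from pfSense/IIS) that puts the two points above into code: the PASV arithmetic from johnpoz's first reply (port = p1*256 + p2, so the 227 reply in the opening post points at 55233, far outside the 5000-5020 range the poster forwarded) and the active-mode point in this reply (the server dials out from source port 20, so nothing is ever forwarded to destination port 20). The public IP and forwarded range are constructed from the values in the thread; the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed values for this example: the PASV reply quoted in the opening
# post and the 5000-5020 passive range the poster forwarded on pfSense.
PUBLIC_IP = "186.202.182.109"
FORWARDED_RANGE = (5000, 5020)

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple shared by the 227 PASV
    reply and the PORT command; the port is p1*256 + p2."""
    m = _TUPLE.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def describe_data_connection(line: str, public_ip: str = PUBLIC_IP,
                             forwarded: Tuple[int, int] = FORWARDED_RANGE) -> Dict[str, object]:
    """Say which side opens the data connection for one control-channel line
    and whether the server-side firewall needs a port forward for it."""
    parsed = parse_hostport(line)
    if parsed is None:
        return {"mode": "unknown"}
    host, port = parsed
    if line.startswith("227"):
        # Passive: the client dials the address/port the server advertises, so
        # that port must be forwarded and the advertised IP must be the public one.
        problems = []
        if host != public_ip:
            problems.append(f"advertised {host}, expected public IP {public_ip}")
        if not forwarded[0] <= port <= forwarded[1]:
            problems.append(f"data port {port} outside forwarded range "
                            f"{forwarded[0]}-{forwarded[1]}")
        return {"mode": "passive", "initiator": "client", "dst": (host, port),
                "server_forward_needed": True, "problems": problems}
    if line.upper().startswith("PORT"):
        # Active: the server dials out from source port 20 to the client's
        # announced address/port; the state for that outbound connection admits
        # the replies, so nothing is ever forwarded to destination port 20.
        return {"mode": "active", "initiator": "server", "src_port": 20,
                "dst": (host, port), "server_forward_needed": False, "problems": []}
    return {"mode": "unknown"}
```

Feeding the 227 line from a FileZilla log through `describe_data_connection` reports the out-of-range data port directly, which is the quickest way to confirm the passive range on the server and the forward on the firewall disagree.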

                        How did that FUD ever get started, and why does it still exist?

                        I guess some people don't know the difference between a source port and destination port.  ;)

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                          Derelict LAYER 8 Netgate
                          last edited by Dec 21, 2017, 7:52 PM

                          It is pretty much coming down to supporting legacy devices like copiers. One day we will be free from FTP. Probably about the same time people are thinking about IPv6-only deployments.


                            johnpoz LAYER 8 Global Moderator
                            last edited by Dec 22, 2017, 1:29 AM Dec 22, 2017, 1:21 AM

                            "I guess some people don't know the difference between a source port and destination port. "

                            Sing it baby Sing it ;) The lack of basic understanding never gets old… I do not expect billy bob that uses facebook and his iphone to post up shit on snapchat to have a clue.. But what drives me nuts is Kevin who is in IT and took over some network.. So he is the guy they brought in because the other guy wasn't good enough ;)

                            He doesn't get it.. WTF??????  You stated yourself you have never sniffed ftp to figure out how it works?  How long have you been in the biz?  I think you are longer than me?  I know I am king of the uber geeks, and even nerds think I am a nerd.. While my networking coworkers go home and do whatever, I go home and play with tech shit because well I am a uber geek..

                            I'm on my xmas break and what is fun to me is updating my pi's to stretch vs jessie.. Which meant I had to recompile ntp so my ntp server would work as stratum one off the gps module I added to it and ntp from repos doesn't support pps, etc.. Like I said I am the king of the uber geeks ;)

                            But come on ftp has been around since the 70's  I was in 5th grade etc.. It has been around since before there was tcp/ip even.. How are you in the IT field and not fully understand how it works?  It was slick in the days before.. But it should have been killed off 10 some years ago.. I mean not just oh don't use that any more - it should have been killed with fire and everyone should have shut it down.. But it's still around and billy the new user that just figured out what an IP is, wants to use something that should be dead... Might as well be talking about gopher or finger ;)  Ftp should have died off with them..

                            But if you're going to still use it - you need to understand how it works ;)

                            It's like every other day we get some nonsense ftp question... It's like I am on a CompuServe site or something... How is ftp still something people use??  I have not downloaded or uploaded anything personal or even work related in 10+ years.. When I have to upload TB dumps from a riverbed.. while they do still support ftp because I guess they have to until the last user turns it off.. I just sftp it to them.. I honestly can not recall the last time I actually was forced to use ftp.. KILL IT PLEASE!!!


                              JKnott
                              last edited by Dec 22, 2017, 12:08 PM

                              I've never bothered to sniff a connection to see what's really going on.

                              Then you're ignoring a very useful tool.  I frequently fire up Wireshark to see what's happening, to see how things work.  As an example, I recently posted a thread about problems I was having in a hotel, where the WiFi was all but useless.  By using Wireshark, I was able to see they had a severe DHCP problem, document the issue and advise the hotel & company responsible for the WiFi.  They then fixed the problem.  If it wasn't for me and Wireshark, the guests there would likely still have crappy WiFi.

                              A big part of solving any problem is understanding exactly what's happening.


                                KOM
                                last edited by Dec 22, 2017, 2:47 PM

                                I meant to specifically sniff an FTP connection.  That was the context of what we were discussing.  Of course I've done packet captures and analysis in Wireshark.
