Netgate Discussion Forum

Pfsense Block access external Public FTP

Category: Firewalling
27 Posts, 2 Posters, 5.3k Views
doguibnu, last edited by May 31, 2018, 2:49 PM

    Hello!
    How are you?

In our scenario we need to access an FTP server, ftp://datasus.gov.br (it is a Microsoft FTP), through pfSense. It cannot ping the address and cannot connect to the FTP. If we turn pfSense off and try to connect through the "pure" network without pfSense, the connection works fine. Here on the forum, some people told me to install the FTP Client Proxy to solve the problem. I did install it. So, I can access the FTP by console and list. But not ping. The service is used by the government health system. The web system creates a database and the user sends information through this FTP address inside the web system.

    How to fix this?

    Thanks

    Douglas

johnpoz (LAYER 8 Global Moderator), last edited by johnpoz May 31, 2018, 3:05 PM May 31, 2018, 3:03 PM

      @doguibnu said in Pfsense Block access external Public FTP:

      datasus.gov.br

You're saying it answers ping when you're directly connected to the internet? You do understand that not all IPs will answer ping. I do not see it answering ping from my connection.

It's up to the owner of said IP/device whether it should answer ping. For example, pfSense out of the box will not answer ping to its WAN IP from the internet. If you want it to answer ping you have to add that firewall rule.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

doguibnu @johnpoz, last edited by Jun 1, 2018, 11:42 AM

        @johnpoz
Thanks for your attention.

In console mode, I can access the FTP service. But inside the web page service (where the users use the service), it cannot access it; I only get an error when I click connect to send the database. Some people told me to install the FTP proxy to solve it; I did it, but the problem continues!

I do not know what more to do to fix this.

Thanks for the attention and help.

        Douglas

johnpoz (LAYER 8 Global Moderator), last edited by Jun 1, 2018, 12:42 PM

          Well the proxy package only works with active connections..

          You need to understand what server is doing and what the client is doing.

          http://slacksite.com/other/ftp.html
          Active FTP vs. Passive FTP, a Definitive Explanation

For starters FTP is very antiquated and not secure... I would suggest you use a more current way to have your users upload files - say SFTP, or just web via HTTPS even.

Other than that I would suggest you use a client on the user's machine like FileZilla, which will show you full logs of the connection and allow you to pick active or passive and see the PORT and PASV commands, so you can understand what ports are trying to be used as the data connection and troubleshoot the problem.

doguibnu @johnpoz, last edited by Jun 1, 2018, 1:34 PM

            @johnpoz said in Pfsense Block access external Public FTP:

            Well the proxy package only works with active connections..

            You need to understand what server is doing and what the client is doing.

            http://slacksite.com/other/ftp.html
            Active FTP vs. Passive FTP, a Definitive Explanation

            For starters ftp is very antiquated and not secure... I would suggest you use a more current way to have your users upload files - say sftp or just web via https even.

            Other than that I would suggest you use a client on the users machine like filezilla which will show you full logs of the connection and allow you to pick active or passive and see the port and pasv commands so you can understand what ports are trying to be used as the data connection so you can troubleshoot the problem.

            John!
The service is provided by an external government service, not inside my server.
The question is: when pfSense is OFF and we test the connection, it works fine. We can see that our internet provider is OK. But if we turn pfSense ON, pfSense blocks this connection to the government service. I think there is a blocked port or service inside pfSense that does not let it work. We already made contact with the government technical service to see whether our public IP was blocked on the government server side, and it is not blocked.

Here in our scenario we have 2 FTP servers and they have worked nicely for a long time without problems.

            Thanks

johnpoz (LAYER 8 Global Moderator), last edited by johnpoz Jun 1, 2018, 2:51 PM Jun 1, 2018, 2:50 PM

Let me say this yet again - you need to understand what you're doing for FTP: is it active or passive?

              The ftp package is only going to help with active connection.

If your users' client will not do active and they are only running active then no, it's not going to work. I would suggest you please read through the doc I linked to; it explains the difference between active and passive and which direction the data connection is made.

Are you locking down outbound connections? In a passive connection the server will give, inside the control channel, the IP and port the client should connect to. It's all gone over in the doc I linked to, in very easy to understand terms, with diagrams showing the steps in the different connection methods.

pfSense works just fine for both active (helper) and passive FTP connections. But if you do not provide more info then I can not help you find your problem... If the client is unable to provide a log - then sniff on pfSense. FTP is in the clear - I am going to state this again, it is NOT secure.. The username and password are sent in the clear. So sniffing at the firewall will allow you to see all the commands sent via the control channel.. And the answers, etc.

doguibnu, last edited by Jun 2, 2018, 7:16 PM

                @johnpoz

Thanks so much for your attention.
I would like to say that this FTP is not our FTP. Our network needs to access ftp://ftp.datasus.gov.br.
This I do not understand.
Are you telling me that I need to make an FTP rule to access the other side?
Sorry, I'm lost.

johnpoz (LAYER 8 Global Moderator), last edited by johnpoz Jun 3, 2018, 9:49 AM Jun 3, 2018, 9:48 AM

                  OMG - dude... Did you read the link I provided?

Is the server you're going to doing active and passive? Or only passive? The package you added will only help in connecting to a server doing active.

If the server will not do passive, and your client can not do active - then no, you're not going to get it to work..

Understanding whether you are using active/passive, and IF you are doing any rules on your LAN that limit access, is how you fix your problem..

I don't even see them answering:

                  Status: Resolving address of ftp.datasus.gov.br
                  Status: Connecting to 189.28.143.164:21...
                  Status: Connection established, waiting for welcome message...
                  Error: Connection timed out after 20 seconds of inactivity
                  Error: Could not connect to server

Are they running FTPS or FTPES? Are they running on a different control port than 21.. Their server doesn't even answer back after the initial connection.

doguibnu @johnpoz, last edited by Jun 4, 2018, 2:29 PM

                    @johnpoz
                    Hello!

I made the rule at Firewall - WAN:
                    Source: 189.28.143.164
                    Source Port range: 20

                    Destination: any

                    But on FTP client proxy?
                    Is there some configuration?

Another forum user told me to try this option to create this rule. He thinks that it can be Active FTP (to set port 20).

It does not work with this rule.
Thank you for your attention.

johnpoz (LAYER 8 Global Moderator), last edited by Jun 4, 2018, 2:44 PM

                      You need to understand if the client is doing passive or active.

Yes, in active mode the server would be coming FROM source port 20, but to what dest port? And you have to make sure the client is handing out its public IP that can be forwarded. The active FTP package should do all of this for you.

                      In passive mode source port 20 would never be used.

So again - what is your client using, passive or active? Look at the logs of your FTP client. If the client does not show a log then sniff the FTP control channel on the firewall and it will show you all the commands, since it's all in the clear, and you can see the PORT or PASV command to know exactly what is attempting to happen for the data channel to be opened.

doguibnu @johnpoz, last edited by Jun 4, 2018, 2:58 PM

                        @johnpoz

To be clearer, I will connect to the FTP outside of this pfSense network with FileZilla, look at the log and post it here, if you can help me, OK?

                        thanks

johnpoz (LAYER 8 Global Moderator), last edited by johnpoz Jun 4, 2018, 3:18 PM Jun 4, 2018, 3:03 PM

Yes!!! If you show me the logs from the FileZilla client - the full detail logs - then we can figure out what is going on.

Give me a sec and I can give you an example of trying to connect passive from a client and why there can be problems, and how active works.

So for example here is a connection to ftp.redhat.com:

                          Status: Logged in
                          Status: Retrieving directory listing...
                          Command: PWD
                          Response: 257 "/"
                          Command: TYPE I
                          Response: 200 Switching to Binary mode.
                          Command: PORT 64,53,x,x,243,86
                          Response: 550 Permission denied.
                          Command: PASV
                          Response: 227 Entering Passive Mode (209,132,183,61,206,2)
                          Command: LIST
                          Response: 150 Here comes the directory listing.
                          Response: 226 Directory send OK.

You can see both the active connection and the passive connection. I have the client give out my public IP, so that is the 64.43.x.x, and then the port would be 243x256 + 86, or port 62294.

In passive, the server says connect to it at IP 209.132.186.61 port 206x256 + 2, or 52738.

If I don't tell my client to use its public IP you get this command:

                          Command: TYPE I
                          Response: 200 Switching to Binary mode.
                          Command: PORT 192,168,9,101,243,123
                          Response: 550 Permission denied.
                          Command: PASV
                          Response: 227 Entering Passive Mode (209,132,183,61,215,34)
                          Command: LIST
                          Response: 150 Here comes the directory listing.
                          Response: 226 Directory send OK.
                          Status: Directory listing of "/redhat/3scale" successful

See that PORT is giving my machine's IP 192.168.9.101 - that would never work, and the server gave me a 550, so it switched into passive mode and the client switched to passive mode so it could connect to the server on the IP and port given.

doguibnu, last edited by Jun 5, 2018, 12:11 AM

Hello!
How are you?

Here is the log connecting to the FTP outside of the pfSense network. I hope it sheds some light on how to fix the rule.
Thank you

                            Status: Resolving address of ftp.datasus.gov.br
                            Status: Connecting to 189.28.143.164:21...
                            Status: Connection established, waiting for welcome message...
                            Response: 220 Microsoft FTP Service
                            Command: USER anonymous
                            Response: 331 Anonymous access allowed, send identity (e-mail name) as password.
                            Command: PASS **************
                            Response: 230 User logged in.
                            Command: SYST
                            Response: 215 Windows_NT
                            Command: FEAT
                            Response: 211-Extended features supported:
                            Response: LANG EN*
                            Response: UTF8
                            Response: AUTH TLS;TLS-C;SSL;TLS-P;
                            Response: PBSZ
                            Response: PROT C;P;
                            Response: CCC
                            Response: HOST
                            Response: SIZE
                            Response: MDTM
                            Response: REST STREAM
                            Response: 211 END
                            Command: OPTS UTF8 ON
                            Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
                            Status: Connected
                            Status: Retrieving directory listing...
                            Command: PWD
                            Response: 257 "/" is current directory.
                            Command: TYPE I
                            Response: 200 Type set to I.
                            Command: PASV
                            Response: 227 Entering Passive Mode (189,28,143,164,21,249).
                            Command: LIST
                            Response: 150 Opening BINARY mode data connection.
                            Response: 226 Transfer complete.
                            Status: Directory listing successful

johnpoz (LAYER 8 Global Moderator), last edited by Jun 5, 2018, 9:21 AM

                              @doguibnu said in Pfsense Block access external Public FTP:

                              Command: PASV
                              Response: 227 Entering Passive Mode (189,28,143,164,21,249).
                              Command: LIST
                              Response: 150 Opening BINARY mode data connection.
                              Response: 226 Transfer complete.
                              Status: Directory listing successful

You're connecting passive; all is working fine there.

doguibnu, last edited by Jun 5, 2018, 11:31 AM

Right,
This log is from outside the pfSense network.
How do I configure the rule on pfSense to make it work inside pfSense?
I did try many rule configurations to pass this FTP.
I do not know how to fix it!

                                Thanks

doguibnu, last edited by Jun 5, 2018, 12:03 PM

                                  SOLVED

                                  Steps:
                                  Install FTP client proxy package
                                  Go to Service - FTP client proxy
                                  Click to Select Enable the FTP proxy
                                  On Local Interface - Select Lan
                                  Click Save

                                  Go to Firewall-Rules-Wan
                                  New Rule
                                  Action: Pass
                                  Interface: Wan
                                  Protocol: TCP

                                  Source: Single host or alias
                                  IP: IP ftp service
                                  Source Port Range
                                  From: 21
                                  To: 249 (on my scenario)

                                  Destination: any
                                  Destination Port Range
                                  From: 21
                                  to: 249

                                  Click on Save

                                  Why port 249?

The log from FileZilla outside the pfSense network shows:
Response: 227 Entering Passive Mode (IP ftp service,21,249).

Now it works fine.

                                  Thanks Johnpoz and all for attention and help

                                  Douglas

johnpoz (LAYER 8 Global Moderator), last edited by johnpoz Jun 5, 2018, 12:50 PM Jun 5, 2018, 12:40 PM

                                    No No No...

                                    None of that has anything to do with any of it..

Talking to a public IP outside pfSense from a client inside pfSense using passive has ZERO need for any port forward or WAN rule. While port 21 is the default control port of FTP, how you read the passive command is WRONG..

                                    Again I am going to ask have you even bothered to look at the link I provided on how ftp works..

                                    Again your statement is completely wrong with how ftp works..

                                    This statement
                                    Passive Mode (189,28,143,164,21,249).

                                    Is telling the client to talk to IP 189.28.143.164 on port (21x256)+249 = port 5625

For a client to talk to an FTP server outside pfSense from inside pfSense there is ZERO to do.. Since the client will create the connection to the server and the default rules on LAN are any any.. Unless you have modified your LAN rules from any any, there is nothing to do to talk passive to an FTP server on the public internet from behind pfSense.

For a client to talk to a server in active mode, then you need the FTP proxy package installed and set up, so that it can open the inbound traffic for the data channel to be opened.

doguibnu, last edited by Jun 5, 2018, 4:13 PM
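The arithmetic johnpoz walks through in his ftp.redhat.com example (243x256 + 86 and 206x256 + 2) and in the correction above ((21x256)+249 = port 5625) is the same six-tuple decoding for both the PORT command and the 227 reply. The following Python is an added example, not code from this thread or from pfSense: it decodes those tuples from constructed FileZilla-style control-channel lines modelled on the logs posted here, reports who has to open the data connection in each mode, and flags the active-mode case where the client advertises an RFC1918 address that the server can never reach (the 550 case johnpoz shows).

```python
import ipaddress
import re

# Constructed sample control-channel lines, modelled on the FileZilla
# excerpts quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Command: PORT 192,168,9,101,243,123
Response: 550 Permission denied.
Command: PASV
Response: 227 Entering Passive Mode (209,132,183,61,206,2)
Command: PASV
Response: 227 Entering Passive Mode (189,28,143,164,21,249).
"""

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_six_tuple(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple.

    The data port is p1*256 + p2; p1 and p2 are never ports on their own,
    which is the misreading the thread's SOLVED post made of "21,249".
    """
    m = SIX_TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: " + text)
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_data_channel(line):
    """Describe the data channel a PORT command or 227 reply negotiates.

    mode       'active' (client names the endpoint) or 'passive' (server does)
    ip, port   the endpoint the other side is told to connect to
    initiator  which side opens the data TCP connection
    nat_issue  True when an active client advertises a private address: the
               server cannot reach it, so either the client must hand out its
               public IP or the firewall's FTP helper must rewrite the PORT.
    """
    stripped = line.strip()
    if stripped.startswith("Command: PORT"):
        ip, port = decode_six_tuple(stripped)
        return {"mode": "active", "ip": ip, "port": port,
                "initiator": "server (from source port 20)",
                "nat_issue": ipaddress.ip_address(ip).is_private}
    if stripped.startswith("Response: 227"):
        ip, port = decode_six_tuple(stripped)
        return {"mode": "passive", "ip": ip, "port": port,
                "initiator": "client (outbound, so default LAN any-any suffices)",
                "nat_issue": False}
    return None


def decode_log(text):
    """Parse every PORT/227 line; a 550 right after a PORT marks it rejected."""
    results = []
    for line in text.splitlines():
        info = classify_data_channel(line)
        if info is not None:
            results.append(info)
        elif (line.strip().startswith("Response: 550")
              and results and results[-1]["mode"] == "active"):
            results[-1]["rejected"] = True
    return results


if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

Run against the datasus reply from the thread, the passive endpoint comes out as 189.28.143.164:5625, the value johnpoz gives, not ports 21 and 249.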

                                      @johnpoz said in Pfsense Block access external Public FTP:

                                      No No No…
                                      None of that has anything to do with any of it…
                                      Talking to a public IP outside pfsense from a client inside pfsense using passive has ZERO need for any port forward or wan rule. While port 21 is the default control port of ftp. how you read passive command is WRONG…
                                      Again I am going to ask have you even bothered to look at the link I provided on how ftp works…
                                      Again your statement is completely wrong with how ftp works…
                                      This statement
                                      Passive Mode (189,28,143,164,21,249).
                                      Is telling the client to talk to IP 189.28.143.164 on port (21x256)+249 = port 5625
                                      For a client to talk a ftp server outside pfsense from inside pfsense there is ZERO to do… Since the client will create the connection to the server and the default rules on lan are any any… Unless you have modified your lan rules from any any there is nothing to do to talk passive to a ftp server on the public internet from behind pfsense
                                      For client to talk to server in active mode, then you need the ftp proxy package installed an setup. So that it can open the inbound traffic for the data channel to be opened.

I am sorry!
I do not know what more to do.
What is your suggestion to configure it in the right mode?

Yes, I did read your link about the differences between active and passive FTP.
I will read it again and again.

But, inside pfSense, how do I configure it?

I will search for more information about it.

Thank you

johnpoz (LAYER 8 Global Moderator), last edited by Jun 5, 2018, 4:20 PM

There is NOTHING to configure in pfSense for a client talking passive.. Nothing, unless you modified the default rules to block ports? What are your current LAN rules?

Only if you're using active to talk to the server do you need the active FTP package helper.. From your log you were using passive and it was working..

Please post the log of your client that is NOT working when behind pfSense, and your LAN rules..

doguibnu, last edited by Jun 6, 2018, 12:45 AM

Hello!
Please, look at this link. He seems to have had the same difficulty as me.

                                          https://www.experts-exchange.com/questions/28546035/Trouble-accessing-FTP-sites-via-pfSense.html

I think that I need to make a LAN rule to pass ports 20 and 21, right?

Other point:
My FileZilla log inside the pfSense network also shows me grey text (not green) after the wrong WAN rule that you showed me.
That can be the way.

                                          Thanks

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.