Netgate Discussion Forum
    Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP

    Firewalling
ressurex (last edited by johnpoz)

Can someone explain what I am doing right? Or wrong??

The problem was that I use a VPN gateway with always on (privacy concern). And when using SFTP the download speed is 50%. But with normal insecure FTP it's almost 100%. And since I don't need double encryption either, unsecured is what I want due to the download speeds of my very large files.

I have standard firewall rules in LAN and the ones pfBlockerNG has created, including some LAN devices that are not allowed Internet access.
Then I have always had the Default allow LAN to any rule at the bottom too. This has always worked fine.

When I try to log on to my FTP server using FileZilla and normal insecure FTP, it states the error:
      Error: Failed to retrieve directory listing

      Error:

      Command: CWD /LINUX/ISOS/FINISHED
      Response: 250 Directory successfully changed.
      Command: PWD
      Response: 257 "/LINUX/ISOS/FINISHED"
      Command: TYPE I
      Response: 200 Switching to Binary mode.
      Command: PORT 95,174,xx,xx,4,236
      Response: 200 PORT command successful. Consider using PASV.
      Command: LIST
      Response: 425 Failed to establish connection.
      Error: Failed to retrieve directory listing

But!! When I move the Default allow LAN to any rule above the VPN rules, the FTP directory listing is successful, and I can browse and download etc.

      Success:

      Status: Resolving address of ftpserverDK.site
      Status: Connecting to (censored IP):21...
      Status: Connection established, waiting for welcome message...
      Status: Logged in
Status: Retrieving directory listing of "/LINUX/ISOS/FINISHED"...
Status: Directory listing of "/LINUX/ISOS/FINISHED" successful

Is it just because the Default allow LAN to any rule above the VPN rules will allow port 21 to be used for FTP?
When I don't move the Default allow LAN to any rule above the VPN rules, SFTP normally works fine with port 22. But FTP doesn't.

Can someone tell me why that is, so I understand the issue with my FTP server a bit. I really don't see why the Default allow LAN to any rule above the VPN rules is a problem?? But I am a bit worried if it gives me security issues I simply don't understand, hence my VPN and everything is worthless etc.

Semi-newbie question: Why does only the Default allow LAN to any rule above the VPN rules give my FileZilla a successful directory listing using FTP (21)?

johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

        @ressurex said in Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP:

        VPN rules give my FileZilla a successful directory listing using ftp(21)?

FTP doesn't use 21 for directory listing, that is just the control channel; data will be port 20 as source in active. You're using active it seems, since it suggests you switch to PASV. And see the PORT command telling the server which IP and port to connect to.

This can work if you're using the FTP active package, but it would have to be set up to use the correct interfaces. And are you talking to the VPN endpoint for FTP or some other server past your VPN endpoint? If past, your VPN endpoint would have to allow for the active connection to come back and be sent down the tunnel to you.

I suggest you read up on how FTP works for control and data and the difference between active and passive connections.
        https://slacksite.com/other/ftp.html

You're going to be better off just using passive to access FTP servers outside pfSense; then pfSense doesn't need to create any firewall rules for the active connection to come back in, and it will allow you to route your traffic how you want via your VPN if you want.

SFTP works differently - it only uses the one port (22).

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05
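The active/passive distinction in the reply above, worked through in code. This is an added example and not code from the thread or from pfSense; the PORT line copies the shape of the one in the original post with the public address replaced by a documentation address, the 227 reply and the LAN/server addresses are constructed for illustration, and the "stateful LAN to any rule" check is a deliberately simplified model of what a pass rule on a stateful firewall does (it creates state only for connections initiated from the LAN side).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines for this example. The PORT line mirrors the one in
# the thread with the public address swapped for a documentation address; the
# 227 reply is invented to show the passive case.
PORT_CMD = "PORT 203,0,113,10,4,236"
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,88)"

# Assumed topology for the example: client behind NAT, server on the Internet.
CLIENT_LAN_IP = "192.168.1.50"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER_IP = "198.51.100.7"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(line: str) -> tuple[str, int]:
    """Turn the h1,h2,h3,h4,p1,p2 encoding used by PORT and 227 into (ip, port)."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError(f"no host/port tuple in {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("each field must fit in one byte")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport, as a client would build a PORT argument."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class DataConnection:
    mode: str                # "active" or "passive"
    initiator: str           # which side opens the TCP data connection
    src_ip: str
    src_port: Optional[int]  # None = ephemeral port chosen by the initiator
    dst_ip: str
    dst_port: int


def plan_data_connection(line: str, client_ip: str, server_ip: str) -> DataConnection:
    """Decide who connects to whom for the data channel, from a PORT command
    (client -> server) or a 227 reply (server -> client)."""
    ip, port = decode_hostport(line)
    if line.upper().startswith("PORT "):
        # Active: the server connects from port 20 to the address the client advertised.
        return DataConnection("active", "server", server_ip, 20, ip, port)
    if line.startswith("227 "):
        # Passive: the client connects from an ephemeral port to the server's listener.
        return DataConnection("passive", "client", client_ip, None, ip, port)
    raise ValueError("expected a PORT command or a 227 reply")


def passes_stateful_outbound_rule(conn: DataConnection, lan_net: ipaddress.IPv4Network) -> bool:
    """Simplified model of a 'LAN net -> any' pass rule on a stateful firewall:
    it creates state only for connections initiated from the LAN, so it never
    opens an inbound path for a server-initiated (active) data connection."""
    return ipaddress.ip_address(conn.src_ip) in lan_net


if __name__ == "__main__":
    for line in (PORT_CMD, PASV_REPLY):
        conn = plan_data_connection(line, CLIENT_LAN_IP, SERVER_IP)
        ok = passes_stateful_outbound_rule(conn, LAN_NET)
        print(f"{conn.mode:7} {conn.initiator} opens {conn.src_ip}:{conn.src_port or '*'} -> "
              f"{conn.dst_ip}:{conn.dst_port}  allowed by LAN->any: {ok}")
```

Running it shows the point of the thread: the PORT line decodes to port 4*256+236 = 1260 on the client's public address, and the data connection for that listing is opened by the server from port 20, which an outbound-only LAN rule has no state for; the passive case is opened by the client and rides the same stateful rule that already passed the control channel on port 21. In the original setup the active connection would additionally have to arrive through the VPN endpoint and be forwarded back to the client, which is the extra path the reply above mentions.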

ressurex

Thanks! I thought it would be something concerning this, passive/active stuff.

I have moved my Default allow LAN to any rule back to my working setup; this means lowest possible, and below VPN.
I will use SFTP, which works fine, and read up on this accordingly.

johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

Happy to help - but to be honest you should have stopped using FTP like 10 years ago ;)

Are you pushing or pulling files from this server? I just pull files from a remote server all the way in the NL while I am in the US over HTTPS, and I pretty much saturate my 500mbps line. I see +40MBps all the time.

btw: you're listing a public IP in that PORT command. If you're OK with it, fine; if not, you might want to obscure the last couple of octets or something. I can edit it for you if you desire.

ressurex

Old habit I guess. I just like FileZilla.
Yes, please edit anything public. ftpserverDK.site is just a dummy though.

Thanks.

Have a nice day.

johnpoz, LAYER 8 Global Moderator

Edited out the last couple of octets for you.

ressurex (last edited by ressurex)

Hi johnpoz

I solved it with the following.

Disabled the Default allow LAN to any rule.
Installed the FTP Client Proxy package.
Enabled it with local interface as LAN and Early Firewall Rule enabled.

Now FileZilla works fine over passive FTP (21), directory listing also!

https://forum.netgate.com/topic/80717/ftp-client-proxy-package

This seemed to do what I was looking for. I'm downloading with maximum speed now.
200Mbit.

Thanks for your input also.

johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

You don't need the FTP package for passive. Only active, unless you are super restrictive on your outbound rules.
