Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP



  • Can someone explain what I am doing right? Or wrong??

    The problem was that I use a VPN gateway with always on (privacy concern). And when using SFTP the download speed is 50%. But with normal unsecure FTP it's almost 100%. And since I don't need double encryption either, unsecured is what I want due to download speeds of my very large files.

    I have standard firewall rules in LAN and the ones pfBlockerNG has created, including some LAN devices that are not allowed Internet access.
    Then I have always had the Default allow LAN to any rule at the bottom too. This has always worked fine.

    When I try to log on to my FTP server using FileZilla and normal unsecure FTP, it states the error:
    Error: Failed to retrieve directory listing

    Error:

    Command: CWD /LINUX/ISOS/FINISHED
    Response: 250 Directory successfully changed.
    Command: PWD
    Response: 257 "/LINUX/ISOS/FINISHED"
    Command: TYPE I
    Response: 200 Switching to Binary mode.
    Command: PORT 95,174,xx,xx,4,236
    Response: 200 PORT command successful. Consider using PASV.
    Command: LIST
    Response: 425 Failed to establish connection.
    Error: Failed to retrieve directory listing

    But!! When I move the Default allow LAN to any rule above the VPN rules, the FTP directory listing is successful, and I can browse and download etc.

    Success:

    Status: Resolving address of ftpserverDK.site
    Status: Connecting to (censored IP):21...
    Status: Connection established, waiting for welcome message...
    Status: Logged in
    Status: Retrieving directory listing of "/LINUX/ISOS/FINISHED "...
    Status: Directory listing of "/LINUX/ISOS/FINISHED" successful

    Is it just because the Default allow LAN to any rule above the VPN rules will allow port 21 to be used for FTP?
    When I don't move the Default allow LAN to any rule above the VPN rules, SFTP normally works fine with port 22. But FTP doesn't.

    Can someone tell me why that is, so I understand the issue with my FTP server a bit? I really don't see why the Default allow LAN to any rule above the VPN rules is a problem?? But I am a bit worried that it gives me security issues I simply don't understand, hence my VPN and everything is worthless etc.

    Semi-newbie question: Why does only the Default allow LAN to any rule above the VPN rules give my FileZilla a successful directory listing using ftp(21)?



  • LAYER 8 Global Moderator

    @ressurex said in Default allow LAN to any rule above VPN -> FTP Retrieving directory listing works on Unsecure FTP:

    VPN rules give my FileZilla a successful directory listing using ftp(21)?

    FTP doesn't use 21 for directory listing, that is just the control channel; data will be port 20 as source in active. You're using active it seems, since it suggests you switch to PASV.. And see the PORT command telling the server which IP and port to connect to..

    This can work if you're using the FTP active package, but it would have to be set up to use the correct interfaces... And are you talking to the VPN endpoint for FTP or some other server past your VPN endpoint.. If past, your VPN endpoint would have to allow for the active connection to come back and be sent down the tunnel to you.

    I suggest you read up on how FTP works for control and data and the difference between active and passive connections.
    https://slacksite.com/other/ftp.html

    You're going to be better off just using passive to access FTP servers outside pfSense; then pfSense doesn't need to create any firewall rules for the active connection to come back in.. And it will allow you to route your traffic how you want via your VPN if you want.

    SFTP works differently; it only uses the one port (22).
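
    Added example (not from the thread, FileZilla or pfSense) for reading a FileZilla log like the one above: it decodes the `PORT` / `227` host-port tuple, tells active from passive, and flags the active case as the one where the server has to connect back to the client through the firewall or VPN endpoint. The IPs in the constructed sample logs are documentation addresses standing in for the redacted ones in the thread.

```python
import re
from dataclasses import dataclass

# Active mode: client sends PORT h1,h2,h3,h4,p1,p2 and the SERVER connects back.
PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Passive mode: server answers 227 (...) and the CLIENT opens the data connection.
PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class DataChannel:
    mode: str       # "active" or "passive"
    ip: str         # address the data connection is made to
    port: int       # port the data connection is made to
    opened_by: str  # side that initiates the TCP handshake

def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> dotted IP and port = p1*256 + p2 (4,236 -> 1260)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def parse_data_channel(log_lines):
    """Return the last data channel negotiated in a FileZilla-style log."""
    chan = None
    for line in log_lines:
        if m := PORT_RE.search(line):
            chan = DataChannel("active", *decode_hostport(m.groups()), "server")
        elif m := PASV_RE.search(line):
            chan = DataChannel("passive", *decode_hostport(m.groups()), "client")
    return chan

def needs_inbound_allow(chan):
    """Active mode needs the server's connection back to the client to pass
    the firewall / VPN endpoint; passive is a plain outbound connection."""
    return chan is not None and chan.opened_by == "server"

# Constructed sample logs; 192.0.2.10 and 198.51.100.7 are documentation
# addresses standing in for the redacted IPs in the thread.
ACTIVE_LOG = [
    "Command: PORT 192,0,2,10,4,236",
    "Response: 200 PORT command successful. Consider using PASV.",
    "Command: LIST",
    "Response: 425 Failed to establish connection.",
]
PASSIVE_LOG = [
    "Command: PASV",
    "Response: 227 Entering Passive Mode (198,51,100,7,195,80).",
    "Command: LIST",
    "Response: 150 Here comes the directory listing.",
]
```

    Run `parse_data_channel(ACTIVE_LOG)` and you get the active channel aimed at 192.0.2.10:1260, which is exactly the inbound connection the 425 in the log says never arrived.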



  • THANKS! I thought it would be something concerning this, passive/active stuff.

    I have moved my Default allow LAN to any rule back to my working setup, this means lowest possible, and below VPN.
    I will use SFTP, which works fine, and read up on this accordingly.


  • LAYER 8 Global Moderator

    Happy to help - but to be honest you should have stopped using FTP like 10 years ago ;)

    Are you pushing or pulling files from this server? I just pull files from a remote server all the way in the NL while I am in the US over HTTPS, and I pretty much saturate my 500 Mbps line.. I see 40+ MBps all the time..

    BTW: you're listing a public IP in that PORT command.. If you're OK with it, fine; if not, you might want to obscure the last couple of octets or something.. I can edit it for you if you desire.



  • Old habit I guess. I just like FileZilla.
    Yes please edit anything public. ftpserverDK.site is just a dummy though.

    Thanks.

    Have a nice day.


  • LAYER 8 Global Moderator

    Edited out the last couple of octets for you.



  • Hi Jonhpoz

    I solved it with the following.

    Disabled the Default allow LAN to any rule.
    Installed the FTP Client Proxy package.
    Enabled it with local interface as LAN and Early Firewall Rule enabled.

    Now FileZilla works fine over passive ftp(21), directory listing also!

    https://forum.netgate.com/topic/80717/ftp-client-proxy-package

    This seemed to do what I was looking for. I'm downloading with maximum speed now.
    200 Mbit.

    Thanks for your input also.


  • LAYER 8 Global Moderator

    You don't need the FTP package for passive. Only active, unless you are super restrictive on your outbound rules.

