Setup issues on FTP



  • Dear All,

    We have a small problem allowing users to log in to our FTP server in Bridge (Transparent) mode through PF.

    After digging through the forum, one of the solutions is to go to Firewall > NAT > Outbound, check "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))", and in the rules check "static-port" under Translation.

    Now PF allows customers to FTP to my server in PASV mode, but the top banner of the PF dashboard shows the following message:

        [filter_load] There were error(s) loading the rules: /tmp/rules.debug:26: the static-port option is only valid with nat rules
        pfctl: Syntax error in config file: pf rules not loaded
        The line in question [26]: no nat on $wan from 123.123.123.123/27 to any static-port

    Could somebody give me some suggestions? I am very puzzled by this FTP issue.

    Many thanks, :-[

    David



  • I have same problem.

    • I've used pfSense in Bridge (Transparent) mode like this:
              Internet ----->  (OPT2) pfSense (OPT1)  ----->  FTP Server (Serv-U on Windows 2003 with a public IP).
    • My pfSense box has 4 10/100/1000 Ethernet interfaces: LAN, WAN, OPT1 and OPT2.
    • OPT1 is bridged with OPT2 (used for filtering FTP, Web, ...), LAN/WAN are for control (not used for filtering).
    • I added one rule on OPT2 allowing TCP ports 20 and 21 to pass through.
    • I disabled the FTP Helper on OPT2 and OPT1 but checked the FTP option in the Advanced configuration (about ports 20/21 and RFC 959, ...).
    • I can connect to the FTP server from the Internet by accessing the public IP of this server (passive mode).
    • But I can't LIST or download/upload data to/from the server.
    • If I add a rule allowing pass from all to all (* to *) on OPT2, I can LIST or download/upload data to/from the server. When I disable this rule, I can't LIST or download/upload data to/from the server.

    I think this problem occurs because the pfSense box doesn't allow requests/responses between the FTP client and the FTP server on some ports. But I don't know which ports to open on my pfSense box. I can't open everything because I want to block all and only open some things like FTP, Web, Mail, ...

    Why? Can anyone resolve it for me, please...
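The symptom in the post above (control connection succeeds, LIST hangs) is what passive-mode FTP does behind a firewall that only passes TCP 20 and 21: under RFC 959 the server answers PASV with a 227 reply naming an ephemeral data port, and the client then opens a second connection to that port, which a 20/21-only rule drops. The fix is to give the server a fixed passive port range and pass that range too. The following is an added example, not code from the thread, pfSense or Serv-U: it parses 227 replies, checks each announced data port against a firewall rule for the passive range, and prints the pf `pass` rules for a bridged (no-NAT) interface. The interface name `em2`, the server address 203.0.113.10, the range 50000-50100, the sample control-channel replies and the assumption that Serv-U can be pinned to such a range are all constructed for the example. Note also that the pfctl error in the first post is literal: `static-port` is an option of pf `nat` rules only, so a `no nat ... static-port` line is a syntax error regardless of the FTP problem.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data host is h1.h2.h3.h4 and the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if the line is not a valid PASV reply."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # malformed reply; treat as no data connection
    h1, h2, h3, h4, p1, p2 = octets
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def data_port_allowed(port, passive_range):
    """True if a 'pass ... port lo:hi' rule for passive_range would let this data connection in."""
    lo, hi = passive_range
    return lo <= port <= hi


def audit_session(server_replies, passive_range):
    """Walk the server side of a control channel and report each announced data port
    together with whether the firewall rule for passive_range would pass it.
    Returns a list of (port, allowed) tuples, one per 227 reply."""
    result = []
    for line in server_replies:
        parsed = parse_pasv(line)
        if parsed is None:
            continue  # 220/331/230/150/226 etc. open no data connection
        _host, port = parsed
        result.append((port, data_port_allowed(port, passive_range)))
    return result


def pf_rules(iface, server_ip, passive_range):
    """pf rules for a bridged interface in front of a passive-mode FTP server:
    one for the control channel on 21, one for the server's passive data range.
    No nat rule is involved, so static-port does not come into play."""
    lo, hi = passive_range
    return [
        "pass in quick on %s proto tcp from any to %s port 21 flags S/SA keep state"
        % (iface, server_ip),
        "pass in quick on %s proto tcp from any to %s port %d:%d flags S/SA keep state"
        % (iface, server_ip, lo, hi),
    ]


# Constructed sample: server replies for a login followed by two PASV transfers.
# The first announced port (50009) is inside the assumed passive range 50000-50100;
# the second (1025) is outside it and would hang the LIST exactly as described above.
SAMPLE_REPLIES = [
    "220 Serv-U FTP Server ready",
    "331 User name okay, need password.",
    "230 User logged in, proceed.",
    "227 Entering Passive Mode (203,0,113,10,195,89)",
    "150 Opening ASCII mode data connection for /bin/ls.",
    "226 Transfer complete.",
    "227 Entering Passive Mode (203,0,113,10,4,1)",
]
PASSIVE_RANGE = (50000, 50100)  # assumed range configured on the server

if __name__ == "__main__":
    for port, ok in audit_session(SAMPLE_REPLIES, PASSIVE_RANGE):
        print("data port %5d: %s" % (port, "passed" if ok else "BLOCKED by rule"))
    for rule in pf_rules("em2", "203.0.113.10", PASSIVE_RANGE):
        print(rule)
```

The audit is the check to run against a packet capture of the control channel when a client reports "connected but no listing": any 227 reply whose port falls outside the range you pass is a transfer the firewall will silently drop, which means either the server is not honouring its configured passive range or the rule does not cover it.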



  • Hi,

    I know exactly what you mean. After you connect to the FTP server, the messages indicate you are connected, but it won't show the directory listing.

    In my WAN to LAN FTP rules, source is * and port is *, and the destination is LAN net and port is 21.

    Or you can try source port 1024 - 65535 and destination port 21.

    For outgoing LAN to WAN, I just set the destination port to *.

    Funny enough, after I did a fresh install of the whole box a couple of times, the static-port error messages went away and people can access our FTP server. I had this problem for over one month since I created the topic but did not get any answer.

    I tried the update snapshot method to see if it could fix the problems, but it crashed my box beyond reboot.

    I do not know if the following could work: you can try to download 1.2.3 RC 1 from the German mirror site and restore all your configuration (if you do have the time to test). The problems might go away. It is not a scientific way, but since I am not yet a subscriber member, this is how I solved the problems... :'(

    Good luck.

