FTP Hell
-
I've searched, I've read all the related threads. I've tried everything mentioned. Nothing helps.
External traffic trying to access ftp server on internal network has serious problems.
Running latest rc2.
Tried with nat rules, without nat rules, with ftp proxy, without ftp proxy, auto rules, manual rules. port forwarding, no port forwarding.
command line works just fine. IE, firefox, etc etc. no go.
I can access the same ftp server just fine via a Juniper Netscreen firewall so the server is fine. the clients are fine. the firewall is the problem. Any ideas other than "it works for me" ?
I'
-
There where some bugs fixed recently.. Please upgrade to the latest snapshot mentioned in the announcements section.
-
running
RC2 built on Tue Aug 1 18:14:08 UTC 2006Newer than this?
-
Yes. You can view the date of the announcement in the forum.
-
okay. running RC2i now. Same problems.
I know this is in other threads but could you please give me a checklist of configuration items to verify?
Simple setup with 2 interfaces. what I call TRUST (green) and UNTRUST (red). /27 IP block, All addresses are proxy arped virtual addresses, 1:1 NAT setup for all.
All egress traffic is allowed.
Ingress is by explicit allowance.
FTP server is ProFTPd.
PassivePorts are set to 9000-9500 in ProFTPd server config.
Ports 20,21,9000-9500 are allowed by pfsense wan rules.FTP Proxy is enabled (unchecked) in wan interface settings.
-
Make sure the WAN interface has the FTP helper enabled. Reboot.
Then issue a ps awux | grep pftpx from the shell and post back the results.
-
RC2i is not the latest version. Use http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/
-
Hoba is correct. I should have noticed that before. Please upgrade to the latest snapshot.
-
-
It should have started a pftpx process for that nat redirects port 21.
-
Still having problems.
I've now also tried this :: http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo
Still no dice connecting from a browser in passive mode.
I dont see any running pftpx processes.
Using 1:1 NAT. Can someone help me? If I cant resolve this I need to find another platform and start getting it built.
-
Update to the latest testing snapshot in ~sullrich
-
updated to latest image from the 10th. i now see the following process running which is an improvement.
407 con I 0:00.00 sh -c /usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81
10.200.0.11 is the internal address of the ftp server. 1:1 NAT from public IP -> Private IP.
Passive Mode still fails. I can login, but nothing else. Client either fails over to active mode or just errors out depending on client. Active mode works fine.
[11:45:29] SmartFTP v2.0.998.13
[11:45:29] Resolving host name "firefly.e-frontier.com"
[11:45:29] Connecting to 64.62.xxx.xxx Port: 21
[11:45:29] Connected to firefly.e-frontier.com.
[11:45:29] 220 ProFTPD 1.2.9 Server (ProFTPD Default Installation) [xxx]
[11:45:29] USER clwebmaster
[11:45:29] 331 Password required for xxx.
[11:45:29] PASS (hidden)
[11:45:30] 230 User xxx logged in.
[11:45:30] SYST
[11:45:30] 215 UNIX Type: L8
[11:45:30] Detected Server Type: UNIX
[11:45:30] FEAT
[11:45:30] 211-Features:
[11:45:30] MDTM
[11:45:30] REST STREAM
[11:45:30] SIZE
[11:45:30] 211 End
[11:45:30] PWD
[11:45:30] 257 "/data/httpd/www.xxx.com" is current directory.
[11:45:30] TYPE A
[11:45:30] 200 Type set to A
[11:45:30] PASV
[11:45:30] 227 Entering Passive Mode (10,200,0,11,36,146).
[11:45:30] Opening data connection to 10.200.0.11 Port: 9362
[11:45:30] LIST -aL
[11:45:30] 0 bytes transferred. (0 bytes/s) (47 ms) -
You are publishing a FTP service to the internet? If so you need to enable the ftp helper in interfaces, wan.
-
oh that was enabled long ago.
by enabled, you mean the box is unchecked on the wan interface right?
-
Yes. I don't see the pftpx process running for this case.
If you are using a VIP then you need to use a CARP type VIP instead of proxyarp.
-
It's possible that that instance we see running is the result of my inserting that line into the config file as per the little howto I found that I mentioned in a previous post.
Not an option in my environment. If I understand it correctly I would need to change my internal machines interface config to actually have the external address bound to it in order to make CARP work.
What I'm curious about is why this is so difficult. Passing FTP with iptables, or any number of other firewalls is no different than any other ruleset. Why is it such a big hassle with pfsense?
I appreciate all of your help and think what you're doing is great, i'm just looknig for some understanding.
-
<shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>
is what i added to the <system>section.</system>
-
Try out the CARP option. You won't be using it as a failvoer IP, it needs to have a real ip instead of proxyarp so that pftpx can bind to it.
As you can imagine pfSense is not linux / iptables. FTP has been the biggest pain in my ass and I really dislike it at this point, we'll just leave it at that.
-
<shellcmd>/usr/local/sbin/pftpx -c 81 -d -f 10.200.0.11 -g 81</shellcmd>
is what i added to the <system>section.</system>
Remove that, reboot.