Ftp only works port connection type not passive

rsw686 · Sep 13, 2006, 11:56 PM

Is there something I am missing. FTP works only with the port connection type. Thus if I try and pull it up in firefox, etc that use passive connections it will not connect.

Heres the error using passive mode. Seems that pftpx is not giving out the lan ip address for the client to connect to.

COMMAND:> PASV
227 Entering Passive Mode (10,10,1,15,149,86)
COMMAND:> LIST
STATUS:> Connecting ftp data socket 10.10.1.15:38230…

hoba · Sep 13, 2006, 11:57 PM

In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

rsw686 · Sep 14, 2006, 5:02 AM

@hoba:

In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

I was using the 9-3-2006 snapshot, but just upgraded to the 9-12-2006 snapshot and am having the same issue still. Feel free to try and ftp to the server "wgnrs.dynalias.com". It accepts anonymous connections and is just a blank install of vsFTPd on Fedora Core 4.

passive mode communication
–-------------------------------------
mason> ftp
ftp> passive
Passive mode on.
ftp> open wgnrs.dynalias.com
Connected to wgnrs.dynalias.com.
220 (vsFTPd 2.0.3)
Name (wgnrs.dynalias.com): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
421 Service not available, remote server has closed connection
Passive mode refused. Try PORT
No control connection for command: Transport endpoint is not connected

port mode communication

mason> ftp
ftp> open wgnrs.dynalias.com
Connected to wgnrs.dynalias.com.
220 (vsFTPd 2.0.3)
Name (wgnrs.dynalias.com): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
pub
226 Directory send OK.
5 bytes received in 0.0036 seconds (1.36 Kbytes/s)

rsw686 · Sep 14, 2006, 5:11 AM

After the upgrade I'm now getting a ton of msntp errors so I am clean installing the snapshot. Well see how it goes.

Sep 14 01:21:33 msntp[3201]: msntp: Unknown error: 0
Sep 14 01:21:33 msntp[3201]: msntp: unable to locate IP address/number
Sep 14 01:21:33 msntp[3201]: msntp: bad daemon restart information
Sep 14 01:21:33 msntp[3201]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 61.129.66.79
Sep 14 01:21:33 msntp[3201]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000

rsw686 · Sep 14, 2006, 5:44 AM

Got it clean installed to snapshot 09-12-06 and the msntp error looks like it cleared up see output below. I can't remember if the bad daemon restart information was always there or not. Anyways, ftp still has the same issue where passive transfers don't work.

Sep 14 01:52:45 msntp[636]: msntp: 2006 Sep 14 01:52:45.132 + -0.000 +/- 0.206 secs
Sep 14 01:52:45 msntp[636]: msntp: after 0.6 secs acc. 1 rej. 0 flush 0 max.off. 0.369 corr. 0.369
Sep 14 01:52:44 msntp[636]: msntp: using NTP server 20six.fr (84.16.227.161)
Sep 14 01:52:44 msntp[636]: msntp: bad daemon restart information
Sep 14 01:52:44 msntp[636]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 84.16.227.161
Sep 14 01:52:44 msntp[636]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000

Gertjan · Sep 14, 2006, 8:28 AM

If your talking 'incoming ftp connection' to a internal FTP server on your LAN, then drop by overhere: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

If all these posts describe your problem, than you will find a temp. solution over there.

It's (re) boot persistent.

And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).

PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't saw any issues. msntp just grabs the time from the net.

rsw686 · Sep 14, 2006, 12:50 PM

@Gertjan:

If your talking 'incoming ftp connection' to a internal FTP server on your LAN, then drop by overhere: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

If all these posts describe your problem, than you will find a temp. solution over there.

It's (re) boot persistent.

And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).

PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't saw any issues. msntp just grabs the time from the net.

No I know the msntp issue is not related. Just that I was advised to goto the latest snapshot and when I did the upgrade msntp errors starting popping up every minute. Thus I ended up doing a clean install.

My ftp issue is not the same. My IP address hardly changes and I don't use PPoE. Yes this is an incoming ftp issue.

sullrich · Sep 14, 2006, 12:57 PM

Msntp has nothing to do with FTP. Upgrade to the latest testing snapshot.

Tomba · Sep 14, 2006, 3:28 PM

@rsw686:

Is there something I am missing. FTP works only with the port connection type. Thus if I try and pull it up in firefox, etc that use passive connections it will not connect.

Heres the error using passive mode. Seems that pftpx is not giving out the lan ip address for the client to connect to.

COMMAND:> PASV
227 Entering Passive Mode (10,10,1,15,149,86)
COMMAND:> LIST
STATUS:> Connecting ftp data socket 10.10.1.15:38230…

Did you make sure to define which ports the FTP server uses as PASV ports ? If you don't the FTP server will pick a free portnumber at random, which I'm sure your firewall will block.
If the answer is yes; do you also allow traffic to pass ? (Firewall –> Rules should have an entry for your PASV port range)
If the answer is no; define which ports the PASV data transport should use and add a rule to allow traffic to pass in pfSense.

BTW maybe you should consider using webdav; a client is default in almost any OS (including Windows) and when used with SSL it's safer than FTP as well (e.g. passwords don't get sent over the internet in clear text)

sullrich · Sep 14, 2006, 3:32 PM

There is no reason to forward anything but port 21.

The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

The FTP Helper dynamically opens ports as they are needed.

Tomba · Sep 14, 2006, 5:01 PM

@sullrich:

There is no reason to forward anything but port 21.

The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

The FTP Helper dynamically opens ports as they are needed.

I didn't know this was what the FTP helper was for :)

In that case I have the exact same problem because without the PASV port forwards enabled on my pfSense box (RC2) I get the exact same problem…. (with Serv-U FTP)

sullrich · Sep 14, 2006, 5:03 PM

Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

rsw686 · Sep 14, 2006, 5:30 PM

@sullrich:

Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

I already updated to the latest version SNAPSHOT-09-12-06 and am still having the problem. The ftp helper will not open the ports for passive mode. Only works for port mode. I even tried defining my ip address in vsftp for passive mode and it still does not work.

The guy who recommended I use something else, thats not the point. I would like to get FTP working. I normally use SSH anyways.

sullrich · Sep 14, 2006, 5:40 PM

#1 Make sure you are using CARP type ips for virtual ips
#2 Make sure the port forward is for port "21" ONLY

If you are on the latest version and follow the above it really should work.

Gertjan · Sep 14, 2006, 7:15 PM

@sullrich:

#1 Make sure you are using CARP type ips for virtual ips
#2 Make sure the port forward is for port "21" ONLY

If you are on the latest version and follow the above it really should work.

Sure ?

I'm using a PPPoE connection on the WAN interface, and I can assure you that

These two ones are running after reboot (and IP 24H 'hup'):
/usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
/usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply)
/usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21
If a FTP port 21 rule was already present, I have do remove ot before (as the 2 auto created firewall WAN rules).

Am I saying wrong, or do I miss something?
When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log).

Anyway, checking check_reload_status.c right now to see wo is runnig what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it... )