Ftp only works port connection type not passive



  • Is there something I am missing? FTP works only with the port connection type. Thus if I try and pull it up in Firefox, etc. that use passive connections it will not connect.

    Here's the error using passive mode. Seems that pftpx is not giving out the LAN IP address for the client to connect to.

    COMMAND:> PASV
    227 Entering Passive Mode (10,10,1,15,149,86)
    COMMAND:> LIST
    STATUS:>  Connecting ftp data socket 10.10.1.15:38230…



  • In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/



  • @hoba:

    In case you run anything older than this please upgrade: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

    I was using the 9-3-2006 snapshot, but just upgraded to the 9-12-2006 snapshot and am having the same issue still. Feel free to try and ftp to the server "wgnrs.dynalias.com". It accepts anonymous connections and is just a blank install of vsFTPd on Fedora Core 4.

    passive mode communication
    --------------------------------------
    mason> ftp     
    ftp> passive
    Passive mode on.
    ftp> open wgnrs.dynalias.com
    Connected to wgnrs.dynalias.com.
    220 (vsFTPd 2.0.3)
    Name (wgnrs.dynalias.com): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> ls
    421 Service not available, remote server has closed connection
    Passive mode refused. Try PORT
    No control connection for command: Transport endpoint is not connected

    port mode communication

    mason> ftp           
    ftp> open wgnrs.dynalias.com
    Connected to wgnrs.dynalias.com.
    220 (vsFTPd 2.0.3)
    Name (wgnrs.dynalias.com): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp> cd ..
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    pub
    226 Directory send OK.
    5 bytes received in 0.0036 seconds (1.36 Kbytes/s)



  • After the upgrade I'm now getting a ton of msntp errors so I am clean installing the snapshot. We'll see how it goes.

    Sep 14 01:21:33 msntp[3201]: msntp: Unknown error: 0
    Sep 14 01:21:33 msntp[3201]: msntp: unable to locate IP address/number
    Sep 14 01:21:33 msntp[3201]: msntp: bad daemon restart information
    Sep 14 01:21:33 msntp[3201]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 61.129.66.79
    Sep 14 01:21:33 msntp[3201]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000



  • Got it clean installed to snapshot 09-12-06 and the msntp error looks like it cleared up; see output below. I can't remember if the bad daemon restart information was always there or not. Anyways, FTP still has the same issue where passive transfers don't work.

    Sep 14 01:52:45 msntp[636]: msntp: 2006 Sep 14 01:52:45.132 + -0.000 +/- 0.206 secs
    Sep 14 01:52:45 msntp[636]: msntp: after 0.6 secs acc. 1 rej. 0 flush 0 max.off. 0.369 corr. 0.369
    Sep 14 01:52:44 msntp[636]: msntp: using NTP server 20six.fr (84.16.227.161)
    Sep 14 01:52:44 msntp[636]: msntp: bad daemon restart information
    Sep 14 01:52:44 msntp[636]: d=18000 c=5 x=18000 op=1 l=/var/run/msntp.pid f=/var/db/msntp.state 84.16.227.161
    Sep 14 01:52:44 msntp[636]: msntp options: a=2 p=0 v=1 e=0.100 E=5.000 P=2147483647.000



  • If you're talking about an 'incoming FTP connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

    If all these posts describe your problem, then you will find a temp. solution over there.

    It's (re)boot persistent.

    And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

    PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.



  • @Gertjan:

    If you're talking about an 'incoming FTP connection' to an internal FTP server on your LAN, then drop by over here: http://forum.pfsense.org/index.php?topic=2071.msg11954#msg11954

    If all these posts describe your problem, then you will find a temp. solution over there.

    It's (re)boot persistent.

    And, just tested, Active and Passive FTP transfer works. (FTP Server = Serv-U (demo-latest) on LAN, FTP Client accessing from the Internet, using SmartFtp (demo-latest).)

    PS: I don't think msntp is FTP related. I also upgraded to 1.0-SNAPSHOT-09-12-06 - built on Tue Sep 12 21:37:35 UTC 2006 - but didn't see any issues. msntp just grabs the time from the net.

    No, I know the msntp issue is not related. Just that I was advised to go to the latest snapshot and when I did the upgrade msntp errors started popping up every minute. Thus I ended up doing a clean install.

    My FTP issue is not the same. My IP address hardly changes and I don't use PPPoE. Yes, this is an incoming FTP issue.



  • Msntp has nothing to do with FTP.  Upgrade to the latest testing snapshot.



  • @rsw686:

    Is there something I am missing? FTP works only with the port connection type. Thus if I try and pull it up in Firefox, etc. that use passive connections it will not connect.

    Here's the error using passive mode. Seems that pftpx is not giving out the LAN IP address for the client to connect to.

    COMMAND:> PASV
    227 Entering Passive Mode (10,10,1,15,149,86)
    COMMAND:> LIST
    STATUS:>  Connecting ftp data socket 10.10.1.15:38230…

    Did you make sure to define which ports the FTP server uses as PASV ports? If you don't, the FTP server will pick a free port number at random, which I'm sure your firewall will block.
    If the answer is yes: do you also allow traffic to pass? (Firewall -> Rules should have an entry for your PASV port range)
    If the answer is no: define which ports the PASV data transport should use and add a rule to allow traffic to pass in pfSense.

    BTW, maybe you should consider using WebDAV; a client is default in almost any OS (including Windows) and when used with SSL it's safer than FTP as well (e.g. passwords don't get sent over the internet in clear text).



  • There is no reason to forward anything but port 21.

    The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

    The FTP Helper dynamically opens ports as they are needed.



  • @sullrich:

    There is no reason to forward anything but port 21.

    The entire reason of the FTP helper is to prevent the user from needing to tear open the firewall.

    The FTP Helper dynamically opens ports as they are needed.

    I didn't know this was what the FTP helper was for :)

    In that case I have the exact same problem because without the PASV port forwards enabled on my pfSense box (RC2) I get the exact same problem…. (with Serv-U FTP)





  • @sullrich:

    Upgrade to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

    I already updated to the latest version SNAPSHOT-09-12-06 and am still having the problem. The FTP helper will not open the ports for passive mode. Only works for port mode. I even tried defining my IP address in vsftp for passive mode and it still does not work.

    The guy who recommended I use something else, that's not the point. I would like to get FTP working. I normally use SSH anyways.



  • #1 Make sure you are using CARP type IPs for virtual IPs
    #2 Make sure the port forward is for port "21" ONLY

    If you are on the latest version and follow the above it really should work.



  • @sullrich:

    #1 Make sure you are using CARP type IPs for virtual IPs
    #2 Make sure the port forward is for port "21" ONLY

    If you are on the latest version and follow the above it really should work.

    Sure?

    I'm using a PPPoE connection on the WAN interface, and I can assure you that

    1. These two are running after reboot (and IP 24H 'hup'):
      /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
      /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
    2. This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply)
      /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21
      If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto-created firewall WAN rules).

    Am I saying something wrong, or am I missing something?
    When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log).

    Anyway, checking check_reload_status.c right now to see who is running what and when... (rather simple piece of code at first - but your baby IS complicated when you dig into it...)

