Netgate Discussion Forum

    What is pftpx?

      hsiang

      I checked my pfSense; I have only the squid package installed.
      However, starting last week I keep seeing "pfsense01 pftpx[749] server refuse connection" in my syslog.

      I checked on the web; it relates to FTP. However, I did not configure any FTP server here. The connections keep coming every hour…

      What happened??

        hoba

        It's the ftp-helper that opens ports for active ftp connections through the firewall when needed or replaces the private IPs at your end of the connection with the public IP at your WAN interface. FTP is quite a tricky protocol. However, if you don't like it you can disable it per interface (see interfaces>interfacename in the webgui, it's a checkbox called ftp-helper).

          Gertjan

          …and:
          The pftpx helper-app will be started only if you natted port 21 from WAN to an internal LAN address.

          I'll bet you have a line like that on your "NAT GUI page" (2 more are added automatically on your Firewall Rules WAN page).

          The solution is: if you don't use/need incoming FTP connections, don't nat port 21 to anywhere (on your LAN). Then pftpx won't be started - so it won't be triggered when someone knocks on your WAN-21 port…

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            hsiang

            Under FTP Helper, I had checked "Disable the userland FTP-Proxy application" on both my WAN and DMZ interfaces.

            However, when I checked "Disable the userland FTP-Proxy application" on my LAN interface, although I allowed FTP in the firewall rules, users are not able to FTP to servers on the Internet.

            I did not do any NAT/ port redirect in my NAT from WAN to LAN.

            What can i do to get rid of the error?

              sullrich

              Make sure you are on the latest version: http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-26-06/

                Gertjan

                @hsiang:

                > However, when I checked "Disable the userland FTP-Proxy application" on my LAN interface, although I allowed FTP in the firewall rules, users are not able to FTP to servers on the Internet.

                Just tried that. I checked them all on all my interfaces (non bridged) - I could still use an FTP client from the LAN segment to visit ftp.us.debian.org just fine (passive mode).

                > I did not do any NAT/ port redirect in my NAT from WAN to LAN.

                Post here from SSH: ps auwx | grep pftpx | grep -v grep to see who is listening on your WAN interface.

                > What can i do to get rid of the error?

                Use the latest one: 1.0-SNAPSHOT-09-26-06 - …...
                Some pftpx startup logic was changed 10 days ago.

                  hsiang

                  1. I tried disabling the userland FTP Proxy application on my LAN interface. I am able to FTP to the server mentioned. However, when I disable the FTP proxy, my other FreeBSD server is not able to run pkg_add from the LAN.

                  2. I think it is my LAN interface that is listening. Am I right?

                  ps auwx | grep pftpx |grep -v grep

                  proxy    742  0.0  0.0  656  420  ??  Ss    3:43PM  0:00.07 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.0.229

                  3. I have updated to the latest 1.0-SNAPSHOT-09-26-06

                    hoba

                    RC3 was just released. Give that a try please.

                      Gertjan

                      @hsiang:

                      > 2. I think it is my LAN interface that is listening. Am I right?
                      >
                      > ps auwx | grep pftpx |grep -v grep
                      >
                      > proxy    742  0.0  0.0   656   420  ??  Ss    3:43PM   0:00.07 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.0.229

                      There should be a second line saying :
                      …
                      proxy  8180  0.0  0.1  656  444  ??  SNs  1:51PM  0:00.00 /usr/local/sbin/pftpx -f 192.168.1.2 -b 90.5.251.247 -c 21 -g 21

                      192.168.1.2 -> is my local FTP server.
                      90.5.251.247 -> is my (current) WAN IP…

                      It's working ....  :)

                        hsiang

                        Dear All,

                        This is my current configuration
                        LAN - Disable FTP Helper - UNCHECKED
                        DMZ - Disable FTP Helper - Checked
                        WAN - Disable FTP Helper - Checked

                        Scenario 1:
                        If I select Disable FTP Helper on LAN, users on the LAN are not able to access the FTP server in the DMZ using the Smart FTP program. It has a problem listing the folders.

                        Scenario 2:
                        I have another FTP server on the LAN; when accessed from the public side, it has a problem listing the folders. I have allowed FTP access to the server in the firewall rules. The server is using 1:1 NAT.

                        Any ideas?

                          sullrich

                          There were a couple of FTP bugs fixed when you do not have a default allow LAN rule installed. Is this the case for you?

                            hsiang

                            I define all the rules on the LAN interface without using the default rules. In this case I should not have the FTP problem mentioned??

                              sullrich

                              If you are not using a default allow all LAN rule then this is a bug and will be fixed in the coming weeks.

                                hsiang

                                Thanks Sullrich.

                                  hsiang

                                  Dear Sullrich,

                                  I have patched my pfSense to 1.0.1-SNAPSHOT-01-24-2007

                                  Referring to the FTP discussion in the forum, I have configured my pfSense as below:

                                  WAN & LAN interface - disable the userland FTP proxy application - UNCHECKED

                                  My FTP server is connected to the LAN interface and uses NAT to have its own public address.

                                  In firewall rules:
                                  LAN - server outgoing to any - FTP (21) allow.
                                  WAN - any incoming to FTP server - FTP (21) allow.

                                  When I test from the public side, I am able to FTP to the server's public address and authenticate. However, I am unable to transfer data or do a listing.

                                  I assume that this latest snapshot has fixed the bug you mentioned.

                                    Mercredi

                                    Also be sure what you are doing. For passive FTP mode you need to map a large number of TCP ports on your FTP server, allow these ports to interact with any, and configure these ports to be used by your FTP server for passive FTP mode. For active FTP mode you not only need to map port 21 to your FTP server, but also allow traffic going from port 20 to any from the FTP server.

                                      hoba

                                      The ftphelper usually takes care of all this. You only need port 21 usually and the helper will do the rest.

                                      1 Reply Last reply Reply Quote 0
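What an FTP helper has to do on the control channel to cover the active and passive cases discussed in the posts above, as an added example that is not part of any post and is not pftpx's own code: parse the address and port carried in PORT commands and 227 replies, swap the private address for the public one, and note the data port that must be let through. The function names, the addresses and the session lines are constructed for illustration.

```python
import re

# Six comma-separated bytes: h1,h2,h3,h4,p1,p2 (used by PORT and by 227 replies).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) advertised by a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed tuple: forward unchanged, open nothing
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite(line, private_ip, public_ip):
    """Swap private_ip for public_ip; return (line_to_forward, data_port).

    data_port is None when the line advertises nothing, or advertises an
    address other than private_ip (no pinhole towards a third host).
    """
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != private_ip:
        return line, None
    port = parsed[1]
    new = "{},{},{}".format(public_ip.replace(".", ","), port >> 8, port & 0xFF)
    return HOSTPORT.sub(new, line, count=1), port

def pinholes(control_lines, private_ip, public_ip):
    """Data ports a helper would have to let through for this control session."""
    ports = []
    for line in control_lines:
        _, port = rewrite(line, private_ip, public_ip)
        if port is not None:
            ports.append(port)
    return ports

# Constructed control-channel lines from an FTP server at 192.168.1.2 behind NAT.
SESSION = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,168,1,2,195,80)",
    "226 Transfer complete",
    "227 Entering Passive Mode (10,0,0,9,4,1)",  # foreign address: ignored
]
```

Without this rewriting, a client outside the NAT is told to connect to 192.168.1.2, which matches the symptom reported in the thread: login works, listings and transfers do not.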
                                        Mercredi

                                        @hoba:

                                        > The ftphelper usually takes care of all this. You only need port 21 usually and the helper will do the rest.

                                        But what about multihomed multi-WAN setups? Active FTP works only with the ftp-helper (similar to conntrack_ftp from iptables or not?)

                                        Recently I configured my pfSense to serve a dual-WAN setup. The WAN interface works with the ftp-helper, and I disabled the ftp-helper for the OPT1 interface and mapped a large number of TCP ports to the server, and it works. The server is configured to act with the OPT1 public IP in headers, so the ftp-helper on the WAN interface can still work well, and connections coming from OPT1 are served too. But what to do to work with the third WAN connection?

                                          sullrich

                                          FAQ.  Multiwan and FTP do not work.

                                          This has been mentioned hundreds of times on the forum and there is even a faq entry at faq.pfsense.com

                                            Mercredi

                                            Dual-WAN and FTP works well!!!!

                                            But the one and only bug I see is that when somebody connects to my server from WAN (where the ftp-helper still works), in my server logs I see only my pfSense LAN IP, not the IP address of the user from outside :)
