RC3 and FTP
-
Shoot…
In my last post I was writing an answer based on/concerning incoming FTP.
In your case, everything is already set up to handle outgoing FTP.
This must be a firewall question (or related) because 'from the box' FTP just works great - I use RC3e.
Using two internal interfaces this gives me:
ps auwx | grep pftpx | grep -v grep
proxy 612 0.0 0.1 656 424 ?? Ss Fri12PM 0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
proxy 29739 0.0 0.1 656 532 ?? Ss 5:17PM 0:00.00 /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand like this:
killall pftpx
/usr/local/sbin/pftpx -D 7 -c 8021 -g 8021 192.168.1.1
/usr/local/sbin/pftpx -D 7 -c 8022 -g 8021 192.168.2.1
Remember, I have two interfaces.
I started - and stopped - an FTP session from a LAN client (192.168.1.15); the syslog output was then:
…
Oct 7 17:28:34 pftpx[30327]: #1 ending session
Oct 7 17:28:34 pftpx[30327]: #1 server close
#Oct 7 17:23:34 pftpx[30327]: #1 passive: client to server port 36285 via port 57466
Oct 7 17:23:27 pftpx[30327]: #1 FTP session 1/100 started: client 192.168.1.15 to server 64.193.213.135 via proxy 82.128.125.169
Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
…
To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand…
...
I started - and stopped - an FTP session from a LAN client (192.168.1.15)
I did the same:
- Killed all pftpx instantiations
- Restarted them with the -D 7 argument
- Tried an ftp connection. Result:
- FTP connection fails with
and there was no indication in the syslog that pftpx was grabbing it.
I located man pages and source code for pftpx, and the problem that I seem to be finding is a lack of an rdr rule to redirect traffic on my primary LAN to the pftpx daemon:
nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024
-----
<bunch of inbound rdr rules on WAN interfaces>
------
rdr-anchor "miniupnpd" all
-
Apologies for the previous incomplete post.
To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand…
...
I started - and stopped - an FTP session from a LAN client (192.168.1.15)
I did the same:
- Killed all pftpx instantiations
- Restarted them with the -D 7 argument
- Tried an ftp connection. Result:
- FTP connects and logs in, but an "ls" fails with "500 Illegal PORT command rejected"
- No indication in syslogs of any activity with pftpx
==> pftpx is not getting connections from the primary LAN
I then located man pages and source code for pftpx, and understood that pf needs a port redirect rule for each internal network to redirect the ftp traffic to the proxy listening on port 802x.
==> Does this rule exist?
I find an rdr rule for two of my LANs, but none for my primary LAN (comments added are mine):
# pfctl -s nat
nat-anchor "pftpx/" all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
rdr-anchor "pftpx/" all
rdr-anchor "slb" all
no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023 # for one LAN
no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024 # for another LAN
-----
<bunch of inbound rdr rules on WAN interfaces>
------
rdr-anchor "miniupnpd" all

What I must discover
--------------------
Why do I not have a NAT rule to provide transparent proxying on the primary LAN, when it works on the others?
- Could it be an artifact of once being configured with "disable userland proxy"?
- Any other suggestions on how to make this happen?
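The question in the post above is whether an rdr rule exists per internal interface. Here is a small check, added as an example and not part of the thread or of pfSense, that reads a `pfctl -s nat` listing and reports which interfaces have no rule sending port 21 to the local pftpx listener. The interface names (LAN, LAN_2, LAN_3) and the sample listing are constructed, modelled on the rules quoted in the thread; on a live box the sample is replaced by the real `pfctl -s nat` output.

```shell
#!/bin/sh
# Added example, not from the thread: find internal interfaces that lack an
# "rdr ... port = ftp -> 127.0.0.1 port 802x" rule for the pftpx proxy.

# Constructed sample listing, shaped like the one quoted in the thread
# (LAN_2 and LAN_3 have the proxy rdr rule, the primary LAN does not).
SAMPLE_NAT='nat-anchor "pftpx/" all
nat on WAN inet from 192.168.1.0/24 to any -> (sis3) round-robin
rdr-anchor "pftpx/" all
no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024'

# missing_ftp_rdr IFACES NAT_OUTPUT
# Prints, one per line, every interface in IFACES (space separated) for which
# NAT_OUTPUT contains no rdr rule redirecting ftp to 127.0.0.1 port 802x.
missing_ftp_rdr() {
    ifaces=$1
    nat=$2
    for iface in $ifaces; do
        # Anchor on "rdr on <iface> " so LAN does not match LAN_2 or LAN_3.
        if ! printf '%s\n' "$nat" | grep -q "^rdr on $iface .*port = ftp -> 127\.0\.0\.1 port 802[0-9]"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Usage: replace "$SAMPLE_NAT" with "$(pfctl -s nat)" on the firewall itself.
missing_ftp_rdr "LAN LAN_2 LAN_3" "$SAMPLE_NAT"
```

Run against the sample it prints only `LAN`, which is exactly the situation described above: the proxy rule exists for two LANs and is absent for the primary one.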
-
-
doesn't work for me >:(
I have pfSense 1.0.1 and an FTP server listening on port 2121 at IP x.x.x.3
I tried with "Disable the userland FTP-Proxy application" disabled and enabled, on the WAN and LAN interfaces; but nothing happens.
I created the NAT forward and the rule (automatically).
With my dual WAN only port 21 in active mode works… if I try to download or change directory in passive mode, the reply takes a very long time, then disconnection. . . .
-
RC3 is quite old. I am locking this thread to avoid confusion.