Netgate Discussion Forum
    RC3 and FTP

    General pfSense Questions
    27 Posts 10 Posters 13.8k Views
    • Gertjan

      Shoot…

      In my last post I was writing an answer based/concerning incoming FTP.
      In your case, all is already up to handle outgoing ftp.
      This must be a firewall question (or related) because 'from the box' FTP just works great - I use RC3e.
      Using two internal interfaces this gives me:

      ps auwx | grep pftpx | grep -v grep

      proxy    612  0.0  0.1  656  424  ??  Ss  Fri12PM  0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
      proxy  29739  0.0  0.1  656  532  ??  Ss    5:17PM  0:00.00 /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • Gertjan

        To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand like this:

        killall pftpx

        /usr/local/sbin/pftpx -D 7 -c 8021 -g 8021 192.168.1.1

        /usr/local/sbin/pftpx -D 7 -c 8022 -g 8021 192.168.2.1

        Remember, I have two interfaces.

        I started - and stopped - an FTP session from a LAN client (192.168.1.15); the syslog output was then:

        …
        Oct 7 17:28:34 pftpx[30327]: #1 ending session
        Oct 7 17:28:34 pftpx[30327]: #1 server close
        Oct 7 17:23:34 pftpx[30327]: #1 passive: client to server port 36285 via port 57466
        Oct 7 17:23:27 pftpx[30327]: #1 FTP session 1/100 started: client 192.168.1.15 to server 64.193.213.135 via proxy 82.128.125.169
        Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
        Oct 7 17:23:09 pftpx[30331]: listening on 127.0.0.1 port 8022
        Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
        Oct 7 17:23:00 pftpx[30327]: listening on 127.0.0.1 port 8021
        Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
        Oct 7 17:22:48 pftpx[29739]: pftpx exiting on signal 15
        …

        • Voami
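The session line above ("client 192.168.1.15 to server 64.193.213.135 via proxy 82.128.125.169") shows what the userland proxy is for: the FTP server never sees the private LAN address, only the proxy's. The following is an added example, not pftpx source code or anything from the thread: a small model of the one rewrite that matters for active mode, the PORT command, plus the check a sane FTP server applies to it (the address in PORT has to match the control-connection peer, otherwise it is an FTP-bounce attempt). Addresses come from the log above; the port numbers 1025 and 57466 and the server's reply policy are constructed for the example.

```python
# Added example (not pftpx code): why an FTP client behind NAT whose traffic
# is NOT redirected to the proxy gets its PORT command rejected, and what the
# transparent proxy rewrites when the traffic IS redirected.
# Addresses are taken from the pftpx log in this thread; client data port
# 1025, proxy data port 57466 and the server policy are constructed.
import ipaddress
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); raise on garbage."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % cmd)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def format_port(ip, port):
    """Encode (ip, port) as the wire form of the PORT command."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def server_reply_to_port(control_peer_ip, cmd):
    """Model of a sanely configured FTP server: the address announced in PORT
    must be the address the control connection came from (anti FTP-bounce)
    and the port must not be privileged; anything else is rejected."""
    try:
        ip, port = parse_port(cmd)
    except ValueError:
        return "500 Illegal PORT command rejected\r\n"
    if ip != control_peer_ip or port < 1024:
        return "500 Illegal PORT command rejected\r\n"
    return "200 PORT command successful\r\n"


class TransparentFtpProxy:
    """Client-side proxy model: rewrites PORT so the server sees the proxy's
    public address, and remembers where the data connection really goes.
    (pftpx hands the data connection to pf via its anchors; that part is
    not modelled here.)"""

    def __init__(self, public_ip, data_ports):
        self.public_ip = public_ip
        self._free = list(data_ports)
        self.data_map = {}      # proxy listen port -> (client ip, client port)

    def client_to_server(self, line):
        if not line.upper().startswith("PORT "):
            return line         # everything else passes through untouched
        ip, port = parse_port(line)
        if not ipaddress.ip_address(ip).is_private:
            return line         # nothing to hide, leave it alone
        if not self._free:
            raise RuntimeError("no free proxy data port")
        lport = self._free.pop(0)
        self.data_map[lport] = (ip, port)
        return format_port(self.public_ip, lport)


def demo():
    """Same PORT command, once without and once with the proxy in the path."""
    client_ip, nat_ip = "192.168.1.15", "82.128.125.169"
    cmd = format_port(client_ip, 1025)
    # No rdr rule: only the IP header was NATed, the payload still carries the
    # private address, so the server rejects it.
    direct = server_reply_to_port(nat_ip, cmd)
    proxy = TransparentFtpProxy(nat_ip, range(57466, 57500))
    via_proxy = server_reply_to_port(nat_ip, proxy.client_to_server(cmd))
    return direct, via_proxy, proxy.data_map


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Passive mode is the other way round: the client opens the data connection itself towards the address the server announces, so no PORT rewrite is involved and the connection goes out through the ordinary NAT rule.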

          @Gertjan:

          To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand…
          ...
          I started - and stopped - an FTP session from a LAN client (192.168.1.15)

          I did the same:

          • Killed all pftpx instantiations

          • Restarted them with the -D 7 argument

          • Tried an ftp connection. Result:

          • FTP connection fails with

          and there was no indication in the syslog that pftpx was grabbing it.

          I located man pages and source code for pftpx, and the problem that I seem to be finding is a lack of an rdr rule to redirect traffic on my primary LAN to the pftpx daemon:

          nat-anchor "pftpx/*" all
          nat-anchor "natearly/*" all
          nat-anchor "natrules/*" all
          nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
          nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
          nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
          rdr-anchor "pftpx/*" all
          rdr-anchor "slb" all
          no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
          rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
          no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
          rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024
          ----
          <bunch of inbound rdr rules on WAN interfaces>
          ----
          rdr-anchor "miniupnpd" all

          • Voami

            Apologies for the previous incomplete post.

            @Gertjan:

            To see some more info in the syslog, I killed all pftpx processes, and restarted them by hand…
            ...
            I started - and stopped - an FTP session from a LAN client (192.168.1.15)

            I did the same:

            • Killed all pftpx instantiations

            • Restarted them with the -D 7 argument

            • Tried an ftp connection. Result:

              • FTP connects and logs in, but an "ls" fails with  "500 Illegal PORT command rejected"

              • No indication in syslogs of any activity with pftpx

            ==> pftpx is not getting connections from the primary LAN

            I then located man pages and source code for pftpx, and understood that pf needs a port redirect rule for each internal network to redirect the ftp traffic to the proxy listening on port 802x.

            ==> Does this rule exist?

            I find an rdr rule for two of my LANs, but none for my primary LAN (comments added are mine):

            # pfctl -s nat
            nat-anchor "pftpx/*" all
            nat-anchor "natearly/*" all
            nat-anchor "natrules/*" all
            nat on WAN inet from lan.1.ip.addr/24 to any -> (sis3) round-robin
            nat on WAN inet from lan.2.ip.addr/24 to any -> (sis3) round-robin
            nat on WAN inet from lan.3.ip.addr to any -> (sis3) round-robin
            rdr-anchor "pftpx/*" all
            rdr-anchor "slb" all
            no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
            rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023    # for one LAN
            no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
            rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024    # for another LAN
            ----
            <bunch of inbound rdr rules on WAN interfaces>
            ----
            rdr-anchor "miniupnpd" all

            What I must discover
            --------------------

            • Why do I not have a NAT rule to provide transparent proxying on the primary LAN, when it works on the others?

              • Could it be an artifact of once being configured with "disable userland proxy"?
            • Any other suggestions on how to make this happen?

            • cauly
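The post above narrows the fault down to the wiring between pf and the proxy: pftpx is running, but without a `rdr ... port = ftp -> 127.0.0.1 port 802x` rule on an interface, clients on that interface talk to the FTP server directly and their PORT command (carrying a private address) is rejected. The script below is an added example, not pfSense or pftpx code: it cross-checks the text of `pfctl -s nat` against the `ps` output for pftpx and reports each interface whose redirect is missing, points at a port nobody listens on, or points at a pftpx instance started for a different interface address, as well as pftpx instances that no rule feeds. The sample texts are constructed from the rule and process lines quoted in this thread; the interface-to-address map is an assumption (on the firewall you would take it from `ifconfig`), and so are the `LAN`/`LAN_2`/`LAN_3` addresses.

```python
# Added example, not pfSense or pftpx code: audit the transparent FTP proxy
# wiring. Feed audit() the captured text of `pfctl -s nat` and
# `ps auxw | grep pftpx`; the samples below are constructed from the lines
# quoted in this thread and reproduce the "no rdr on the primary LAN" case.
import re

# Only the ftp redirects to the local proxy are of interest.
RDR_RE = re.compile(r"^rdr on (\S+) .*port = ftp -> 127\.0\.0\.1 port (\d+)\s*$")

SAMPLE_NAT = """\
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on WAN inet from 192.168.1.0/24 to any -> (sis3) round-robin
nat on WAN inet from 192.168.2.0/24 to any -> (sis3) round-robin
nat on WAN inet from 192.168.3.1 to any -> (sis3) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
no rdr on LAN_3 proto tcp from any to <vpns> port = ftp
rdr on LAN_3 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8023
no rdr on LAN_2 proto tcp from any to <vpns> port = ftp
rdr on LAN_2 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8024
rdr-anchor "miniupnpd" all
"""

# Constructed ps output: three proxies, one per interface (same shape as the
# ps line in this thread, the -D 7 debug flag included on one of them).
SAMPLE_PS = """\
proxy    612  0.0  0.1  656  424  ??  Ss  Fri12PM  0:00.47 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
proxy  29739  0.0  0.1  656  532  ??  Ss    5:17PM  0:00.00 /usr/local/sbin/pftpx -D 7 -c 8023 -g 8021 192.168.3.1
proxy  29740  0.0  0.1  656  532  ??  Ss    5:17PM  0:00.00 /usr/local/sbin/pftpx -c 8024 -g 8021 192.168.2.1
root   30412  0.0  0.1  420  200  p0  R+    5:20PM  0:00.00 grep pftpx
"""

# Assumed interface -> address map (read it from ifconfig on a real box).
SAMPLE_IFACES = {"LAN": "192.168.1.1", "LAN_2": "192.168.2.1", "LAN_3": "192.168.3.1"}


def parse_rdr(pfctl_text):
    """interface -> local proxy port, from the ftp rdr rules only."""
    out = {}
    for line in pfctl_text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_pftpx(ps_text):
    """proxy port (-c) -> interface address each pftpx instance was started for."""
    out = {}
    for line in ps_text.splitlines():
        if "pftpx" not in line or " grep " in line:
            continue
        argv = line.split("pftpx", 1)[1].split()
        if "-c" in argv and argv.index("-c") + 1 < len(argv):
            out[int(argv[argv.index("-c") + 1])] = argv[-1]
    return out


def audit(pfctl_text, ps_text, iface_addr):
    """Return a list of findings; an empty list means every interface is wired."""
    rdr = parse_rdr(pfctl_text)
    proxies = parse_pftpx(ps_text)
    findings = []
    for iface, addr in sorted(iface_addr.items()):
        port = rdr.get(iface)
        if port is None:
            findings.append("%s: no rdr rule for port 21, clients reach the FTP server directly" % iface)
            continue
        bound = proxies.get(port)
        if bound is None:
            findings.append("%s: rdr sends port 21 to 127.0.0.1:%d but no pftpx listens there" % (iface, port))
        elif bound != addr:
            findings.append("%s: rdr -> 127.0.0.1:%d but that pftpx was started for %s, not %s"
                            % (iface, port, bound, addr))
    fed = set(rdr.values())
    for port, addr in sorted(proxies.items()):
        if port not in fed:
            findings.append("pftpx on 127.0.0.1:%d (started for %s) has no rdr rule feeding it" % (port, addr))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAT, SAMPLE_PS, SAMPLE_IFACES) or ["all interfaces wired"]:
        print(finding)
```

On the constructed input the audit reports exactly the situation described in the post: `LAN` has no redirect, and the pftpx instance on port 8021 sits idle because nothing feeds it. Adding the missing `rdr on LAN ... -> 127.0.0.1 port 8021` line to the rule text makes the finding list empty.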

              Doesn't work for me  >:(

              I have pfSense 1.0.1 and an FTP server listening on port 2121 at IP x.x.x.3.

              I tried with "Disable the userland FTP-Proxy application" both on and off, on the WAN and LAN interfaces, but nothing happens.
              I created the NAT forward and the rule (automatically).

              • OrCAD

                With my dual WAN only port 21 in active mode works… if I try to download or change directory in passive mode, the reply takes a very long time and then it disconnects.

                • sullrich

                  RC3 is quite old.  I am locking this thread to avoid confusion.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.