Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ftp passiv mode problem with FW Rules

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    24 Posts 13 Posters 9.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Efonnes
      last edited by

      I think you might be mixing up terminology, which is why I thought you were talking about a local FTP server.  According to an FTP client I use, passive mode would be the mode where the FTP server is the one listening for the data connections and active mode would be the mode where the FTP client is the one listening for the data connections.  Most public FTP servers would be configured to be able to work with passive mode, since it is easier for them to do that than to give instructions to everyone for configuring their router or firewall.

      In either case, depending on the program you use, for a client there may be an option to configure which ports it uses for active mode, and for a server there may be an option to configure which ports it uses for passive mode.  The side that will be listening for the data connection is the one that determines which port number to use for the connection.

      -edit-

      Rereading your post, I realized you might be trying to restrict outbound connections to only certain allowed ports.  Is this correct?  If that is the case, you probably need to have something proxy the FTP connections and force active mode instead of passive.

      1 Reply Last reply Reply Quote 0
      • C
        cipey
        last edited by

        You're right, i restrict all outbound port except 80,21,20,443,22,1723 (udp or tcp). I know that in passive mode, server ask client to connect to a random port from 1024 to 65535, except when the administrator defined manually the ports, but how to know that??
        Before i used pftpx proxy for outbound connection but in 2.0 pftpx does not exist no more. Then I suppose i don't have any other solution keeping ports 1024 to 65535 every time open.
        regards

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          Try out newer snapshots than this post it should be fixed.

          1 Reply Last reply Reply Quote 0
          • K
            kpa
            last edited by

            With the latest snapshot "2.0-BETA1 built on Sun Apr 4 08:35:10 EDT 2010" outbound (from LAN) passive mode ftp seems to be broken, active mode works fine.

            It seems that the ftp client is connecting to the WAN address of pfSense instead of the real address of the FTP server for the data connection when passive mode is used, anyone else notice this?

            I'm not restricting outbound connections on LAN interface btw.

            1 Reply Last reply Reply Quote 0
            • R
              react
              last edited by

              I'm seeing this as well with pfSense-2.0-BETA1-20100406-1034, kpa.

              1 Reply Last reply Reply Quote 0
              • D
                DennisBagley
                last edited by

                yep - seeing this on Apr 5 20:35:18 build with pasv to external 3rd party ftp servers

                seperately
                active does not work for me either - not sure if its because of double nat [ lan->pfsnse->adsl_router(s) ] or just allowing huge fw inbound ports on wan

                [ from 8.1 updater run on 8.0 box - still says 8.0 ??? is this right ??? ]

                1 Reply Last reply Reply Quote 0
                • R
                  react
                  last edited by

                  I've been running an old alpha for at least 6 months. When was the last build that worked for you guys?

                  I wonder if this change is implicit:

                  http://redmine.pfsense.org/repositories/revision/3/53e2d23469c707bf7d66ad680a0b1c422f2e6548

                  1 Reply Last reply Reply Quote 0
                  • D
                    danswartz
                    last edited by

                    I think you probably meant complicit, not implicit :)

                    1 Reply Last reply Reply Quote 0
                    • R
                      react
                      last edited by

                      Perhaps but in either case downgrading to 2.0-BETA1-20100331-1228 looks to have resolved this issue for me.

                      Does anyone care to file a bug report?

                      1 Reply Last reply Reply Quote 0
                      • C
                        cmb
                        last edited by

                        There is something broken in the FTP proxy since changes last week. Ermal is on vacation this week, he'll fix when he's back next week.

                        1 Reply Last reply Reply Quote 0
                        • M
                          MrHorizontal
                          last edited by

                          On snap 20100409-1808 whenever I try to start an FTP transaction I get a panic. For the record, it may be a conflict with OpenVPN since I'm shunting all data down an OPVN tunnel rather than the WAN…

                          1 Reply Last reply Reply Quote 0
                          • E
                            eri--
                            last edited by

                            Try newer snaps

                            1 Reply Last reply Reply Quote 0
                            • K
                              kpa
                              last edited by

                              Seems to be working again on "2.0-BETA1 built on Tue Apr 13 19:26:36 EDT 2010" snapshot, tested both active and passive mode. I didn't test with restrictive outbound rules on LAN.

                              Thanks Ermal  :)

                              1 Reply Last reply Reply Quote 0
                              • ?
                                Guest
                                last edited by

                                Hi guys, I have always problems with the passive, can I ask for some HowTo to pf2.0 or advice set it properly

                                EDITED

                                OK it's working without any rules in FW … SNAP from 13th

                                1 Reply Last reply Reply Quote 0
                                • M
                                  MrHorizontal
                                  last edited by

                                  I still have a problem on "2.0-BETA1 built on Wed Apr 14 19:40:01 EDT 2010". Whenever an FTP transaction starts, it's OpenVPN that crashes.

                                  This pf is setup to route through one of 7 OVPN instances…

                                  pf-ftp-ovpn-crash.gif
                                  pf-ftp-ovpn-crash.gif_thumb

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    eri--
                                    last edited by

                                    can you please do a 'bt' at that prompt.
                                    Please send me your pf.conf ruleset(mask any addresses that you need to).

                                    1 Reply Last reply Reply Quote 0
                                    • L
                                      limgad
                                      last edited by

                                      if i understand correctly, passive ftp should now work out of the box.
                                      In my case, it doesn't.
                                      I tried downgrading to 04/13 snap but same thing. Active ftp works, but passive doesn't.

                                      Any hints/ideas to what i might be setting wrong?

                                      1 Reply Last reply Reply Quote 0
                                      • X
                                        xbipin
                                        last edited by

                                        passive ftp works on my alix running 1st may nanobsd snaps

                                        1 Reply Last reply Reply Quote 0
                                        • L
                                          limgad
                                          last edited by

                                          Snap from May 1 works.
                                          Thank god! (On my network i'm heavily dependent on ftp)

                                          Thanks for the info xbipin

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.