FTP passive mode problem with FW rules
-
I think you might be mixing up terminology, which is why I thought you were talking about a local FTP server. According to an FTP client I use, passive mode would be the mode where the FTP server is the one listening for the data connections and active mode would be the mode where the FTP client is the one listening for the data connections. Most public FTP servers would be configured to be able to work with passive mode, since it is easier for them to do that than to give instructions to everyone for configuring their router or firewall.
In either case, depending on the program you use, for a client there may be an option to configure which ports it uses for active mode, and for a server there may be an option to configure which ports it uses for passive mode. The side that will be listening for the data connection is the one that determines which port number to use for the connection.
-edit-
Rereading your post, I realized you might be trying to restrict outbound connections to only certain allowed ports. Is this correct? If that is the case, you probably need to have something proxy the FTP connections and force active mode instead of passive.
-
You're right, I restrict all outbound ports except 80, 21, 20, 443, 22, 1723 (UDP or TCP). I know that in passive mode the server asks the client to connect to a random port from 1024 to 65535, except when the administrator has manually defined the ports, but how do I know that??
Before, I used the pftpx proxy for outbound connections, but in 2.0 pftpx does not exist any more. Then I suppose I don't have any other solution than keeping ports 1024 to 65535 open all the time.
regards
-
Try out newer snapshots than this post; it should be fixed.
-
With the latest snapshot "2.0-BETA1 built on Sun Apr 4 08:35:10 EDT 2010", outbound (from LAN) passive mode FTP seems to be broken; active mode works fine.
It seems that the FTP client is connecting to the WAN address of pfSense instead of the real address of the FTP server for the data connection when passive mode is used. Anyone else notice this?
I'm not restricting outbound connections on the LAN interface, btw.
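Two things in the posts above are worth checking mechanically: the data port a server announces in its PASV reply (any port from 1024 to 65535 unless the admin pinned a range, which is what collides with a restrictive outbound rule) and the symptom where the announced address is the firewall's WAN address rather than the FTP server's. The following is an added example, not code from this thread or from pfSense, that parses a PASV reply and audits it against the control-connection peer and an outbound port policy; the server address, reply string and port list are constructed.

```python
import re

# Shape of the reply a server sends to PASV (RFC 959):
#   "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# The data port the client must connect to is p1*256 + p2.
PASV_RE = re.compile(r"^227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced in a PASV reply; raise on malformed input."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_peer: str, allowed_ports) -> list[str]:
    """Audit a PASV reply against the control connection and an outbound policy.

    control_peer is the address the control connection (port 21) went to;
    allowed_ports is any container supporting 'in' (a set or a range).
    An empty result means the data connection should be permitted by the
    policy and should reach the same server as the control connection.
    """
    host, port = parse_pasv(reply)
    findings = []
    if host != control_peer:
        # The symptom reported in the thread: the reply carries another
        # address (e.g. the firewall's WAN address) instead of the server's.
        findings.append(f"data address {host} differs from control peer {control_peer}")
    if port < 1024:
        findings.append(f"data port {port} is below 1024")
    if port not in allowed_ports:
        findings.append(f"data port {port} is not permitted by the outbound rule")
    return findings


# Constructed sample: a server at 198.51.100.7 (documentation range) answers
# PASV with port 195*256 + 80 = 50000; the policy is the port list from the thread.
POLICY_FROM_THREAD = {80, 21, 20, 443, 22, 1723}
SAMPLE_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)."

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_REPLY))
    print(check_pasv(SAMPLE_REPLY, "198.51.100.7", POLICY_FROM_THREAD))
    print(check_pasv(SAMPLE_REPLY, "198.51.100.7", range(1024, 65536)))
```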
-
I'm seeing this as well with pfSense-2.0-BETA1-20100406-1034, kpa.
-
Yep - seeing this on the Apr 5 20:35:18 build with PASV to external 3rd-party FTP servers.
Separately,
active does not work for me either - not sure if it's because of double NAT [ lan->pfsense->adsl_router(s) ] or just allowing huge FW inbound ports on WAN [ from 8.1 updater run on 8.0 box - still says 8.0 ??? is this right ??? ]
-
I've been running an old alpha for at least 6 months. When was the last build that worked for you guys?
I wonder if this change is implicit:
http://redmine.pfsense.org/repositories/revision/3/53e2d23469c707bf7d66ad680a0b1c422f2e6548
-
I think you probably meant complicit, not implicit :)
-
Perhaps but in either case downgrading to 2.0-BETA1-20100331-1228 looks to have resolved this issue for me.
Does anyone care to file a bug report?
-
There is something broken in the FTP proxy since changes last week. Ermal is on vacation this week, he'll fix when he's back next week.
-
On snap 20100409-1808 whenever I try to start an FTP transaction I get a panic. For the record, it may be a conflict with OpenVPN since I'm shunting all data down an OPVN tunnel rather than the WAN…
-
Try newer snaps
-
Seems to be working again on "2.0-BETA1 built on Tue Apr 13 19:26:36 EDT 2010" snapshot, tested both active and passive mode. I didn't test with restrictive outbound rules on LAN.
Thanks Ermal :)
-
Hi guys, I always have problems with passive mode; can I ask for some HowTo for pf2.0 or advice on setting it properly?
EDITED
OK it's working without any rules in FW … SNAP from 13th
-
I still have a problem on "2.0-BETA1 built on Wed Apr 14 19:40:01 EDT 2010". Whenever an FTP transaction starts, it's OpenVPN that crashes.
This pf is setup to route through one of 7 OVPN instances…
-
Can you please do a 'bt' at that prompt?
Please send me your pf.conf ruleset (mask any addresses that you need to).
-
If I understand correctly, passive FTP should now work out of the box.
In my case, it doesn't.
I tried downgrading to the 04/13 snap, but same thing. Active FTP works, but passive doesn't. Any hints/ideas as to what I might be setting wrong?
-
Passive FTP works on my ALIX running 1st May NanoBSD snaps.
-
Snap from May 1 works.
Thank God! (On my network I'm heavily dependent on FTP.) Thanks for the info, xbipin.