(RESOLVED) NAT rewrites active FTP PORT command incorrectly



  • I did a search for Active FTP before posting this.  Didn't see this particular issue, hence the post.
    Running recent builds (2010-05-16 & 17)

    I've got an FTP server behind pfSense 2.0 with a private IP.  Traffic is routed to it via port forwarding. PASV connections work great.  Active connections work great until the client issues the PORT command.  Packet captures show that the client is correctly issuing the PORT command with the client's IP address, but when it comes out of the firewall and hits the server, the PORT command has been rewritten to show pfSense's public IP address instead.

    I've tried this with 2 different pfSense boxes, 4 different FTP server boxes.  I've tried using non-standard ports, but the PORT command still gets re-written.

    Any chance this is something that can be tracked down and corrected quickly?



  • Ok - Just tested this from a FreeBSD FTP client.  The EPRT command used by FreeBSD also gets re-written by the receiving firewall.

    Also verified that telnetting from a FreeBSD client, I can reproduce the problem typing commands by hand.  I'm guessing that whatever is parsing the FTP commands is ignoring them if they are followed by a Windows CRLF.
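    To make the behaviour discussed in the two posts above concrete, here is an added example (not code from the thread, and not pfSense's own FTP proxy) that parses PORT and EPRT lines, tolerates both CRLF and bare LF line endings, and applies the decision rule a port-forward-aware proxy should use: rewrite the advertised address to the firewall's public IP only when that address belongs to the NAT'd inside network, and pass an outside client's own public address through untouched. The inside network (192.168.1.0/24), the public IP (198.51.100.1) and the client addresses are constructed for the example; a real proxy would also install the matching NAT state for the rewritten data port, which this example leaves out.

```python
import ipaddress
import re

# Constructed topology for the example (assumed, not from the thread):
# the FTP server sits on 192.168.1.0/24 behind the firewall, whose public
# address is 198.51.100.1; an outside client at 203.0.113.5 reaches the
# server through a port forward (the "rdr case" from the thread).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = ipaddress.ip_address("198.51.100.1")

# RFC 959 PORT: h1,h2,h3,h4,p1,p2 ; RFC 2428 EPRT: |proto|addr|port|
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|$", re.IGNORECASE)


def parse_data_endpoint(line):
    """Parse a PORT or EPRT control line into (verb, address, port).

    Trailing CR/LF (Windows CRLF or bare LF) is stripped before matching,
    which is exactly the detail the thread suspected of confusing the proxy.
    Returns None for any other command or for a malformed argument.
    """
    cmd = line.rstrip("\r\n")
    m = PORT_RE.match(cmd)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        addr = ipaddress.ip_address(".".join(str(o) for o in fields[:4]))
        return "PORT", addr, fields[4] * 256 + fields[5]
    m = EPRT_RE.match(cmd)
    if m:
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        port = int(m.group(3))
        if port == 0 or port > 65535:
            return None
        # The protocol field must agree with the address family given.
        if addr.version != (4 if m.group(1) == "1" else 6):
            return None
        return "EPRT", addr, port
    return None


def format_port(addr, port):
    """Render an IPv4 address and port back into PORT syntax."""
    return "PORT %s,%d,%d\r\n" % (str(addr).replace(".", ","), port // 256, port % 256)


def format_eprt(addr, port):
    """Render an address and port back into EPRT syntax."""
    return "EPRT |%d|%s|%d|\r\n" % (1 if addr.version == 4 else 2, addr, port)


def proxy_rewrite(line, inside_net=INSIDE_NET, public_ip=PUBLIC_IP):
    """Return the control line the proxy should forward to the server.

    Only an address inside the NAT'd network (a client behind the firewall)
    is replaced by the public IP. A PORT/EPRT carrying any other address,
    such as an outside client's real public IP in the port-forward case,
    is forwarded unchanged, which is the behaviour the thread asked for.
    """
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return line
    verb, addr, port = parsed
    if addr.version == 4 and addr in inside_net:
        if verb == "PORT":
            return format_port(public_ip, port)
        return format_eprt(public_ip, port)
    return line


if __name__ == "__main__":
    for sample in (
        "PORT 203,0,113,5,4,1\r\n",        # outside client: must pass through
        "PORT 192,168,1,10,4,1\r\n",       # inside client: must be rewritten
        "EPRT |1|203.0.113.5|1025|\r\n",   # outside client, EPRT form
        "EPRT |1|192.168.1.10|1025|\n",    # inside client, bare LF ending
    ):
        print(repr(sample), "->", repr(proxy_rewrite(sample)))
```

    Running the block prints, for each constructed sample, whether the line is forwarded as-is or rewritten; the first and third samples (outside client) come out unchanged, the second and fourth (inside client) carry 198.51.100.1 instead.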



  • Can you try with the latest snapshots?
    Please upload your packet captures so I can see them. Actually it should work fine even with active FTP for the rdr case!



  • Just reproduced this with 2010-05-25 snap.

    Did a capture on both the public and private interfaces at the same time.  Although the FTP username and pass are exposed in the capture, it's a dummy server with a temporary account.

    The .txt files are tcpdump captures.  Any chance the upload filters on the system could be modified to allow xml and pcap files?

    The "clean" install on this box was 2010-05-17.

    nat.txt
    pub.txt



  • I renamed to pcap but they are truncated!



  • The binary format must not have been preserved when I posted them.  Nice security measure.  Bad for posting diagnostic files.

    I've sent you a PM with FTP access to a server that holds the files.  If there's a better way to get them to you, please let me know.



  • Can you try snapshots later than this post?



  • Sure - I'll see about grabbing one later tonight or tomorrow and setting it up.

    Would you like the packet captures again if the problem still exists?



  • It appears that you have resolved this issue.  Thank you very much!

    Both the PORT and EPRT commands come through correctly.

    I hadn't realized this previously, but I also see that clients behind pfSense using ACTIVE FTP are able to connect correctly without explicit firewall rules.  Nice work!

    I've tested both an upgrade (manual) and a clean install with images from the 2010-06-03-2033 time frame.
