FTP problem
-
Hi all,
I'm using 2.0-BETA5 (amd64) built on Sun Jan 16 17:14:50 EST 2011.
I have an FTP server (vsftpd) running behind pfSense, but I really can't connect to it; it times out after LIST.
The PASV command does not succeed. After some searching, I have found that an FTP helper is running, but not correctly. Is there a way to disable it in pfSense 2?
Thanks,
BLaise
-
Use the search before posting! Even on the first page of this forum is a topic related to your problem…
...ah. And welcome to the forum ;)
-
I've read this topic (and some others) but I can't see any solution. Is there no way to unload the helper from the kernel?
-
There is no solution as you can see in that thread. Just use a better method like FTPS or SFTP. Better and more secure…
-
Try latest snapshot.
It should work correctly now and there is a knob for disabling it if you want.
-
Question from a complete noob: With only FTPS, what do I do when I need to get a port from ftp://ftp.freebsd.org?
-
If I understand your question correctly, you need to use a client that supports FTPS, like FileZilla.
Roy…
-
@ermal:
Try latest snapshot.
It should work correctly now and there is a knob for disabling it if you want.

ermal, have not been able to locate the "knob". Can you please explain?
Roy…
-
debug.pfftpproxy just set it to 1 and it will disable it.
You might need to enter it under system->tunables if you do not have it in there.
-
thanks ermal! I'll give it a try.
Roy…
-
nanobsd - Wed Jan 19 12:45:14 - net5501:
passive FTP client --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works!
passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works! (only tested implicit mode)

pfSense side Notes:
1. 1:1 NAT, port 21 pass rule to FTP Server
2. 1:1 NAT, passive port range pass rule to FTP Server
3. 1:1 NAT, port 990 pass rule to FTP Server
4. debug.pfftpproxy set to 1
5. FTP Server configured to use its public IP for passive connections
6. FileZilla FTP Client.

Only did limited testing but with the above configuration I had zero problems!
Thanks ermal!
Roy...
-
Normally you should not have problems even without disabling the ftpproxy.
Did you try with the proxy active?
-
ermal,
I still had FTP problems with "Tue Jan 18 04:33:29" but as I did not see any mention of any new proxy fixes for "Wed Jan 19 12:45:14", I did not test that build before turning off the service. After the next build, I will re-enable it and re-test.
BTW, since it works fine with it off, what advantage is there to running the FTP proxy?
Roy…
-
The point of the proxy is that you do not open up a hole in your firewall with all these high-ports…if you can talk about security with ftp you should at least use that proxy...
-
Well, that makes sense. So with the proxy I don't need any port open to the FTP server, or just port 21? Also, do I use my FTP server's private or public IP when configuring its passive IP?
Thanks,
Roy…
-
The only thing that should be done is to NAT port 21 TCP to your server's private IP address. The proxy should handle everything else (also active or passive).
At least I know this function from other firewall products; I never used incoming FTP with pfSense. Well, as I've stated before, FTP should be exchanged with a more secure protocol like SSH…
-
well I normally only run my ftp server with my passive ports and port 990 open and use implicit FTPS exclusively. so will the ftp-proxy work with FTPS or will I still need to open my passive ports?
Roy…
-
It would not touch FTPS at all.
-
with only port 21 open and today's build - Jan 20 06:00:12 - and "debug.pfftpproxy" set to 0 (I assume that re-enables it), filezilla client returns:
Error: Connection timed out
Error: Failed to retrieve directory listing
Roy…