FTP problem



  • Hi all,

    I'm using 2.0-BETA5 (amd64) built on Sun Jan 16 17:14:50 EST 2011.
    I have an FTP server (vsftpd) running behind pfSense, but I really can't connect to the FTP server; it times out after LIST.
    The PASV command does not succeed.

    After some searching, I have found that an FTP helper is running, but not correctly. Is there a way to disable it in pfSense 2?

    Thanks,

    BLaise



  • Use the search before posting! Even on the first page of this forum there is a topic related to your problem…

    ...ah. And welcome to the forum ;)



  • @jlepthien:

    Use the search before posting! Even on the first page of this forum there is a topic related to your problem…

    ...ah. And welcome to the forum ;)

    I've read this topic (and some others) but I can't see any solution. Is there no way to unload the helper from the kernel?



  • There is no solution as you can see in that thread. Just use a better method like FTPS or SFTP. Better and more secure…



  • Try latest snapshot.
    It should work correctly now and there is a knob for disabling it if you want.



  • Question from a complete noob: with only FTPS, what do I do when I need to get a port from ftp://ftp.freebsd.org?



  • If I understand your question correctly, you need to use a client that supports FTPS, like FileZilla.

    Roy…



  • @ermal:

    Try latest snapshot.
    It should work correctly now and there is a knob for disabling it if you want.

    ermal, I have not been able to locate the "knob". Can you please explain?

    Roy…



  • debug.pfftpproxy: just set it to 1 and it will disable it.

    You might need to enter it under system->tunables if you do not have it in there.



  • thanks ermal!  I'll give it a try.

    Roy…



  • nanobsd - Wed Jan 19 12:45:14 - net5501:

    passive FTP client  --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works!
    passive FTPS client --- {NAT - m0n0wall} --- (internet) --- {pfSense - 1:1 NAT} --- {FTP Server} => Works!  (only tested implicit mode)

    pfSense side Notes:

    1.  1:1 NAT, port 21 pass rule to FTP Server
    2.  1:1 NAT, passive port range pass rule to FTP Server
    3.  1:1 NAT, port 990 pass rule to FTP Server
    4.  debug.pfftpproxy set to 1
    5.  FTP Server configured to use its public IP for passive connections
    6.  FileZilla FTP Client.

    Only did limited testing but with the above configuration I had zero problems!

    Thanks ermal!

    Roy...



  • Normally you should have no problems even without disabling the ftpproxy.
    Did you try with the proxy active?



  • ermal,

    I still had FTP problems with "Tue Jan 18 04:33:29", but as I did not see any mention of any new proxy fixes for "Wed Jan 19 12:45:14", I did not test that build before turning off the service. After the next build, I will re-enable it and re-test.

    BTW, since it works fine with it off, what advantages are there to running the FTP proxy?

    Roy…



  • @rpsmith:

    ermal,

    I still had FTP problems with "Tue Jan 18 04:33:29", but as I did not see any mention of any new proxy fixes for "Wed Jan 19 12:45:14", I did not test that build before turning off the service. After the next build, I will re-enable it and re-test.

    BTW, since it works fine with it off, what advantages are there to running the FTP proxy?

    Roy…

    The point of the proxy is that you do not open up a hole in your firewall with all these high ports… if you can talk about security with FTP at all, you should at least use that proxy...



  • Well, that makes sense. So with the proxy, do I not need any port open to the FTP server, or just port 21? Also, do I use my FTP server's private or public IP when configuring its passive IP?

    Thanks,

    Roy…



  • The only thing that should be done is to NAT port 21/tcp to your server's private IP address. The proxy should handle everything else (also active or passive).
    At least I know this function from other firewall products; I never used incoming FTP with pfSense. Well, as I've stated before, FTP should be exchanged for a more secure protocol like SSH…



  • Well, I normally only run my FTP server with my passive ports and port 990 open and use implicit FTPS exclusively. So will the ftp-proxy work with FTPS, or will I still need to open my passive ports?

    Roy…



  • It would not touch FTPS at all.



  • With only port 21 open and today's build - Jan 20 06:00:12 - and "debug.pfftpproxy" set to 0 (I assume that re-enables it), the FileZilla client returns:

    Error: Connection timed out
    Error: Failed to retrieve directory listing

    Roy…

