Internal FTP WOES pfsense 2.0RC3



  • A little setup background: we have two firewalls, a perimeter and an internal firewall. Our DMZ sits on the perimeter firewall.
    We recently upgraded to 2.0RC3, and now our FTP is having trouble. It's not a terribly big deal since the service is legacy and being removed, but users needed to download their data to do this. Now they can't.

    Note: external access has been shut off and the external DNS entries removed, so that only internal traffic to and from the FTP server is allowed.

    Access on the DMZ subnet to the FTP server is fine.

    Testing from the LAN on the internal firewall:
    telnet to FTP is fine
    ftp ftp.co.com
    connects and prompts for username/password
    connects fine

    [root@mrburns ~]# nslookup ftp.co.com
    Server:        dns-server
    Address:        192.168.6.19#53

    Name:  ftp.co.com
    Address: 192.168.7.84

    Note: look at the passive line and then the address. Where is it pulling this
    address from? It's one of our old external ISP addresses.

    ftp> ls
    227 Entering Passive Mode (174,79,191,171,78,34)
    ftp: connect: Connection refused

    [root@mrburns ~]# ftp 192.168.7.84
    Connected to 192.168.7.84.
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 6 allowed.
    220-<<
    220-%                        UNAUTHORIZED ACCESS IS PROHIBITED
    220-This system is for the use of authorized users only.
    220-Company resources, including computers, communications equipment, and
    associated devices (e.g., internet, electronic mail, voice mail, copiers,
    facsimile machines) are to be used for company business purposes.
    220-Personal use of Company resources is permitted if it is incidental to
    the employee's workday, does not occur during chargeable work-time, is of
    limited and reasonable duration and frequency, and does not interfere with
    or adversely affect the user's or another employee's job performance or
    other operational requirements.
    220-Use of these systems constitutes acknowledgement and consent to company
    monitoring of these systems.
    220-Unauthorized release of classified or controlled unclassified
    information while using these systems, such as release of information
    requiring an export license, constitutes a security violation.
    220-Employees must report security violations and improper use of Company
    resources to the Security Department.
    220->>
    220-Local time is now 13:04. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 3 minutes of inactivity.
    500 This security scheme is not implemented
    500 This security scheme is not implemented
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.7.84:root): user
    331 User jpsd OK. Password required
    Password:
    230-Your bandwidth usage is restricted
    230-User user has group access to:  1001
    230 OK. Current directory is /
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (174,79,191,171,78,44)
    ftp: connect: Connection refused
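The failure in the post is visible in the 227 reply itself: the control connection went to 192.168.7.84, but the server tells the client to open the data connection to 174.79.191.171 port 78*256+34 = 20002, and the client's "connect: Connection refused" is the result. The script below is an added example, not code from the post or from pfSense or Pure-FTPd: it parses a PASV reply the way an RFC 959 client does, compares the advertised data address with the address the control connection actually reached, and flags a private/public mismatch of exactly this kind. The "safe" data address it reports is the control-connection peer, which is what a client run with curl's --ftp-skip-pasv-ip option uses in place of the advertised host. The sample reply and peer address are copied from the post; the second reply checked in the usage call is the (78,44) one from the second session. The note about a forced passive address refers to Pure-FTPd's ForcePassiveIP setting (the banner in the post identifies Pure-FTPd); that this server has such a setting is an assumption, not something the post states.

```python
import ipaddress
import re

# Constructed sample input, copied from the post: the 227 reply the server
# sent, and the address the control connection was actually opened to.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (174,79,191,171,78,34)"
SAMPLE_CONTROL_PEER = "192.168.7.84"

# RFC 959 PASV reply: six decimal byte values h1,h2,h3,h4,p1,p2 somewhere
# after the 227 code. The surrounding text is not standardised, so only the
# six numbers are relied on.
_PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = _PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of byte range: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0: %r" % reply)
    return host, port


def diagnose_pasv(reply, control_peer):
    """Compare the advertised data address with the control-connection peer.

    Returns a dict with the parsed values, a verdict ("ok" or "mismatch"),
    a short note, and data_host: the address a client that ignores the
    advertised host (as curl --ftp-skip-pasv-ip does) would connect to.
    """
    adv_host, port = parse_pasv(reply)
    adv = ipaddress.ip_address(adv_host)
    peer = ipaddress.ip_address(control_peer)
    result = {
        "advertised_host": adv_host,
        "data_port": port,
        "control_peer": control_peer,
        # Safest fallback: reuse the control peer for the data connection.
        "data_host": control_peer,
    }
    if adv == peer:
        result["verdict"] = "ok"
        result["note"] = "server advertises the address the client connected to"
    elif adv.is_private != peer.is_private:
        result["verdict"] = "mismatch"
        result["note"] = (
            "server advertises %s to a client that reached it at %s; a "
            "private/public split like this usually means a forced passive "
            "address on the server (Pure-FTPd ForcePassiveIP, assumed here) "
            "or an FTP NAT helper rewriting the reply" % (adv_host, control_peer)
        )
    else:
        result["verdict"] = "mismatch"
        result["note"] = (
            "server advertises %s but the client reached it at %s; the data "
            "connection will go to a different host than the control one"
            % (adv_host, control_peer)
        )
    return result


if __name__ == "__main__":
    for reply in (SAMPLE_PASV_REPLY,
                  "227 Entering Passive Mode (174,79,191,171,78,44)"):
        r = diagnose_pasv(reply, SAMPLE_CONTROL_PEER)
        print("%s -> %s:%d [%s] use %s:%d" % (
            reply, r["advertised_host"], r["data_port"], r["verdict"],
            r["data_host"], r["data_port"]))
        print("   " + r["note"])
```

Running it against the two replies in the post reports both as a mismatch with data port 20002 and 20012 respectively, and suggests 192.168.7.84 as the host to open the data connection to. If the same check run from the DMZ subnet reports "ok", the advertised address is being rewritten somewhere between the server and the LAN client rather than set on the server; if it still reports the old ISP address, the server's own passive-address configuration is the place to look.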



  • Is traffic being rejected on the perimeter or the internal firewall?


Locked