I'm fried - Need some VSFTP help



  • I know RTFM but for some reason it's not sticking or I'm doing something out of order or just have my head firmly planted…

    I'm running pf 1.2.3 with a single WAN connection (multiple virtual IPs), a DMZ (opt1) and a LAN.

    VSFTPD is running on a CentOS 5.6 64-bit box.  I'm running with SSL and forcing it for both login and data transfers.

    From a CentOS box in the DMZ using lftp I can connect.
    From a WinXP box on the LAN, using CoreFTP or Filezilla I can connect, but ONLY after I disable the FTP Helper on the DMZ and LAN.  Until I did that, the client would get connected, but then the TLS session creation would space out and get lost somewhere along the way.

    Feeling successful, I added a virtual IP and WAN rules to let it through to the DMZ address for 21 and for the PASV port range I've defined, and I get nowhere.  I disabled the FTP Helper on WAN and didn't get any further.  I tried as per the pfSense FTP instructions and switched over to a CARP address, turned off SSL and was able to get connected.  Turned SSL back on and no go.

    I've since decided to roll back everything and now I'm stuck waiting for an opportunity to reboot the firewall, since I deleted the CARP address and wasn't aware it had to bounce.  So while I'm waiting to reboot (which won't be until first thing Monday) I figured I'd drop a line here and try to get someone to explain it to me like I'm an f'ing moron: speak slowly, use small words and don't assume for a second that I know what you're talking about.  I've gotten so beat up by this I've developed a limp.

    For a point of reference, let's say these are my IPs:

    Public IP for FTP: 12.34.56.78
    DMZ FTP IP: 192.168.140.50 (so gateway for DMZ is 192.168.140.1)

    Please?  ???



  • OK so finally figured out WTF my problem was.

    Disabling the FTP helper and simply making a port forward with rules (including passive) got me working.

    Long story short, the issue was a M$ ISA server that corporate uses as their firewall which was screwing up my TLS session with its own FTP rules (local routing).
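
The reason the helper had to go, and the check that tells you whether the replacement port forward will actually carry data, as an added example that is not part of the original thread: with FTPS the control channel is encrypted, so neither the pfSense FTP helper nor the ISA server can read or rewrite the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply. The server itself therefore has to advertise the public address and a port inside the range that is statically forwarded to the DMZ host (in vsftpd that is `pasv_address`, `pasv_min_port` and `pasv_max_port`). The script below parses a 227 reply and flags the two things that go wrong behind NAT. The public IP 12.34.56.78 comes from the post; the passive range 50000-50100, the hostname and the credentials in `live_pasv_check` are assumptions for illustration, and the 227 replies in the test are constructed.

```python
import re
from ipaddress import ip_address

# Added example, not code from the thread or from pfSense/vsftpd.
# A 227 reply carries the data endpoint as six decimal octets:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
# and the port is p1*256 + p2.  Over TLS the firewall cannot rewrite it,
# so the advertised address/port must already be reachable from outside.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply; raise ValueError if it is malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no host/port tuple in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    ip = f"{h1}.{h2}.{h3}.{h4}"
    ip_address(ip)  # rejects octets above 255
    port = p1 * 256 + p2
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range in reply: {reply!r}")
    return ip, port


def check_pasv(reply: str, public_ip: str, pasv_min: int, pasv_max: int):
    """Return a list of problems; an empty list means a static forward of
    public_ip:pasv_min-pasv_max to the DMZ host will carry the data channel."""
    problems = []
    ip, port = parse_pasv(reply)
    if ip != public_ip:
        if ip_address(ip).is_private:
            problems.append(
                f"server advertises private address {ip}; "
                f"set vsftpd pasv_address={public_ip}"
            )
        else:
            problems.append(f"server advertises {ip}, expected {public_ip}")
    if not pasv_min <= port <= pasv_max:
        problems.append(
            f"port {port} is outside the forwarded range {pasv_min}-{pasv_max}; "
            f"set vsftpd pasv_min_port/pasv_max_port to match the WAN rules"
        )
    return problems


def live_pasv_check(host, user, password, public_ip, pasv_min, pasv_max, port=21):
    """Ask a real FTPS server for a passive endpoint and check it (needs network;
    host and credentials are assumptions, not values from the thread)."""
    from ftplib import FTP_TLS

    ftps = FTP_TLS()
    ftps.connect(host, port, timeout=10)
    ftps.login(user, password)   # issues AUTH TLS first, then USER/PASS over TLS
    ftps.prot_p()                # PROT P: data channel encrypted too, as in the post
    reply = ftps.sendcmd("PASV")
    ftps.quit()
    return reply, check_pasv(reply, public_ip, pasv_min, pasv_max)


if __name__ == "__main__":
    # Constructed replies: the second is what a server behind NAT sends when
    # pasv_address is left unset, which is exactly what the helper used to fix.
    for r in ("227 Entering Passive Mode (12,34,56,78,195,80).",
              "227 Entering Passive Mode (192,168,140,50,195,80)."):
        print(r, "->", check_pasv(r, "12.34.56.78", 50000, 50100) or "OK")
```

One caveat that follows from this: once `pasv_address` is pinned to the public IP, clients that reach the server by its DMZ address (like the lftp box in the post) are also handed 12.34.56.78 in the 227 reply, so they need to be able to reach the public address from inside or the data channel fails for them instead.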

