FTP from LAN to highport FTP server on WAN
-
Hello guys,
I finally managed to upgrade from 1.2 version of pfsense to 2.0. New version is even more impressive then the old one. Great job!
While setting up the 2.0, I decided to tighten my FW rules. So I disabled the default LAN –-allowed-> any rule and instead added rules for the protocols I need e.g. SMTP, IMAP and so on.
Everything works fine but I've encountered some problems with connections from LAN clients to passive FTP servers that listen to non standard ports on the WAN interface. I opened the port to connect, let's assume 30000, so theres a rule:
LanNet allow TCP to any on port 30000
Since we're talking passive mode, the client will receive a port to connect to from the server (data connection). This could be any port >1024 I assume, but it's most of the time limited to the passive range the ftp server is allowed to use. Problem: I don't know the passive port range of the server and therefore can't allow the needed ports only + I don't want to permanently allow connections to all ports >1024.
When the servers listens to the standard ftp port 21, instead of a high port, everything works fine. Is there some connection tracking involved? Is there a way to make it work when connecting to high ports as well? I read the FTP Troubleshooting FAQ and other posts in the forum, but didn't find any proper solution yet.
Help would be greatly appreciated!
Came up with the following solution myself, but it isnt satisfying:
- Connect to ftp from a dedicated LAN client and allow all outgoing traffic from that dedicated client (single host via static IP)
==================
- Well another option would be to allow all outbound connections >1024 for the specific ftp server by IP
But still I think there should be a way to dynamically open the needed ports by looking for the required data ports in the control data stream..
==================
I guess I'll just create an alias with ftp server ip's and connection/data ports and setup a rule accordingly.
-
Are you using ftp helpers?
It might be your solution.
I saw in some posts that you may need to enable helpers on wan and disable on lan.
Take a look at advanced settings.
-
Hello marcelloc,
Thanks for your reply. I can't find the FTP Helper in pfsense v 2.0 at all.
In the advanced tab, there's only TFTP Helper and the "debug.pfftpproxy - Disable the pf ftp proxy handler"-Tunable, but you can't set an interface there.
Am I missing something? As I remeber one used to configure the FTP Helper on the Interface itself. Option is not there anymore..
-
the problem is that ftp is a high random port. >1024 you have to either use the ftp helper, which I cannot find either, or allow more that just port 30000. Before I switched to BSD, Linux had/has a builtin help called conntrack_ftp or something like that. pfSense and BSD has been secure enough I have not had to deal with out port restriction yet. Course I am also running snort to catch anything also.
-
The FTP helper as is today does not fix ftp communication outside servers not listening on port 21
-
I think he means connecting on port 21 and using passive ftp. This is what the ftp help did in the past for both server and client behind pfsense. does the ftp help just not exist any longer? Cause I cannot find it either way.
-
@podilarius: I know how passive ftp works. I'm connecting from a LAN side client to a WAN side passive ftp server that is listening for incoming connections on a HIGH port >1024 – NOT port 21. For this to work I'd have to open the port on which I connect to the server (e.g. 30000) + all ports >1024 for PASV data transfer on the LAN interface and thats exactly what I DON'T want to do. As mentioned FTP Helper would help with this, but since it doesnt track FTP connections on high ports (as Ermal mentioned) it's useless in this scenario.
@ermal: thanks for clearing this up. Already thought that FTP helper would only work when using port 21.
===
My solution for now: Connecting to the FTP through a socks proxy which isn't restricted as much as the LAN side clients.
===
Please let me know if there's any "better" way to do this.