
    Setting up FTP

hmcmahan

I realize this has probably been covered, but during my search I never found the actual step-by-step process for setting up FTP rules through a pfSense firewall.
Let me start: I have set up an FTP server on a Windows 2008 R2 server that works fine on my LAN.
I am running pfSense 1.2.3. (I know that is one of my problems; there is a newer version and I should upgrade. I will think about that tomorrow once I get people off my back about the problem today.) I have created a rule allowing port 21 and I have created a NAT to my inside machine. I can log in and connect, but I cannot do anything else. If I try to browse the folder or anything, I get a message that an error occurred opening that folder on the FTP server. Make sure you have permission to access that folder. Details: the connection with the server was reset.
It is probably something I am totally overlooking, but if someone has a step-by-step that any semi-literate person could follow, it would be a great help.

Thanks in advance.
HM

johnpoz (LAYER 8 Global Moderator)

And are you doing an active or passive connection to your FTP server from outside?

You really need to understand the basics of FTP if you want to get it to work through a NATting firewall.

Here is a great write-up on active vs passive FTP:

http://slacksite.com/other/ftp.html

21 is just the control channel; data, like a dir listing or the actual transfer of a file, would be using the data channel. Read the above link to understand how the data channel is different between an active and a passive connection.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

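As an added illustration of the control-channel vs data-channel point above (example code written for this thread, not from the original posts or from pfSense): a small Python parser for the server's PASV reply and the client's PORT command, using constructed sample messages, that reports who opens the data connection, which port it lands on, and whether the advertised address is RFC 1918 and so needs the NAT helper to rewrite it.

```python
import ipaddress
import re

# Constructed sample control-channel messages (not taken from the thread):
# a server's reply to PASV, and a client's PORT command for active mode.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,50,195,80)."
PORT_CMD = "PORT 203,0,113,7,4,1"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(message):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by 227 replies and PORT commands."""
    m = _TUPLE.search(message)
    if not m:
        raise ValueError("no host/port tuple in %r" % message)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def is_rfc1918(host):
    """True if the advertised address is private, i.e. unreachable for a peer across NAT."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in _RFC1918)


def data_channel(message):
    """Say who opens the data connection and what the firewall has to let through."""
    host, port = parse_hostport(message)
    if message.startswith("227"):
        # Passive: the client opens a new connection to the port the server
        # picked, so the port-21 forward alone is not enough; the FTP helper
        # has to admit this port and rewrite a private advertised address.
        return {"mode": "passive", "initiator": "client", "target": host,
                "target_port": port, "inbound_rule_needed": True,
                "helper_rewrite_needed": is_rfc1918(host)}
    if message.upper().startswith("PORT"):
        # Active: the server connects out from port 20 to the client's address,
        # an outbound connection from the LAN, so no inbound port-20 rule is needed.
        return {"mode": "active", "initiator": "server", "target": host,
                "target_port": port, "inbound_rule_needed": False,
                "helper_rewrite_needed": is_rfc1918(host)}
    raise ValueError("not a PASV reply or PORT command: %r" % message)


if __name__ == "__main__":
    for msg in (PASV_REPLY, PORT_CMD):
        print(msg, "->", data_channel(msg))
```

Running it shows the sample passive reply advertising 192.168.1.50:50000, exactly the case where a client outside gets "connection reset" unless the helper rewrites the address and admits the data port.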
hmcmahan

It should only be passive, as this is just going to be a file repository so as to move files from point A to point B.
Everything is working fine behind the firewall, and ordinarily I'd say done, but we have some people who say they need access from the outside to move graphics and data.
I have created a rule opening ports 20 and 21, but when I try to connect from the outside, I keep getting a connection reset error.
Any suggestions would be greatly appreciated.
Hal

johnpoz (LAYER 8 Global Moderator)

You DON'T need a 20 rule – did you even read the article?

And are you connecting active or passive from the outside? What client are you using? This determines if you're opening up an active or passive data channel.


gderf

I know you want FTP, but as you are discovering, this protocol has problems with NAT. If both the server and client are behind a NAT then it may never work without a helper proxy somewhere.

All these problems can be avoided with SFTP, which requires only one TCP port and is immune to problems with NAT. It just works. It's also secure.

johnpoz (LAYER 8 Global Moderator)

^ Agree, I would never open up FTP into my network, unless it was just pure anonymous read access to grab files I wanted the public to have. If I wanted a secure way to access files, then I would use SFTP.

But on the other hand, opening up FTP is not all that difficult. You normally should only have to forward 21, and the helper in pfSense should work for you. Literally it should take you 1 click to do the port forward and you should be good.

But sure, with NAT on both ends, sometimes multiple NATs with users at their homes that don't know any better, the protocol can have issues - especially when the person trying to host it doesn't really understand how it works in the first place ;)


gderf

Freely available SSH server and client software (that also handle SFTP) have effectively deprecated FTP, and solve any and all NAT difficulties commonly encountered with FTP. I can't think of any reasonable excuse not to run SSH/SFTP.

johnpoz (LAYER 8 Global Moderator)

While I agree - if the purpose of the server is to distribute files to anon users, then SSH would not be a good choice.

But sure, if you're going to require auth, then I can see no reason not to use SFTP over FTP. It does make getting through NATs much easier ;)


gderf

Users would have to be told somehow that what they are looking for is on some FTP server with anonymous access.

There is no reason they could not be told that what they are looking for is on an SFTP server with the username/password specified in the same message.

Also, many SSH implementations allow for pre-login banner customization where the login credentials for anonymous SFTP access can be provided. See:

http://www.cyberciti.biz/tips/change-openssh-sshd-server-login-banner.html

johnpoz (LAYER 8 Global Moderator)

^ While true, it would require the user that wants to access said file to have an SFTP client. If using FTP to distribute files, all that is required is a simple URL that any browser can access, without the user doing or knowing anything or having to put in any credentials.

And it could be just a simple link on a website; the user would really not even know if the file was being accessed via FTP or HTTP, etc.

I hear you, and I too agree FTP is very near the end of its usefulness. If I needed to distribute anon files I would do it via HTTP most likely vs using FTP. If I needed to control access, then I would use SFTP or an HTTP site requiring auth, to make it easier for users that don't have an SFTP client or, to be honest, are just your typical stupid users. There is no possible way you could get my wife to figure out how to access an SFTP site on a machine without a client. Just not going to happen, no matter how easy you think you make it by giving out credentials in a banner - for starters she would have to see the banner with the credentials ;) How is she going to see that in a default Windows OS?


gderf

If everything everywhere was restricted to be compatible with the capabilities of the least common denominator user, there would be no progress or advancement in anything because none would be needed.

johnpoz (LAYER 8 Global Moderator)

I hear ya ;) You could make the argument that people too stupid to use SFTP don't need my file in the first place. Guess it depends on the makeup of your target audience.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.