Pftpx for routed firewall applications



  • Is anyone successfully using pftpx on a 1.0.1 or 1.2RC3 box in an environment with NO NAT to intelligently allow ftp through? I have a nearly full /24 of FTP servers all on public IP space. At the moment I have 21 and 1024:65535 open to these servers. But some of them have other services open on ports in the 1024:65535 range.

    I have found very little in the way of how-to's and man pages on doing this. The pftpx manpage makes this sound easy, but if it is easy, why is the functionality not included in pfSense?
    Am I just a shellcmd away from having this running? Or is this planned in an upcoming release? 1.3 maybe?

    Thoughts?



  • OK,
    This was pretty easy. Here is how I did this on 1.0.1:

    1.) Disable ftp-helper on all interfaces.
    2.) Start pftpx with no flags (i.e. # pftpx), or start it with the shell command window in the diagnostics menu.
    3.) Create a redirect rule redirecting all TCP traffic to port 21 (ftp in the port dropdown) to 127.0.0.1 port 8021.
        (Select the check box to auto-create the firewall rules.)

    This took care of it. Now I can make connections to any ftp server that I have an "allow ftp" rule for. Both passive and active.
    Much cleaner than having to open a lot of high ports to allow passive.

    This would be a great option to add into 1.2 final. It is VERY simple to enable and could probably easily be set up as an option to the ftp helper setting that already exists.
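    The same setup written out as pf.conf rules, as an added example rather than anything posted in this thread or generated by pfSense. The interface name and the server block are assumptions; pftpx listening on 127.0.0.1 port 8021 with an anchor named "pftpx" is its documented default, so check the pftpx manpage on your box.

```pf
# Added example (not from the thread): pf.conf equivalent of the three steps
# above on a routed firewall with no NAT. Interface and address block are
# assumed values; pftpx must already be running (step 2).
wan_if      = "fxp0"          # assumption: the interface facing FTP clients
ftp_servers = "192.0.2.0/24"  # constructed example block of FTP servers

# Before: the blunt rule set from the first post. The second rule also
# exposes every other service those hosts run in the 1024:65535 range.
# pass in on $wan_if proto tcp from any to $ftp_servers port 21
# pass in on $wan_if proto tcp from any to $ftp_servers port 1024:65535

# After: hand the FTP control channel to pftpx. It watches PORT/PASV and
# inserts per-session rules for each data connection into its anchor, so
# the whole high-port range stays closed. Translation rules come first.
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $wan_if proto tcp from any to $ftp_servers port 21 \
    -> 127.0.0.1 port 8021

# Filtering: pftpx's dynamically added rules are evaluated here.
anchor "pftpx/*"

# The "rdr pass" above already passes the redirected control traffic; if you
# use a plain "rdr" instead, filter on the post-redirect destination:
# pass in on $wan_if proto tcp from any to 127.0.0.1 port 8021
```

    Check what pftpx inserts while a transfer is running with pfctl -a "pftpx/*" -sr (nested anchors: pfctl -a pftpx -sA), which is also how you confirm the data channel is being opened per session rather than via a standing rule.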



  • This has been working well for 2 days now. LOTS of connections going through it. (100s of thousands) 
    I think I am missing something. This is a fairly common need, but I haven't been able to find any other posts about people setting up this functionality.
    Why isn't this in the default install? Am I missing something here? Did I just break something badly that I will regret on Monday?



  • Huuuuuuuuuge thanks

    It's been a week now that I'm messing with pfSense in front of several FTP servers and all connections were dropped. I have LAN and WAN bridged, no NAT (public addresses everywhere).

    Your setup works perfectly.

    Just a little question: how do you start pftpx on pfSense reboot?



  • Regis,
    I added an RC script. I would prefer to add this into the config.xml file, but every time I save the config, the <shellcmd> I add gets overwritten. I can dig it up for you in the morning if that would help.

    I have had this up and running since the day I started this thread. I currently have over 20,000 concurrent FTP sessions going through it. It has been very stable. Pftpx is much nicer than ftp-proxy.



  • Thanks for your answer, Vantage.

    Yes, I would be interested in seeing how you manage the pftpx start.

