Netgate Discussion Forum
    Active FTP Egress Filtering Issues in 2.2?

2.2 Snapshot Feedback and Problems - RETIRED
asayler

I'm not 100% sure whether this is a 2.2 issue, or me just having a bad config. Feel free to direct me elsewhere if the latter…

I'm trying to do egress filtering on all of my LAN to Internet traffic (e.g. I removed the default Allow All to Any LAN rule). I've been able to make this work by adding explicit LAN egress rules for all the standard protocols (e.g. SSH, HTTP, HTTPS, DNS, etc.). I'm not having any luck with FTP, however. I've set up a rule to allow all TCP traffic using port 21 (FTP) on the LAN interface from the LAN network to any destination. Yet I am still unable to access any FTP sites via Google Chrome (e.g. ftp://ftp.netscape.com/). I haven't tried with a dedicated FTP client yet, or tested active vs. passive FTP (I assume it's trying to use active right now).

It's my understanding that pfSense includes the PF FTP proxy to deal with the thorny issue (e.g. opening up the negotiated random return ports, etc.) of allowing an outgoing FTP connection. Is it possible there's an issue with this in 2.2? Or have I just misconfigured something?

      Has anyone had luck allowing LAN->Internet Active FTP traffic in 2.2 when using LAN egress filtering?

      I'm testing with:

      2.2-ALPHA (amd64)
      built on Fri Jul 04 18:41:44 CDT 2014

jimp (Rebel Alliance Developer, Netgate)

        The proxy would normally take care of the high ports for active mode, but I don't think it does the same for passive mode. My memory is a bit fuzzy on that one, but I seem to recall having to pass out connections to high ports before.

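To make the active/passive distinction in the reply above concrete, here is an added example (not code from the thread or from pfSense/ftp-proxy). It decodes the two control-channel messages that set up an FTP data connection, the client's PORT command and the server's 227 reply, both encoded as h1,h2,h3,h4,p1,p2 per RFC 959 with the port being p1*256 + p2, and then asks whether a LAN egress policy that allows only a fixed set of TCP destination ports would pass the resulting data connection without any proxy. The sample lines are constructed, not captured from the poster's setup.

```python
import re
from dataclasses import dataclass
from typing import Container, Iterable, Optional, Tuple

# Constructed sample control-channel lines in the RFC 959 formats; they are
# not captured from the poster's pfSense install.
SAMPLE_PORT_COMMAND = "PORT 192,168,1,50,195,80\r\n"
SAMPLE_227_REPLY = "227 Entering Passive Mode (205,188,71,73,156,23).\r\n"

# h1,h2,h3,h4,p1,p2: four address octets, then the port as p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?" + _HOSTPORT)


@dataclass(frozen=True)
class DataChannel:
    """The TCP data connection that a PORT command or 227 reply sets up."""
    mode: str        # "active" or "passive"
    host: str        # address the data connection will be made to
    port: int        # destination port of the data connection
    initiator: str   # "server" (active mode) or "client" (passive mode)


def _decode(fields: Iterable[str]) -> Tuple[str, int]:
    """Turn the six comma-separated fields into (dotted address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in host-port encoding")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_port_command(line: str) -> DataChannel:
    """Active mode: the client names a LAN-side port the server must connect back to."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("active", host, port, "server")


def parse_pasv_reply(line: str) -> DataChannel:
    """Passive mode: the server names a (normally high) port the client must connect out to."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("passive", host, port, "client")


def lan_egress_permits(channel: DataChannel,
                       allowed_dst_ports: Container[int]) -> Optional[bool]:
    """Would a LAN->WAN policy allowing only these TCP destination ports pass
    the data connection, with no FTP proxy in the path?

    Returns None for active mode: that connection is opened by the server
    *into* the LAN, so LAN egress rules never evaluate it; something on the
    WAN side (the ftp-proxy / NAT the thread discusses) has to admit it.
    For passive mode the client connects outbound, so the rule set decides.
    """
    if channel.mode == "active":
        return None
    return channel.port in allowed_dst_ports


if __name__ == "__main__":
    # The poster's style of policy: one rule per well-known service port.
    strict_egress = {21, 22, 53, 80, 443}
    for ch in (parse_port_command(SAMPLE_PORT_COMMAND),
               parse_pasv_reply(SAMPLE_227_REPLY)):
        print(ch, "-> LAN egress permits:", lan_egress_permits(ch, strict_egress))
```

Run as a script, the passive channel to port 39959 is reported as blocked by a port-21-only policy, which is the failure mode described in the thread; the active channel is reported as not an egress question at all, which is why it depends on the proxy rather than on LAN rules.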
asayler

Yeah, I wasn't getting it to work in either active or passive mode. Disabling egress filtering allows both to work fine. Unfortunately, I don't have a 2.1 install handy to try to replicate the issue there to see if it's just me or if it's 2.2. But my initial impression is that the FTP proxy seems to not be working correctly in 2.2.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.