Active FTP Egress Filtering Issues in 2.2?
  • I'm not 100% sure whether this is a 2.2 issue, or me just having a bad config. Feel free to direct me elsewhere if the latter…

    I'm trying to do egress filtering on all of my LAN to Internet traffic (e.g. I removed the default Allow All to Any LAN rule). I've been able to make this work by adding explicit LAN egress rules for all the standard protocols (e.g. SSH, HTTP, HTTPS, DNS, etc). I'm not having any luck with FTP, however. I've set up a rule to allow all TCP traffic using port 21 (FTP) on the LAN Interface from the LAN Network to Any destination. Yet I am still unable to access any FTP sites via Google Chrome (e.g. ftp://ftp.netscape.com/). I haven't tried with a dedicated FTP client yet, or tested active vs passive FTP (I assume it's trying to use active right now).

    It's my understanding that pfSense includes the PF FTP proxy to deal with the thorny issue (e.g. opening up the negotiated random return ports, etc) of allowing an outgoing FTP connection. Is it possible there's an issue with this in 2.2? Or have I just misconfigured something?

    Has anyone had luck allowing LAN->Internet Active FTP traffic in 2.2 when using LAN egress filtering?

    I'm testing with:

    2.2-ALPHA (amd64)
    built on Fri Jul 04 18:41:44 CDT 2014


  • Rebel Alliance Developer Netgate

    The proxy would normally take care of the high ports for active mode, but I don't think it does the same for passive mode. My memory is a bit fuzzy on that one, but I seem to recall having to pass out connections to high ports before.
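As an added illustration of why a static "allow TCP/21 out" rule cannot cover FTP on its own (this is example code, not from the thread or from pfSense): the script below parses the two control-channel messages that negotiate the data channel, the client's PORT command in active mode and the server's 227 reply in passive mode, and reports the extra connection each one implies. The sample lines and addresses are constructed.

```python
import re

# Constructed sample control-channel lines (not from a real capture):
# an active-mode PORT command from the client and a passive-mode 227 reply.
SAMPLE_PORT_CMD = "PORT 192,168,1,50,195,80"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,39,17)."

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an RFC 959 h1,h2,h3,h4,p1,p2 tuple, else None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection that an 'allow tcp/21 out' rule never sees.

    Active: client sends PORT, server connects *back* from port 20 to the
    advertised client port (inbound to the LAN).  Passive: server answers 227,
    client connects *out* to the advertised server port (random high port).
    'peer_ok' says whether the advertised address matches the control-channel
    peer; a mismatch (e.g. a NATed server) is what a proxy usually rewrites.
    """
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        return {"mode": "active", "direction": "inbound",
                "src": (server_ip, 20), "dst": (ip, port),
                "peer_ok": ip == client_ip}
    if line.startswith("227"):
        hp = parse_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        return {"mode": "passive", "direction": "outbound",
                "src": (client_ip, None), "dst": (ip, port),
                "peer_ok": ip == server_ip}
    return None

if __name__ == "__main__":
    for l in (SAMPLE_PORT_CMD, SAMPLE_PASV_REPLY):
        print(data_channel(l, "192.168.1.50", "198.51.100.7"))
```

Run against the two constructed lines it shows the inbound server-to-client connection that active mode needs and the outbound client-to-high-port connection that passive mode needs, which is exactly what the FTP proxy (or an explicit high-port rule) has to permit.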



  • Yeah, I wasn't getting it to work in either active or passive mode. Disabling egress filtering allows both to work fine. Unfortunately, I don't have a 2.1 install handy to try to replicate the issue there to see if it's just me or if it's 2.2. But my initial impression is that the ftp proxy seems to not be working correctly in 2.2.