Client side FTP Passive Mode after Upgrade to 2.2
-
In pfSense 2.2 there is no ftp proxy. That is tough. What is worse is that, because of my ruleset, no passive mode ftp would work after the upgrade. The proxy was enabling the handling of the data channel. When this works, it works.
When the proxy is gone and the ruleset does not allow addresses above 1024 to be used, there are problems. Specifically, in your ftp client you will connect, log in, and then no directory listing will appear. Our systems most often use FileZilla, which immediately generates a directory listing command. This will time out if the ports are blocked.
So my fix was to go back to the LAN side rule that controls file transfers. I originally set it up with aliases, so I went back to the alias assigned to the ports and added a new line to that alias that, in addition to ports 20, 21, and 22, also allows ports 1024:65535. That fixes the passive ftp data channel problem.
I don't like this fix, because it feels like a big outgoing hole for stuff to try to go out through.
How can I tighten this back up without breaking passive ftp?
Thanks! ;D
-
Short answer: Don't use FTP.
Long answer: Check the port range used on the server and only open those. Though still, don't use FTP.
-
> Short answer: Don't use FTP.
> Long answer: Check the port range used on the server and only open those. Though still, don't use FTP.
Thanks!
Unfortunately, some customers and vendors require its use. I get the plain-text password issues, and that is why we prefer to use other methods of file transfer. We will probably restrict this by department somehow.
Any other suggestions or ideas?
-
Yes! I read that before my upgrade, but didn't realize the specific implications until afterwards. That is why I posted my steps above. Sometimes I have to hit my head against the firewall a few times to make the information sink in. :-[
Fortunately, I had a roll-back plan, with a backup plan to that, but did not have to use either. The release notes covered this, but it is difficult to test without a test connection, test firewall, test network and test PC implemented. So I did the upgrade an hour before most of the office shows up, and was able to test the system and apply updated rules before anyone was affected.
Thanks for the link!
-
If your clients are behind pfSense and the ftp server is on the WAN/public internet side of pfSense, and you have locked down outbound traffic to specific ports, then yeah, you have a problem, since you never know what passive range an ftp server might use, unless it's a specific server and you can ask them what range they use. It's rarely going to be that wide.
So your locked-down outbound rule could be limited to the known ftp servers your clients talk to, and then, if wanted, even lock down the ports if you can get them. If it's any ftp server anywhere, then yeah, that kind of restricts the use of locked-down outbound rules with no helper to open up the ports for you.
As to 20 in your info: that would never be used unless you have servers inside pfSense and clients outside using active connections, where the ftp server would make the connection back to them from 20.
Clients behind pfSense wouldn't make a connection to 20; the server would talk back to them from 20. But without a helper you would have to have the client make sure it gives the public IP and uses a specific port range for the server to connect to, and that would have to be forwarded. If you have multiple clients that would be a real pain.
-
Hi,
I have a problem since the update to pfSense 2.2. We have a software to order stuff. That software uses the Windows ftp.exe tool in passive mode. I don't have a chance to switch to another communication tool. If I connect to the ftp server on port 21 and enter a "dir" command, the ftp drops the connection. I don't know how to resolve the problem. Can anyone help me out and tell me how to configure pfSense to use the damn Windows ftp.exe tool to connect to the server?
Regards, Valle
-
"That software uses the Windows ftp.exe tool in passive mode"
No it doesn't, since the Windows ftp.exe does not support passive, only active.
-
Thanks Johnpoz, sorry, yes you are right. Can you teach me how I can get it to work with pfSense 2.2? What must I configure in the firewall/NAT to get the client to communicate with the server and not drop the connection?
-
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
-
I have read it 5 times. Does it mean that I can't use it with the MS ftp.exe client? I can't use another because the software that we use needs it.
-
If you can't edit the batch process, you might be able to find a replacement command-line ftp client that supports the correct options.
There are plenty of choices that support passive connections; you could rename the binary. You need to know what options it's passing though.
edit: waffling on the link, not sure it's what you need, but it's free..
http://www.ipswitchft.com/moveit-managed-file-transfer/file-transfer/clients/moveit-freely
-
Thanks for helping out. Tomorrow I will try ncftp. Hope it will work.
-
You can use it as long as where you're connecting allows active.. Problem is, with that ftp.exe I don't think you can send the public IP if your client is on a private one.
So in an active connection the ftp server makes the connection to the IP and port you give it with the PORT command.. So say it's ftp.pfsense.com and you're on your box behind pfSense.
In an active connection your box is on 192.168.1.100, for example.. You would send "hey, connect to me on 192.168.1.100 port 5001"; well, clearly that would not work because 192.168.1.100 is private and ftp.pfsense is sure not going to be able to talk to that IP. But with a helper, pfSense would have changed it to what the pfSense WAN public IP was and said "oh, need to forward port 5001 to 192.168.1.100".
And that is how it worked.
In passive the server sends you the IP to connect to. So normally clients behind pfSense don't have any issues if outbound is not locked down. But if the passive server is behind pfSense you need to tell the server to use your public IP when it sends the pasv command, and manually forward the ports the server is going to use, say 5000 to 6000.
Problem is, the ftp.exe from Windows only does ACTIVE connections..
Where is the ftp server and where is the client?? This is a great write-up on how ftp works for active and passive. This should be basic understanding for anyone using ftp, even as a user, if you ask me. If you admin a firewall that ftp will be used in or out of, then yeah, understanding this is mandatory.. http://slacksite.com/other/ftp.html
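The PORT/PASV mechanics described in this post, and the earlier advice to open only the passive range the server actually uses, as an added Python example. This is not code from the thread or from pfSense: it assumes the RFC 959 h1,h2,h3,h4,p1,p2 syntax for the PORT command and the 227 reply, the control-channel replies and the 192.0.2.10 server are constructed for the example, and the pfSense-style alias string ("20 21 22 1024:65535") is a stand-in for the original poster's alias.

```python
"""Added example, not from the pfSense thread: decode the FTP PORT command and the
227 PASV reply that the post above describes, flag an active-mode PORT that no
server could reach, and derive a tight firewall port range from observed PASV
replies instead of opening 1024:65535. Assumes RFC 959 h1,h2,h3,h4,p1,p2 syntax."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode an h1,h2,h3,h4,p1,p2 tuple into (ip, port); the port is p1*256 + p2."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def parse_pasv_reply(reply: str) -> Optional[Tuple[str, int]]:
    """From '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' return where the client must connect."""
    if not reply.startswith("227"):
        return None
    return _decode_hostport(reply)


def build_port_command(ip: str, port: int) -> str:
    """Build the PORT command an active-mode client sends; the server connects back to it from port 20."""
    ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not a dotted quad
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def port_command_reachable(cmd: str) -> bool:
    """False when PORT advertises a private/non-routable address: the active-mode failure
    described above, where without a helper rewriting it the server cannot connect back."""
    if not cmd.upper().startswith("PORT "):
        return False
    decoded = _decode_hostport(cmd)
    return decoded is not None and not ipaddress.IPv4Address(decoded[0]).is_private


def parse_port_alias(alias: str) -> List[Tuple[int, int]]:
    """Parse a pfSense-style port alias such as '20 21 22 1024:65535' into (lo, hi) ranges."""
    ranges = []
    for entry in alias.split():
        lo, _, hi = entry.partition(":")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i < 65536:
            raise ValueError(f"bad alias entry {entry!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_allowed(port: int, alias: str) -> bool:
    """Would an outbound rule using this port alias let the data connection through?"""
    return any(lo <= port <= hi for lo, hi in parse_port_alias(alias))


def pasv_port_range(control_lines: Iterable[str]) -> Optional[Tuple[int, int]]:
    """Tightest (lo, hi) data-port range seen in a server's 227 replies; None if there were none."""
    ports = []
    for line in control_lines:
        decoded = parse_pasv_reply(line)
        if decoded is not None:
            ports.append(decoded[1])
    if not ports:
        return None
    return min(ports), max(ports)


def alias_entry(lo: int, hi: int) -> str:
    """Render a range in the alias syntax used above ('5000:6000', or '5000' for a single port)."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


# Constructed sample control-channel replies from one server (192.0.2.10 is a documentation
# address; the ports are made up) as a client behind the firewall would see them.
SAMPLE_CONTROL_LOG = [
    "220 Example FTP server ready",
    "230 Login successful",
    "227 Entering Passive Mode (192,0,2,10,19,136)",  # 19*256+136 = 5000
    "150 Here comes the directory listing",
    "226 Directory send OK",
    "227 Entering Passive Mode (192,0,2,10,21,88)",   # 21*256+88  = 5464
    "227 Entering Passive Mode (192,0,2,10,23,112)",  # 23*256+112 = 6000
]

if __name__ == "__main__":
    wide_alias = "20 21 22 1024:65535"          # the fix from the first post
    lo, hi = pasv_port_range(SAMPLE_CONTROL_LOG)
    tight_alias = "21 " + alias_entry(lo, hi)   # what "check the server's range" suggests instead
    for port in (5000, 6000, 7000):
        print(port, port_allowed(port, wide_alias), port_allowed(port, tight_alias))
    private_port_cmd = build_port_command("192.168.1.100", 5001)
    print(private_port_cmd, "reachable:", port_command_reachable(private_port_cmd))
```

To get the real range for a vendor's server, capture the control channel (port 21) of a few transfers and feed the 227 lines to pasv_port_range; the result is the single alias entry to add next to 21, instead of 1024:65535. Note that it only covers servers whose passive range is fixed and known; an arbitrary server on the internet can answer with any port, which is the case the post above says cannot be locked down without a helper.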
-
And now… https://forum.pfsense.org/index.php?topic=89841.0
-
I'm a little confused about the ftp proxy. Was this something that was on and working by default in 2.1.x? Because I never configured any such proxy on the pfSense router or any settings in the ftp clients on the LAN.
But, now that I've upgraded to 2.2.2, outbound FTP file transfer is broken.
Since I have outbound ports locked down, I'm not sure how to handle this problem. If the ftp proxy was necessary to get ftp clients working, even if insecure, why would it be stripped out? Why not just make it an option? Worried about security? Well, now I may have to allow everything outbound just so FTP will work. So much for blocking torrents and stuff….
-
The proxy was built in on 2.1.x.
It is now a package on 2.2.x. If you need it, install the package.
Not sure what the drama is about.
-
> The proxy was built in on 2.1.x.
> It is now a package on 2.2.x. If you need it, install the package.
> Not sure what the drama is about.
Thanks, didn't realize this. I just installed it. Does it require any configuration or is it seamless like before when it was built in? The service won't start for me… does this install require a reboot or is there something I can run from the command line to get the daemon to start?
-
How about you go to Services - FTP Client Proxy and configure the thing? Sigh…
-
I configured the proxy the other day. It works for some devices, but other devices have a problem with it and I have to set them statically and bypass the proxy. The built-in proxy in the previous version of pfSense worked seamlessly.