FTP Client Proxy Package

jimp

I made a basic FTP client proxy package using ftp-proxy(8), it is available for users on pfSense 2.2-RELEASE and later.

https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3

Feedback welcome. I don't expect every feature to work 100% yet, but it's worth knowing what does and does not work.

N.B.: This is for clients and not servers. So local clients, remote servers.

It should also help those with a strict LAN ruleset and passive outbound clients.

---

Note for future posters to this thread:
This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.

Thanks!

stefb

Hello,

First, thanks for this, it will help in some corporate environments where things move slowly and outgoing internet connection is limited.

I have tried with ftp.free.fr on a dual wan setup with load balancing and it seems there is an issue with the outgoing ip :

lftp 212.27.60.27:~> ls
---- Connexion à 212.27.60.27 (212.27.60.27) port 21
<--- 220 Welcome to ProXad FTP server
---> FEAT
<--- 211-Features:
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS lftp@
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PASV
<--- 227 Entering Passive Mode (212,27,60,27,237,91)
---- Connecting data socket (212.27.60.27) port 60763
---- Data connection established
---> LIST
<--- 425 Security: Bad IP connecting.
---- Closing data socket

jimp

Are you load balancing? It probably won't work with load balancing if the data connection leaves a different WAN. Not sure if there is a way around that one using this proxy.

It works for me to that site, but I'm doing failover not load balancing.

stefb

Yes, i'm load balancing,

I could failover for the ftp connection if needed.

jimp

Problem with that is the outbound connection from the client will be on a high, unpredictable port.

That's one case where with a proxy, active mode would work better.

stefb

Yes I confirm that when using Active mode it works :

stefb@host:~$ LANG=en_US.utf8 lftp 212.27.60.27
lftp 212.27.60.27:~> set ftp:passive-mode no
lftp 212.27.60.27:~> debug
lftp 212.27.60.27:~> ls
---- Connecting to 212.27.60.27 (212.27.60.27) port 21
<--- 220 Welcome to ProXad FTP server
---> FEAT
<--- 211-Features:
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER anonymous
<--- 331 Please specify the password.
---> PASS lftp@
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PORT 192,168,75,178,129,186
<--- 200 PORT command successful. Consider using PASV.
---> LIST
---- Accepted data connection from (212.27.60.27) port 20
<--- 150 Here comes the directory listing.
---- Got EOF on data connection
---- Closing data socket
lrwxrwxrwx    1 ftp      ftp            28 Jun 14  2011 MPlayer -> mirrors/mplayerhq.hu/MPlayer
drwxr-xr-x    2 ftp      ftp          4096 May 07  2008 awstats
drwx------    2 ftp      ftp          4096 Mar 08  2006 lost+found
drwxr-xr-x    3 ftp      ftp          4096 Aug 18  2014 mirrors
drwxr-xr-x    2 ftp      ftp          4096 Dec 24  2008 nzb
drwxr-xr-x    9 ftp      ftp          4096 Oct 23 13:41 pub
drwxr-xr-x    2 ftp      ftp         69632 Mar 04 23:30 stats
drwxr-xr-x    2 ftp      ftp          4096 Mar 05 11:40 tmp
<--- 226 Directory send OK.
lftp 212.27.60.27:/>

doktornotor

Just tested quickly, personally have no need for this.

• Totally broken when you tick the IPv6 checkbox, nothing works.
• This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)

brainloss

Upgraded from 2.1.5 to 2.2 and found the that a application that user FTP on the LAN could no longer talk correctly to the remote FTP server.
I have no control on the application or FTP server but the function it provides is critical to the business.
This package saved me last night and while I have not fully tested all options in the package, it did immediately solve my issue.

Proxy Enable - Tick
Local Interface - LAN and OPT1(Wifi)
IPv6 - no tick
Anonymous - no tick
Source - My WAN IP
Bind Port - 21
Max Sessions - Blank
Traffic Shaping - Blank
Rewrite Port 20 - no tick
Ide Timeout - Blank
Log Connection - ticked

JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)

jimp

@doktornotor:

Just tested quickly, personally have no need for this.

Me either, but sadly it's so ingrained that it's hard to rip out.

@doktornotor:

• Totally broken when you tick the IPv6 checkbox, nothing works.

I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.

@doktornotor:

• This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)

Not sure anything can be done for that, and it does suck.

jimp

@brainloss:

Source - My WAN IP

If that's your only WAN IP, it can be left blank. That box is primarily for people who need it to exit a VIP or some other different IP, perhaps if your WAN is behind NAT.

@brainloss:

Bind Port - 21

Don't do that. Leave it blank.

@brainloss:

JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)

You're welcome, glad it helped!

kejianshi

I suspect lots of people will use soon as they see it.

-flo- 0

Thanks a lot!!

I only need ftp once every few years like when some provider has support files only available via anonymous ftp. So as bad as ftp may be not being able to use it is a real pain.

-flo-

jimp

I removed the broken IPv6 setting and I added fields for source bypass and destination bypass.

At least that way, if you have a secure FTP server you could add it to the bypass list so that the proxy won't break it.

pfsenseo

Thanks a lot for your package !!!

It save me many days of troubleshouting…

I also think that I am not the only one in this case.

Hope that pfSense team will quickly correct this bug.

Thanks again.

Yan

matsan

Just want to chime in here - upgraded hardware and installed 2.2 and immediately got bitten by the lack of ftp-proxy.
This package saved tons of time during the hectic upgrade.

JeGr

I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.

In environments, where users are trying to build a new IPv6 only network, that option may be very well received (for proxying IPv6 clients to IPv4 only servers). If that is possible, it would be nice to be included. Of course not needing FTP at all would be quite better… ;)

Greets

jimp

It wasn't a 6-to-4 style proxy or anything that interesting, it was for v6 to v6 only, which is pretty useless except maybe in the presence of strict outbound firewall rules that the proxy could help with.

digidax

How can I install this package?
Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.

best regards
Frank

doktornotor

@digidax:

Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.

Like any other package. System - Packages.

digidax

There is no package "ftpproxy".
"freeradius2" is the last, then "gwled" is the next one.
Will it be visible after I have done the update?