FTP Client Proxy Package


  • Rebel Alliance Developer Netgate

    I made a basic FTP client proxy package using ftp-proxy(8), it is available for users on pfSense 2.2-RELEASE and later.

    https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3

    Feedback welcome. I don't expect every feature to work 100% yet, but it's worth knowing what does and does not work.

    N.B.: This is for clients and not servers. So local clients, remote servers.

    It should also help those with a strict LAN ruleset and passive outbound clients.


    Note for future posters to this thread:
    This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.

    Thanks!



  • Hello,

    First, thanks for this, it will help in some corporate environments where things move slowly and outgoing internet connection is limited.

    I have tried with ftp.free.fr on a dual WAN setup with load balancing and it seems there is an issue with the outgoing IP:

    lftp 212.27.60.27:~> ls
    ---- Connexion à 212.27.60.27 (212.27.60.27) port 21
    <--- 220 Welcome to ProXad FTP server
    ---> FEAT
    <--- 211-Features:
    <---  EPRT
    <---  EPSV
    <---  MDTM
    <---  PASV
    <---  REST STREAM
    <---  SIZE
    <---  TVFS
    <---  UTF8
    <--- 211 End
    ---> OPTS UTF8 ON
    <--- 200 Always in UTF8 mode.
    ---> USER anonymous
    <--- 331 Please specify the password.
    ---> PASS lftp@
    <--- 230 Login successful.
    ---> PWD
    <--- 257 "/"
    ---> PASV
    <--- 227 Entering Passive Mode (212,27,60,27,237,91)
    ---- Connecting data socket (212.27.60.27) port 60763
    ---- Data connection established
    ---> LIST
    <--- 425 Security: Bad IP connecting.
    ---- Closing data socket
    

  • Rebel Alliance Developer Netgate

    Are you load balancing? It probably won't work with load balancing if the data connection leaves a different WAN. Not sure if there is a way around that one using this proxy.

    It works for me to that site, but I'm doing failover not load balancing.



  • Yes, I'm load balancing.

    I could failover for the ftp connection if needed.


  • Rebel Alliance Developer Netgate

    Problem with that is the outbound connection from the client will be on a high, unpredictable port.

    That's one case where with a proxy, active mode would work better.



  • Yes I confirm that when using Active mode it works :

    stefb@host:~$ LANG=en_US.utf8 lftp 212.27.60.27
    lftp 212.27.60.27:~> set ftp:passive-mode no
    lftp 212.27.60.27:~> debug
    lftp 212.27.60.27:~> ls
    ---- Connecting to 212.27.60.27 (212.27.60.27) port 21
    <--- 220 Welcome to ProXad FTP server
    ---> FEAT
    <--- 211-Features:
    <---  EPRT
    <---  EPSV
    <---  MDTM
    <---  PASV
    <---  REST STREAM
    <---  SIZE
    <---  TVFS
    <---  UTF8
    <--- 211 End
    ---> OPTS UTF8 ON
    <--- 200 Always in UTF8 mode.
    ---> USER anonymous
    <--- 331 Please specify the password.
    ---> PASS lftp@
    <--- 230 Login successful.
    ---> PWD
    <--- 257 "/"
    ---> PORT 192,168,75,178,129,186
    <--- 200 PORT command successful. Consider using PASV.
    ---> LIST
    ---- Accepted data connection from (212.27.60.27) port 20
    <--- 150 Here comes the directory listing.
    ---- Got EOF on data connection
    ---- Closing data socket
    lrwxrwxrwx    1 ftp      ftp            28 Jun 14  2011 MPlayer -> mirrors/mplayerhq.hu/MPlayer
    drwxr-xr-x    2 ftp      ftp          4096 May 07  2008 awstats
    drwx------    2 ftp      ftp          4096 Mar 08  2006 lost+found
    drwxr-xr-x    3 ftp      ftp          4096 Aug 18  2014 mirrors
    drwxr-xr-x    2 ftp      ftp          4096 Dec 24  2008 nzb
    drwxr-xr-x    9 ftp      ftp          4096 Oct 23 13:41 pub
    drwxr-xr-x    2 ftp      ftp         69632 Mar 04 23:30 stats
    drwxr-xr-x    2 ftp      ftp          4096 Mar 05 11:40 tmp
    <--- 226 Directory send OK.
    lftp 212.27.60.27:/>
    
    

  • Banned

    Just tested quickly, personally have no need for this.

    • Totally broken when you tick the IPv6 checkbox, nothing works.
    • This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)


  • Upgraded from 2.1.5 to 2.2 and found that an application that uses FTP on the LAN could no longer talk correctly to the remote FTP server.
    I have no control on the application or FTP server but the function it provides is critical to the business.
    This package saved me last night and while I have not fully tested all options in the package, it did immediately solve my issue.

    Proxy Enable - Tick
    Local Interface - LAN and OPT1(Wifi)
    IPv6 - no tick
    Anonymous - no tick
    Source - My WAN IP
    Bind Port - 21
    Max Sessions - Blank
    Traffic Shaping - Blank
    Rewrite Port 20 - no tick
    Idle Timeout - Blank
    Log Connection - ticked

    JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thank you with a gold subscription :-)


  • Rebel Alliance Developer Netgate

    @doktornotor:

    Just tested quickly, personally have no need for this.

    Me either, but sadly it's so ingrained that it's hard to rip out.

    @doktornotor:

    • Totally broken when you tick the IPv6 checkbox, nothing works.

    I suspected that might be the case. Proxying IPv6 seems like a bad idea anyhow. I may rip that option out next rev.

    @doktornotor:

    • This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)

    Not sure anything can be done for that, and it does suck.


  • Rebel Alliance Developer Netgate

    @brainloss:

    Source - My WAN IP

    If that's your only WAN IP, it can be left blank. That box is primarily for people who need it to exit a VIP or some other different IP, perhaps if your WAN is behind NAT.

    @brainloss:

    Bind Port - 21

    Don't do that. Leave it blank.

    @brainloss:

    JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thank you with a gold subscription :-)

    You're welcome, glad it helped!



  • I suspect lots of people will use it as soon as they see it.



  • Thanks a lot!!

    I only need ftp once every few years like when some provider has support files only available via anonymous ftp. So as bad as ftp may be not being able to use it is a real pain.

    -flo-


  • Rebel Alliance Developer Netgate

    I removed the broken IPv6 setting and I added fields for source bypass and destination bypass.

    At least that way, if you have a secure FTP server you could add it to the bypass list so that the proxy won't break it.



  • Thanks a lot for your package !!!

    It saved me many days of troubleshooting…

    I also think that I am not the only one in this case.

    Hope that pfSense team will quickly correct this bug.

    Thanks again.

    Yan



  • Just want to chime in here - upgraded hardware and installed 2.2 and immediately got bitten by the lack of ftp-proxy.
    This package saved tons of time during the hectic upgrade.


  • Rebel Alliance Moderator

    I suspected that might be the case. Proxying IPv6 seems like a bad idea anyhow. I may rip that option out next rev.

    In environments where users are trying to build a new IPv6-only network, that option may be very well received (for proxying IPv6 clients to IPv4-only servers). If that is possible, it would be nice to be included. Of course not needing FTP at all would be quite better… ;)

    Greets


  • Rebel Alliance Developer Netgate

    It wasn't a 6-to-4 style proxy or anything that interesting, it was for v6 to v6 only, which is pretty useless except maybe in the presence of strict outbound firewall rules that the proxy could help with.



  • How can I install this package?
    I went back to 2.1.5 and now want to try updating to 2.2.1 with working outgoing FTP from LAN.

    best regards
    Frank


  • Banned

    @digidax:

    I went back to 2.1.5 and now want to try updating to 2.2.1 with working outgoing FTP from LAN.

    Like any other package. System - Packages.



  • There is no package "ftpproxy".
    "freeradius2" is the last, then "gwled" is the next one.
    Will it be visible after I have done the update?


  • Banned

    The package is for 2.2.x only


  • Rebel Alliance Developer Netgate

    Note for future posters to this thread:
    This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.

    Thanks!



  • Hi! Sorry for my bad English.
    I use an FTP server on port 1221. In pfSense 2.1 I configured the ftphelper with the debug.pfftpports option. But in pfSense 2.2 I can't configure the "FTP client proxy" package to work with a port other than 21. Help, please!


  • Rebel Alliance Developer Netgate

    The ftp-proxy(8) daemon seems to only work properly with a server on port 21, so there does not appear to be a way to accommodate that scenario at this time.



  • Whatever you do, don't use a vpn.  That would be too easy…



  • Thank you very much for this package !!  ;D

    that should do the trick for some of my customers who are stuck with applications that use an "archaic" active FTP client to update :)

    Will try it in next maintenance  8)



  • Thank you very much for this package!

    I have a little problem with one WAN and multiple LANs, with different VIPs used for outgoing traffic (one per LAN); the post is here:
    https://forum.pfsense.org/index.php?topic=91638.0

    Thanks.
    Luca



  • Hi,
    is it possible to add more than one IP to the bypass list?


  • Rebel Alliance Developer Netgate

    @Marlenio:

    is it possible to add more than one IP to the bypass list?

    Make an alias and put the alias name there.



  • @jimp:

    Make an alias and put the alias name there.

    Thanks in advance. :) :)



  • @Marlenio:

    @jimp:

    Make an alias and put the alias name there.

    Thanks in advance. :) :)

    I tried. I made an alias with two IPs and put the name in "Proxy Bypass: Destination", restarted the service, but it doesn't work.

    EDIT: the alias works if I declare the IPs as "/32" networks, but not as single hosts. :)



  • jimp-

    Just wanted to thank you wholeheartedly for this package. I know FTP is 'discouraged' but sadly we can't always force these decisions on users when legacy systems are in place and working. This package has saved us a lot of headache.

    bravo sir



  • Dear Jimp,

    thank you VERY MUCH for this great package!

    Is it possible to modify package and GUI to realize an explicit proxy environment?

    Best wishes



  • Have an issue with 2 in-series pfSense boxes… the 2nd one is on a LAN (Opt1 on pfSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for an Active FTP session.  If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open the data port.

    Hope this makes sense - any ideas?


  • Rebel Alliance Developer Netgate

    @klingone:

    Is it possible to modify package and GUI to realize an explicit proxy environment?

    Not that I'm aware of. If you need an explicit proxy, I believe that squid can handle that.


  • Rebel Alliance Developer Netgate

    @tmc:

    Have an issue with 2 in-series pfSense boxes… the 2nd one is on a LAN (Opt1 on pfSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for an Active FTP session.  If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open the data port.

    I use it here with multiple boxes in series and it's OK but I don't use VIPs or send it out an alternate WAN (just the default WAN at my edge, not my second WAN).

    When using load balancing or multi-wan, the FTP traffic (including high data ports) would have to exit the default WAN or the proxy won't work correctly.
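To make the two traces quoted earlier in this thread concrete, and to show why a data connection that leaves a different WAN than the control connection is rejected (the "425 Security: Bad IP connecting." reply), here is an added Python example. It is not part of the pfSense package or of ftp-proxy(8): it decodes the endpoint announced in a PASV reply or PORT command (port = p1 * 256 + p2), models the server-side check that the data channel must arrive from the same address as the control session, and flags an active-mode PORT that still carries a private address (the case the proxy has to rewrite). The trace lines are constructed from the lftp output quoted above; the two WAN addresses are made-up placeholders.

```python
"""Decode FTP data-channel endpoints from lftp debug traces and model the
server-side check behind "425 Security: Bad IP connecting.".

Added example for this thread; not code from the pfSense package or from
ftp-proxy(8). Sample traces are constructed from the lines quoted earlier in
the thread; WAN1/WAN2 are placeholder addresses, not from the thread."""
import ipaddress
import re

# "<--- 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server tells the
# client where to connect for the data channel.
PASV_RE = re.compile(r"^<--- 227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "---> PORT h1,h2,h3,h4,p1,p2": the client tells the server where to connect
# back to. Through NAT this is a private address until something rewrites it.
PORT_RE = re.compile(r"^---> PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_hostport(fields):
    """Turn the six decimal fields of PASV/PORT into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV/PORT field out of range: %r" % (fields,))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channels(trace):
    """Return [(mode, ip, port), ...] for every data channel announced in a
    trace, in order of appearance."""
    found = []
    for raw in trace.splitlines():
        line = raw.strip()
        m = PASV_RE.match(line)
        if m:
            found.append(("passive",) + decode_hostport(m.groups()))
            continue
        m = PORT_RE.match(line)
        if m:
            found.append(("active",) + decode_hostport(m.groups()))
    return found


def server_accepts_data(control_peer, data_peer):
    """Model of the check that produced the 425 in the thread: the address on
    the data channel must be the address the control session came from.
    Returns the reply line the server would send for LIST."""
    if ipaddress.ip_address(control_peer) == ipaddress.ip_address(data_peer):
        return "150 Here comes the directory listing."
    return "425 Security: Bad IP connecting."


def needs_proxy_rewrite(mode, ip):
    """An active-mode PORT carrying an RFC 1918 address cannot be reached from
    the Internet; a proxy (ftp-proxy here) has to rewrite it to a public one."""
    return mode == "active" and ipaddress.ip_address(ip).is_private


# Constructed from the passive-mode trace quoted in the thread.
PASSIVE_TRACE = """\
---> PASV
<--- 227 Entering Passive Mode (212,27,60,27,237,91)
---- Connecting data socket (212.27.60.27) port 60763
---> LIST
<--- 425 Security: Bad IP connecting.
"""

# Constructed from the active-mode trace quoted in the thread.
ACTIVE_TRACE = """\
---> PORT 192,168,75,178,129,186
<--- 200 PORT command successful. Consider using PASV.
---> LIST
---- Accepted data connection from (212.27.60.27) port 20
"""

# Placeholder WAN addresses (not from the thread).
WAN1 = "198.51.100.10"  # default WAN, owns the control connection
WAN2 = "203.0.113.20"   # second WAN the load balancer picked for the data flow


if __name__ == "__main__":
    for name, trace in (("passive", PASSIVE_TRACE), ("active", ACTIVE_TRACE)):
        for mode, ip, port in data_channels(trace):
            note = " (proxy must rewrite)" if needs_proxy_rewrite(mode, ip) else ""
            print("%s trace: %s data channel %s:%d%s" % (name, mode, ip, port, note))
    # Load balanced: data flow exits WAN2 while the control session came from WAN1.
    print("load balanced:", server_accepts_data(WAN1, WAN2))
    # Failover or single WAN: both flows share one source address.
    print("failover:     ", server_accepts_data(WAN1, WAN1))
```

Running it decodes the passive reply to 212.27.60.27:60763 (matching the "Connecting data socket" line in the trace) and the PORT command to 192.168.75.178:33210, flags the latter as needing a rewrite, and reproduces the 425 only when the data channel's source differs from the control channel's source, which is exactly what happens when a load balancer sends the high-port data flow out the second WAN.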



  • I've been banging my head against a brick wall trying to get an old FTP client to work properly. Thank you so much for your work, I appreciate it.



  • Hi, I need some help configuring the FTP Client Proxy package in order to give FTP access on my network. I have 2 WANs (WAN1 & WAN2) and one LAN interface.

    Local Interface: I select only LAN?
    Anonymous Only: Not checked
    Source Address: I put one of the two public WAN IP addresses?
    Proxy Bypass Source: None
    Proxy Bypass Dest: None
    Bind Port: None
    Maximum Sessions (Default: 100): None
    Traffic Shaping Queue: None
    Rewrite Source to Port 20 : Not checked
    Idle Timeout (Default: 86400) : None
    Log Connections : Not Checked

    Do I need any other configuration? I use the FileZilla FTP server.

    Sorry, but my knowledge of this stuff is very basic.


  • Banned

    @stavros:

    Do I need any other configuration? I use the FileZilla FTP server.

    This package is for FTP clients using active mode behind pfSense.

    https://doc.pfsense.org/index.php/FTP_without_a_Proxy



  • Many thanks for building this package: install, enable, assign client interfaces, ALL DONE. You saved my day! Thanks a lot. sven

