FTP Client Proxy Package
-
I made a basic FTP client proxy package using ftp-proxy(8), it is available for users on pfSense 2.2-RELEASE and later.
https://github.com/pfsense/pfsense-packages/commit/a868b2522ef865f117c892a07ae3507686783ff3
Feedback welcome. I don't expect every feature to work 100% yet, but it's worth knowing what does and does not work.
N.B.: This is for clients and not servers. So local clients, remote servers.
It should also help those with a strict LAN ruleset and passive outbound clients.
Note for future posters to this thread:
This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.Thanks!
-
Hello,
First, thanks for this, it will help in some corporate environments where things move slowly and outgoing internet connection is limited.
I have tried with ftp.free.fr on a dual wan setup with load balancing and it seems there is an issue with the outgoing ip :
lftp 212.27.60.27:~> ls ---- Connexion à 212.27.60.27 (212.27.60.27) port 21 <--- 220 Welcome to ProXad FTP server ---> FEAT <--- 211-Features: <--- EPRT <--- EPSV <--- MDTM <--- PASV <--- REST STREAM <--- SIZE <--- TVFS <--- UTF8 <--- 211 End ---> OPTS UTF8 ON <--- 200 Always in UTF8 mode. ---> USER anonymous <--- 331 Please specify the password. ---> PASS lftp@ <--- 230 Login successful. ---> PWD <--- 257 "/" ---> PASV <--- 227 Entering Passive Mode (212,27,60,27,237,91) ---- Connecting data socket (212.27.60.27) port 60763 ---- Data connection established ---> LIST <--- 425 Security: Bad IP connecting. ---- Closing data socket -
Are you load balancing? It probably won't work with load balancing if the data connection leaves a different WAN. Not sure if there is a way around that one using this proxy.
It works for me to that site, but I'm doing failover not load balancing.
-
Yes, i'm load balancing,
I could failover for the ftp connection if needed.
-
Problem with that is the outbound connection from the client will be on a high, unpredictable port.
That's one case where with a proxy, active mode would work better.
-
Yes I confirm that when using Active mode it works :
stefb@host:~$ LANG=en_US.utf8 lftp 212.27.60.27 lftp 212.27.60.27:~> set ftp:passive-mode no lftp 212.27.60.27:~> debug lftp 212.27.60.27:~> ls ---- Connecting to 212.27.60.27 (212.27.60.27) port 21 <--- 220 Welcome to ProXad FTP server ---> FEAT <--- 211-Features: <--- EPRT <--- EPSV <--- MDTM <--- PASV <--- REST STREAM <--- SIZE <--- TVFS <--- UTF8 <--- 211 End ---> OPTS UTF8 ON <--- 200 Always in UTF8 mode. ---> USER anonymous <--- 331 Please specify the password. ---> PASS lftp@ <--- 230 Login successful. ---> PWD <--- 257 "/" ---> PORT 192,168,75,178,129,186 <--- 200 PORT command successful. Consider using PASV. ---> LIST ---- Accepted data connection from (212.27.60.27) port 20 <--- 150 Here comes the directory listing. ---- Got EOF on data connection ---- Closing data socket lrwxrwxrwx 1 ftp ftp 28 Jun 14 2011 MPlayer -> mirrors/mplayerhq.hu/MPlayer drwxr-xr-x 2 ftp ftp 4096 May 07 2008 awstats drwx------ 2 ftp ftp 4096 Mar 08 2006 lost+found drwxr-xr-x 3 ftp ftp 4096 Aug 18 2014 mirrors drwxr-xr-x 2 ftp ftp 4096 Dec 24 2008 nzb drwxr-xr-x 9 ftp ftp 4096 Oct 23 13:41 pub drwxr-xr-x 2 ftp ftp 69632 Mar 04 23:30 stats drwxr-xr-x 2 ftp ftp 4096 Mar 05 11:40 tmp <--- 226 Directory send OK. lftp 212.27.60.27:/> -
Just tested quickly, personally have no need for this.
- Totally broken when you tick the IPv6 checkbox, nothing works.
- This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)
-
Upgraded from 2.1.5 to 2.2 and found the that a application that user FTP on the LAN could no longer talk correctly to the remote FTP server.
I have no control on the application or FTP server but the function it provides is critical to the business.
This package saved me last night and while I have not fully tested all options in the package, it did immediately solve my issue.Proxy Enable - Tick
Local Interface - LAN and OPT1(Wifi)
IPv6 - no tick
Anonymous - no tick
Source - My WAN IP
Bind Port - 21
Max Sessions - Blank
Traffic Shaping - Blank
Rewrite Port 20 - no tick
Ide Timeout - Blank
Log Connection - tickedJIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)
-
Just tested quickly, personally have no need for this.
Me either, but sadly it's so ingrained that it's hard to rip out.
- Totally broken when you tick the IPv6 checkbox, nothing works.
I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.
- This breaks any encrypted FTP connections when the proxy is enabled (which sucks big time.)
Not sure anything can be done for that, and it does suck.
-
Source - My WAN IP
If that's your only WAN IP, it can be left blank. That box is primarily for people who need it to exit a VIP or some other different IP, perhaps if your WAN is behind NAT.
Bind Port - 21
Don't do that. Leave it blank.
JIMP - Huge thanks for the quick turn around on this package, I think you just convinced me to say thankyou with a gold subscription :-)
You're welcome, glad it helped!
-
I suspect lots of people will use soon as they see it.
-
Thanks a lot!!
I only need ftp once every few years like when some provider has support files only available via anonymous ftp. So as bad as ftp may be not being able to use it is a real pain.
-flo-
-
I removed the broken IPv6 setting and I added fields for source bypass and destination bypass.
At least that way, if you have a secure FTP server you could add it to the bypass list so that the proxy won't break it.
-
Thanks a lot for your package !!!
It save me many days of troubleshouting…
I also think that I am not the only one in this case.
Hope that pfSense team will quickly correct this bug.
Thanks again.
Yan
-
Just want to chime in here - upgraded hardware and installed 2.2 and immediately got bitten by the lack of ftp-proxy.
This package saved tons of time during the hectic upgrade. -
I suspected that might be the case. Proxying IPv6 seems like a bad idea anyow. I may rip that option out next rev.
In environments, where users are trying to build a new IPv6 only network, that option may be very well received (for proxying IPv6 clients to IPv4 only servers). If that is possible, it would be nice to be included. Of course not needing FTP at all would be quite better… ;)
Greets
-
It wasn't a 6-to-4 style proxy or anything that interesting, it was for v6 to v6 only, which is pretty useless except maybe in the presence of strict outbound firewall rules that the proxy could help with.
-
How can I install this package?
Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.best regards
Frank -
Was going back to 2.1.5 and want now try to update to 2.2.1 with working FTP outgoing from LAN.
Like any other package. System - Packages.
-
There is no package "ftpproxy".
"freeradius2" is the last, then "gwled" is the next one.
Will it be visible after I have done the update? -
The package is for 2.2.x only…
-
Note for future posters to this thread:
This thread is for general feedback about the package (commentary, GUI notes, etc) – Problem reports should go into separate threads so they can receive proper/full attention without taking over this thread. Dropping a note here saying it didn't work for you is OK so long as it contains a link to a separate problem thread for further discussion.Thanks!
-
Hi! Sorry for my bad English.
I use FTP server on port 1221. In PFsense 2.1 I configure ftphelper with option debug.pfftpports. But in PFsense 2.2 I can't confirure packet "FTP client proxy" for work with port differing from 21. Help, please! -
The ftp-proxy(8) daemon seems to only work properly with a server on port 21, so there does not appear be a way to accommodate that scenario at this time.
-
Whatever you do, don't use a vpn. That would be too easy…
-
Thank you very much for this package !! ;D
that should do the trick for some of my customers who are stuck with application that use "archaic" FTP Active client to update :)
Will try it in next maintenance 8)
-
Thank you very much for this package!
I have a little problem with one WAN and multiple LAN, with different VIPs used for outgoing traffic (one per LAN), the post is this:
https://forum.pfsense.org/index.php?topic=91638.0Thanks.
Luca -
Hi,
is it possible to add more than one ip on bypass list? -
is it possible to add more than one ip on bypass list?
Make an alias and put the alias name there.
-
-
-
jimp-
Just wanted to thank you wholeheartedly for this package. I know FTP is 'discouraged' but sadly we can't always force these decisions on users when legacy systems are in place and working. This package has saved us a lot of headache.
bravo sir
-
Dear Jimp,
thank you VERY MUCH for this great package!
Is it possible to modify package and GUI to realize an explicit proxy environment?
Best wishes
-
Have an issue with 2 in-series PFSense boxes… the 2nd one is on a LAN (Opt1 on PFSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for Active FTP Session. If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open data port.
Hope this make sense - any ideas?
-
@klingone:
Is it possible to modify package and GUI to realize an explicit proxy environment?
Not that I'm aware of. If you need an explicit proxy, I believe that squid can handle that.
-
@tmc:
Have an issue with 2 in-series PFSense boxes… the 2nd one is on a LAN (Opt1 on PFSense #1 / all traffic in-and-out for that LAN on WAN Virtual IP and NAT'd through to 2nd pfSense) and needs to get out to WAN for Active FTP Session. If I set the 2nd pfSense FTP Client Proxy to WAN external address it won't connect at all, but if I set it to default (WAN - which is actually LAN going to Opt1 in first pfSense), it connects but will not open data port.
I use it here with multiple boxes in series and it's OK but I don't use VIPs or send it out an alternate WAN (just the default WAN at my edge, not my second WAN).
When using load balancing or multi-wan, the FTP traffic (including high data ports) would have to exit the default WAN or the proxy won't work correctly.
-
I've been banging my head against a brick wall trying to get an old FTP client to work properly. Thank you so much for your work, I appreciate it.
-
Hi, i need some help on configuring FTP Client Proxy Package in order to give ftp access on my network. I have 2 wan (WAN1 & WAN2) and one LAN interface.
Local Interface: I select only LAN ?
Anonymous Only: Not checked
Source Address: I put one of the two public WAN ip address?
Proxy Bypass Source: None
Proxy Bypass Dest: None
Bind Port: None
Maximum Sessions (Default: 100): None
Traffic Shaping Queue: None
Rewrite Source to Port 20 : Not checked
Idle Timeout (Default: 86400) : None
Log Connections : Not CheckedDo i need any other configuration? I use filezilla ftp server.
sorry but my knowledge is very basic on this staff.
-
Do i need any other configuration? I use filezilla ftp server.
This package is for FTP clients using active mode behind pfSense.
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
-
Many thanks for building this package, install, enable, assign client interfaces ALL DONE. You safed my day! thanks a lot. sven
