FTP Client Proxy Package
-
Why oh why doesn't pfSense come bundled with this plug-in? I have been troubleshooting at the other end, and then it was pfSense the entire time.
Thanks a bunch for this, jimp - it's working absolutely perfectly and finally my Check Point has stopped yelling "Unable to Parse FTP PORT/227 command - header IP different from command IP".
-
I have installed FTP Client Proxy Package 0.3 Beta and set it up on LAN, but FileZilla can't connect. The FileZilla messages are as follows:
Status: Resolving address of ftp.aspa.idv.tw
Status: Connecting to 219.85.218.78:21…
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Connected
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
In the older version I could use it. How do I fix it? My FTP server uses passive mode.
-
Please start a new separate thread for problems/troubleshooting.
-
Thanks much for this package! Just moved to pfSense w/ company in the trucking industry. Of course, daily fuel pricing is FTP as well as daily fuel transactions. Made my life easy. Gold bought!
-
Thanks for this package.
We've been dealing with a very old application at a customer that gets data updates via FTP (active).
Our new pfSense blocked this app, so we gave this package a try. That was a problem as our customer didn't have any problem with the old router. We could not change anything on that application and the maintainer refused to change the FTP client config, saying it was working properly. We insisted on several more secure solutions (sFTP, SCP and so on), but nothing.
Installed the package, solved the problem.
So we just want to say thanks.
You saved our day yesterday.
-
Firstly, thanks for the package and great work.
Second, I've noticed some strange behaviour.
I have firewall rules defined for Server X, e.g.: incoming to ports 80/443/etc and there's no firewall rule for port 21 -> it's blocked. On Server X ftp client exists and with ftp client proxy package enabled I can connect to the same even though there is no such thing defined in firewall itself (GUI).
I've tried disabling option "Check this box to move the automatically added FTP rules higher in the ruleset to bypass explicit blocks. Helps allow passive FTP to arbitrary destinations, but FTP will always be allowed outbound when checked." and putting block rule on top of all rules for connections to Server on port 21 -> this traffic passes by. When I disable FTP proxy client traffic is blocked and everything is working as expected.
Thoughts?
-
Hello,
I installed the FTP Proxy pfSense package, but I didn't find a manual that explains the various settings.
I need the FTP Proxy because I have an infrastructure with pfSense 2.1.5, and I have many FTP servers with 1:1 NAT behind it.
I would like to upgrade pfSense to the latest version, 2.2.6, but I saw that without the FTP proxy I'm not able to reach the FTP servers.
At the moment I'm using a virtual environment to test the FTP proxy package, but I'm still not able to make an FTP connection to my FTP test server.
Does anyone know how to set up the FTP Proxy package when you have an FTP server behind a 1:1 NAT?
Thanks.
-
Just to add some information.
If I try to use ftp via Command Prompt, the ftp seems to work.
I'm able to open the connection with username and password
ftp <ip-address>
and get and put files.
Here are the logs of the FileZilla FTP Server:
(000005)18/01/2016 11.52.30 - (not logged in) (192.168.1.36)> Connected, sending welcome message…
(000005)18/01/2016 11.52.30 - (not logged in) (192.168.1.36)> 220 FileZilla Server version 0.9.42 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.
(000005)18/01/2016 11.52.36 - (not logged in) (192.168.1.36)> USER ftptest
(000005)18/01/2016 11.52.36 - (not logged in) (192.168.1.36)> 331 Password required for ftptest
(000005)18/01/2016 11.52.39 - (not logged in) (192.168.1.36)> PASS *********
(000005)18/01/2016 11.52.39 - ftptest (192.168.1.36)> 230 Logged on
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> PORT 192,168,1,36,207,4
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> 200 Port command successful
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> RETR 20160118.txt
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> 550 File not found
(000005)18/01/2016 11.52.52 - ftptest (192.168.1.36)> PORT 192,168,1,36,207,5
(000005)18/01/2016 11.52.52 - ftptest (192.168.1.36)> 200 Port command successful
(000005)18/01/2016 11.52.52 - ftptest (192.168.1.36)> NLST
(000005)18/01/2016 11.52.52 - ftptest (192.168.1.36)> 150 Opening data channel for directory list.
(000005)18/01/2016 11.52.52 - ftptest (192.168.1.36)> 226 Sucessfully transferred ""
(000005)18/01/2016 11.53.59 - ftptest (192.168.1.36)> CWD 20160107
(000005)18/01/2016 11.53.59 - ftptest (192.168.1.36)> 250 CWD successful. "/20160107" is current directory.
(000005)18/01/2016 11.54.01 - ftptest (192.168.1.36)> PORT 192,168,1,36,207,18
(000005)18/01/2016 11.54.01 - ftptest (192.168.1.36)> 200 Port command successful
(000005)18/01/2016 11.54.01 - ftptest (192.168.1.36)> NLST
(000005)18/01/2016 11.54.01 - ftptest (192.168.1.36)> 150 Opening data channel for directory list.
(000005)18/01/2016 11.54.01 - ftptest (192.168.1.36)> 226 Sucessfully transferred ""
(000005)18/01/2016 11.55.30 - ftptest (192.168.1.36)> PORT 192,168,1,36,207,35
(000005)18/01/2016 11.55.30 - ftptest (192.168.1.36)> 200 Port command successful
(000005)18/01/2016 11.55.30 - ftptest (192.168.1.36)> STOR 20160118.txt
(000005)18/01/2016 11.55.30 - ftptest (192.168.1.36)> 150 Opening data channel for file upload to server of "/20160107/20160118.txt"
(000005)18/01/2016 11.55.31 - ftptest (192.168.1.36)> 226 Sucessfully transferred ""
Why am I not able to complete those operations with the FileZilla client?
The server log says:
(000007)18/01/2016 12.00.40 - (not logged in) (192.168.1.36)> Connected, sending welcome message...
(000007)18/01/2016 12.00.40 - (not logged in) (192.168.1.36)> 220 FileZilla Server version 0.9.42 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.
(000007)18/01/2016 12.00.40 - (not logged in) (192.168.1.36)> USER ftptest
(000007)18/01/2016 12.00.40 - (not logged in) (192.168.1.36)> 331 Password required for ftptest
(000007)18/01/2016 12.00.40 - (not logged in) (192.168.1.36)> PASS *********
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> 230 Logged on
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> PWD
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> 257 "/" is current directory.
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> TYPE I
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> 200 Type set to I
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> PASV
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> 227 Entering Passive Mode (192,168,226,28,4,119)
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> MLSD
(000007)18/01/2016 12.00.50 - ftptest (192.168.1.36)> 425 Can't open data connection for transfer of ""
-
The FTP Client Proxy Package does nothing for local servers.
Active mode FTP (which is the method the Windows command prompt FTP uses) needs no proxy.
Passive mode FTP (which FileZilla defaults to) also doesn't need a proxy, provided the server is properly configured. Start a new thread and ask for help configuring a local FTP server for passive FTP and someone can assist you in crafting the rules and using the proper configuration for your FTP server to support it.
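The address checks behind the "header IP different from command IP" and "unroutable address" messages in this thread, as an added example (not part of the original posts or of the package): it decodes the PORT and 227 tuples from the FileZilla Server log lines above and compares them with the control-channel addresses. The `dialed_ip` parameter and the `203.0.113.10` placeholder are assumptions; the thread does not state which address the client dialed.

```python
import ipaddress
import re

# Lines copied from the FileZilla Server logs quoted in the thread.
SAMPLE_LOG = """\
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> PORT 192,168,1,36,207,4
(000005)18/01/2016 11.52.47 - ftptest (192.168.1.36)> 200 Port command successful
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> PASV
(000007)18/01/2016 12.00.40 - ftptest (192.168.1.36)> 227 Entering Passive Mode (192,168,226,28,4,119)
"""

LINE = re.compile(r"^\(\d+\).*?\((?P<peer>[\d.]+)\)> (?P<msg>.*)$")
TUPLE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def decode_hostport(msg):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or 227 reply."""
    m = TUPLE.search(msg)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def audit(log, dialed_ip):
    """Compare each advertised data address with the control-channel address.
    dialed_ip is an assumption of this example: the address clients use to
    reach the server (for a 1:1 NAT, the external address)."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        decoded = decode_hostport(m["msg"]) if m else None
        if decoded is None:
            continue
        if m["msg"].startswith("PORT "):
            # Client-advertised address should equal the peer the server sees.
            kind, expected = "PORT", ipaddress.IPv4Address(m["peer"])
        elif m["msg"].startswith("227 "):
            # Server-advertised address should equal the one clients dial.
            kind, expected = "227", ipaddress.IPv4Address(dialed_ip)
        else:
            continue
        ip, port = decoded
        findings.append({"kind": kind, "advertised": str(ip), "port": port,
                         "private": ip.is_private, "mismatch": ip != expected})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "203.0.113.10"):  # placeholder address
        print(finding)
```

On the two sessions in the log, the PORT tuple matches the client address, while the 227 tuple advertises 192.168.226.28, port 1143.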
-
Jimp,
Please could you tell me how to add the ftp-proxy package to pfSense? Thank you so much.
-
It's a package, so it installs like any other package from System > Packages.
-
Hello,
In the field "Proxy Bypass: Source" I can "Enter an IP address or alias for source client host(s) which should bypass the proxy." to exclude clients from the proxy, right?
I have to use a vice versa scenario. That means only certain computers or users are allowed to use FTP; all others (more than 600) are not allowed. Since the user defined rules seem to be behind the ftp-proxy rules (which are dynamic?), it's not possible to set the needed FTP restrictions in the user defined rules.
How can I solve this problem?
Best regards Werner
-
If the other users should not be able to reach FTP servers, make sure "Early firewall rule" is unchecked in the FTP Proxy options and then put in a block rule to prevent them from reaching FTP at all.
pass tcp from <people allowed to reach ftp> to any port 21
block tcp from any to any port 21
If they should be allowed to reach other FTP servers just not using the proxy, there is not currently a way to accommodate that in the package at this time.
-
I installed this into pfSense because we just made the switch over from an Apple router to a Soekris box with pfSense installed. FTP wasn't working at all. I tried making multiple firewall rules, and installing this package has completely fixed any issue we had with FTP. Thanks for the product!
-
I'm probably making some simple mistake, but ftp client proxy package isn't working for me. My pfsense firewall has a static IPv4 WAN address. The LAN address is a typical RFC1918 address. The squid package is working fine with the clients explicitly specifying the proxy in their browser configuration. I'm not using transparent proxy because this pfsense firewall isn't my default route. pfSense version 2.3.1-RELEASE-p1. I've tried with filezilla and a couple other ftp clients, but haven't found a working combination of settings yet. I'm configuring the ftp client to connect to the LAN address of pfsense on port 21, with Passive mode, using the USER@HOST type of proxy. I've also tried Active mode, and port 8021 and many other variations. Usually my ftp client software shows that it's connected to the LAN address of pfSense, and then just times out waiting for the Welcome message.
What mistake am I making?
-
The FTP client does not connect to pfSense on port 21. It connects to the actual FTP server directly and the proxy intercepts.
Though if you have a proxy like squid explicitly configured in the client, it may be using that for FTP, depending on your proxy settings.
-
Thanks for the quick reply. Our previous ftp proxy required us to configure the ftp client software to talk to the proxy, which would then pass the communications out to the ftp server and return the responses to the ftp client.
If I'm understanding your answer, the FTP Client Proxy Package for pfSense only works in transparent mode, intercepting ftp communications and facilitating them in some way. I'm afraid that we can't restructure our entire network to make all traffic flow through this single firewall, so this isn't a solution for me.
Thanks anyway.
-
Thanks for this package.
We are in a multi-wan configuration, with a special failover configuration. Some specific outbound connections use WAN1 as gateway and the rest use WAN2.
In our case, instead of 'Proxy Bypass' addresses, we would need it the other way round: use it for specific outbound connections (all using WAN1), and bypass the rest.
As it is now, when we activate this package, all problematic connections going through WAN1 work (great!), but then all FTP connections using WAN2 stop working… we cannot set all FTP through WAN1. Is there any way to get this?
Thanks a lot for your help.
Regards from Barcelona,
Jordi.
-
No, there is no way to accommodate policy routing or use any WAN but the default gateway, the ftp-proxy daemon is not capable of it.
-
No, there is no way to accommodate policy routing or use any WAN but the default gateway, the ftp-proxy daemon is not capable of it.
Thanks for your fast response. I get it.
Anyway, in our case an option just the opposite of 'Proxy Bypass: Destination' (something like 'Proxy Use: Destination' - and bypass all other IPs) would do it. I drop it here just in case you are looking for new features to add in the next release ;)
Thanks again.
Regards from Barcelona,
Jordi.