FTP_without_a_Proxy



  • Hi,

    I understand the FAQ https://doc.pfsense.org/index.php/FTP_without_a_Proxy.

    But I am disappointed!
    pfSense makes the choice for me and kills FTP.

    I have many embedded devices that must use FTP.
    The solution given in the FAQ doesn't work with all clients, because of the different uses of the PORT and PASV commands.
    I can't modify the embedded devices (too old).

    Do you have a plan to change this point or not?

    Does somebody have the same request as me?

    As a last solution, I need to put an external server only for FTP … bad  ???

    Regards, Philippe.



  • Hi.

    Please read what Jimp said about "FTP proxy" here https://blog.pfsense.org/

    Have a look at the available package lists: you will find an "FTP Client Proxy".

    [ I guess you should have 2.2.1 ]



  • I solved my FTP issues with VPN.  Assuming you can use a VPN that works well.



  • @Gertjan:

    Please read what Jimp said about "FTP proxy" here https://blog.pfsense.org/
    Have a look at the available package lists: you will find an "FTP Client Proxy".

    Many thanks !
    Good news.

    I searched the package list many times but did not find it … my head is probably not awake  ???


  • LAYER 8 Global Moderator

    Yeah, it's really hard to find.. in the alphabetical list of packages..

    So you're saying you have devices that do FTP as a client and only in active mode?  Those are pretty shitty clients - why don't you complain to the maker of such a device about using such an antiquated file transfer method.  Why is SSH not an option on these devices?




  • @johnpoz:

    So you're saying you have devices that do FTP as a client and only in active mode?  Those are pretty shitty clients - why don't you complain to the maker of such a device about using such an antiquated file transfer method.  Why is SSH not an option on these devices?

    Nice input, friend.

    Many of us still have to operate devices 10+ years old, and replacing them is often not possible because they are part of the workflow. Replacing them would require replacement of the entire workflow, and all the technology behind it. You wouldn't do that, would you, just because a firewall decided not to support FTP anymore.



  • Would it be possible for you to install a VPN on pfSense (assuming you are using pfSense as your firewall) that ONLY tunnels FTP traffic to ONLY the one pfSense IP you are having trouble with?

    I'm trying to be nice and patient but to be honest if you can't tunnel that traffic, the problem is the admin, not the hardware.

    I'm not a pfSense super guru and this is easy for me.  If the info going across that FTP is important at all, I'd VPN it anyway - just because it's more secure.


  • LAYER 8 Global Moderator

    I would have replaced the workflow YEARS ago if it was up to me.. FTP has been deprecated and DEAD for YEARS! and YEARS.. It is NOT secure and a PITA to work behind NAT..  It was fine 20 years ago when everyone had a public IP, etc.. FTPS or FTP-ES or FTP-SSL, whatever you want to call it, has been around for 20 years (1996 was when the first RFC was published).. It's been 10 years since that was a final RFC..  That breaks the use of a proxy or helper, since the control channel is encrypted and the helper/proxy cannot see what ports to open or what IPs to change to the public ones, etc..

    FTP should have been gone 10+ years ago at least..  If you are still using it, that is on YOU and nobody but YOU!  Sorry, but that is my opinion on the subject..


  • Banned

    +1. The equipment was exactly as broken regarding firewalls 10+ years ago. Active FTP not working across NAT is really nothing new. Plus sending credentials in plaintext also absolutely "rocks".



  • johnpoz - I can understand if he is just the IT guy and maybe the boss is a network dummy who won't let him unilaterally restructure everything.  I agree that FTP is pretty much my last choice for how to push files around.  I tend to use SFTP myself.  I like that I can do massive parallel transfers and max out the available network resources.  Makes quick work of things.

    But I also have people on my side who are either unwilling or unable to part with FTP - so, I put them all on VPN to solve the issue and haven't heard a complaint since.

    (yeah - sending credentials in plain text is the bomb - wonder how many of those usernames/passwords unlock other more important doors also?)


  • LAYER 8 Global Moderator

    I agree he might only be the IT guy without management control, etc. etc.  But this should have been on his list of things to change 10 years ago.  And every time there is a meeting with management: hey, we need to change this, it's not secure and antiquated and deprecated, etc.

    Anyone in IT has to deal with non-technical people at upper levels..  But you need to make them aware of the security concerns, etc.  How it's a PITA to make work, etc.

    While I can feel their pain having to deal with such stuff, it's not like there hasn't been time to get away from it.  I say good riddance to it..  Users normally never understand it anyway, and if they can't just click a link in their browser it's beyond their comprehension for the most part ;)

    Instead of looking for another way to keep it alive, he should take the opportunity to tell the guys that manage the money: see, I've been telling you for years this FTP thing was broken.  Now it is!!  Let's do something more secure!



  • I can agree with killing off insecure crap.  If it weren't for stuff like this, hacking would be a lot less profitable.

