Netgate Discussion Forum

    FTP_without_a_Proxy

    Problems Installing or Upgrading pfSense Software
    12 Posts 6 Posters 1.5k Views
      GPh

      Hi,

      I understand the FAQ https://doc.pfsense.org/index.php/FTP_without_a_Proxy.

      But I am disappointed!
      pfSense makes the choice for me and kills FTP.

      I have many embedded devices that must use FTP.
      The solution given in the FAQ doesn't work with all clients, because of different uses of the PORT and PASV commands.
      I can't modify embedded devices (too old).

      Do you have a plan to change this point or not?

      Does somebody have the same request as me?

      As a last solution, I need to put an external server only for FTP … bad

      Regards, Philippe.

        Gertjan

        Hi.

        Please read what Jimp said about "FTP proxy" here https://blog.pfsense.org/

        Have a look at the available package lists : you will find a "FTP Client Proxy".

        [ I guess you should have 2.2.1 ]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          kejianshi

          I solved my FTP issues with VPN.  Assuming you can use a vpn that works well.

            GPh

            @Gertjan:

            Please read what Jimp said about "FTP proxy" here https://blog.pfsense.org/
            Have a look at the available package lists : you will find a "FTP Client Proxy".

            Many thanks !
            Good news.

            I searched for the package many times but did not find it … my head was probably not awake

              johnpoz LAYER 8 Global Moderator

              Yeah it's real hard to find.. In the alphabetical list of packages..

              So you're saying you have devices that do ftp as a client and only active mode?  Those are pretty shitty clients - why don't you complain to the maker of such a device about using such an antiquated file transfer method.  Why is ssh not an option on these devices?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                robi

                @johnpoz:

                So you're saying you have devices that do ftp as a client and only active mode?  Those are pretty shitty clients - why don't you complain to the maker of such a device about using such an antiquated file transfer method.  Why is ssh not an option on these devices?

                Nice input, friend.

                Many of us still have to operate devices 10+ years old, and replacing them is often not possible because they are part of the workflow. Replacing them would require replacement of the entire workflow, and all technology behind it. You wouldn't do that, would you, just because a firewall decided not to support FTP anymore.

                  kejianshi

                  Would it be possible for you to install a vpn on pfsense (assuming you are using pfsense as your firewall) that ONLY tunnels FTP traffic to ONLY the one pfsense IP you are having trouble with?

                  I'm trying to be nice and patient but to be honest if you can't tunnel that traffic, the problem is the admin, not the hardware.

                  I'm not a pfsense super guru and this is easy for me.  If the info going across that FTP is important at all, I'd vpn it anyway - just because it's more secure.

                    johnpoz LAYER 8 Global Moderator

                    I would have replaced the workflow YEARS ago if it was up to me.. FTP has been deprecated and DEAD for YEARS! and YEARS.. It is NOT secure and a PITA to work behind NAT..  It was fine 20 years ago when everyone was public IP, etc.. Ftps or ftp-es or ftp-ssl, whatever you want to call it, has been around for 20 years (1996 was when the first rfc was published).. Been 10 years since that was final rfc..  That breaks use of proxy or helper since the control channel is encrypted and helper/proxy cannot see what ports to open or what IPs to change to the public ones, etc..

                    FTP should have been gone 10+ years ago at least..  If you are still using it that is on YOU and nobody but YOU!  Sorry but that is my opinion on the subject..

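Added example (not part of any post in this thread, and not pfSense or FTP Client Proxy code): a sketch of what a NAT helper/proxy has to do with the PORT and PASV exchanges discussed above, and why it can do nothing once the control channel is encrypted. The function names, the sample addresses and the `tls_active` flag are assumptions made for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried by PORT (client -> server) and by the
# 227 reply to PASV (server -> client), per RFC 959.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227")):
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_for_nat(line, public_ip, public_port, tls_active=False):
    """Rewrite the announced endpoint the way a helper/proxy must.

    Returns (new_line, pinhole); pinhole is the internal (ip, port) the
    firewall has to forward the data connection to. tls_active models FTPS
    after AUTH TLS: the helper only sees ciphertext, so it can neither
    rewrite the address nor learn which port to open.
    """
    if tls_active:
        return line, None
    endpoint = parse_endpoint(line)
    if endpoint is None:
        return line, None
    host = public_ip.replace(".", ",")
    new_tuple = f"{host},{public_port // 256},{public_port % 256}"
    return _HOSTPORT.sub(new_tuple, line, count=1), endpoint


if __name__ == "__main__":
    # Constructed sample: an active-mode client behind NAT announces its
    # private address, which the remote server cannot connect back to.
    sample = "PORT 192,168,1,50,195,80"
    print(parse_endpoint(sample))
    print(rewrite_for_nat(sample, "203.0.113.7", 50000))
    print(rewrite_for_nat(sample, "203.0.113.7", 50000, tls_active=True))
```
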
                      doktornotor Banned

                      +1. The equipment was the exact same broken regarding firewalls those 10+ years ago. Active FTP not working across NATs is really nothing new. Plus sending credentials in plaintext also absolutely "rocks".

                        kejianshi

                        johnpoz - I can understand if he is just the IT guy and maybe the boss is a network dummy who won't let him unilaterally restructure everything.  I agree that FTP is pretty much my last choice of how to push files around.  I tend to use SFTP myself.  I like that I can do massive parallel transfers and max out available network resources.  Makes quick work of things.

                        But I also have people on my side that just are either unwilling or unable to depart with FTP - So, I put them all on VPN to solve the issue and haven't heard a complaint since.

                        (yeah - sending credentials in plain text is the bomb - wonder how many of those usernames/passwords unlock other more important doors also?)

                          johnpoz LAYER 8 Global Moderator

                          I agree that might only be the IT guy without management control, etc. etc.  But this should have been on his list of things to change 10 years ago.  And every time there is a meeting with management.  Hey we need to change this, it's not secure and antiquated and deprecated, etc.

                          Anyone in IT has to deal with non-technical people at upper levels..  But you need to make them aware of the security concerns, etc.  How it's a PITA to make work, etc.

                          While I can feel their pain having to deal with such stuff, it's not like there hasn't been time to get away from it.  I say good riddance to it..  Users normally never understand it anyway and if they can't just click a link in their browser it's beyond their comprehension for the most part ;)

                          Vs looking for another way to keep it alive he should take the opportunity to tell the guys that manage the money - see I've been telling you for years this ftp thing was broken.  Now it is!!  Let's do something more secure!

                            kejianshi

                            I can agree with killing off insecure crap.  If it weren't for stuff like this hacking would be a lot less profitable.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.