FTP: What's the difference between pftpx and ftpsesame and when are they used?



  • Hi all,

    Why are there two types of FTP helpers? I have a cluster on which I can see pftpx and ftpsesame running. What makes pfSense choose which FTP helper has to be started? (I do not have any bridged interface.)
    Thx



  • Do you have a routed interface (without nat)? ftpsesame is used for bridged and routed interfaces iirc.



  • I have just spotted how it works by reading the code. If it doesn't find a NAT rule for the subnet on the interface, it runs ftpsesame instead of pftpx.
    I was wondering why my active FTP connection wasn't working… it's because my LAN interface isn't in my LAN subnet but in a small /29 used for transport between the corporate network concentrator (which is the central and unique router for many RFC 1918 networks) and the firewall cluster. Because it is only used for transport, I had no outgoing NAT rule, thus pfSense didn't start pftpx. I've just added a dumb NAT rule in order to make pftpx start.

    Good thing to know in such a configuration.
    Hope this will help other people.



  • I made this a sticky.  Can you change the subject to something a bit more descriptive for future folks?  :)



  • @sullrich:

    I made this a sticky.  Can you change the subject to something a bit more descriptive for future folks?  :)

    Done



  • While we are talking about the FTP helper, I want to share another trick.

    When you have a WAN using a private subnet and a DMZ using a public subnet, you will certainly have an advanced outbound NAT rule that will NAT outgoing packets sourced from LAN with an IP address from the DMZ public subnet, thus making the packets routable through the Internet. Right, but what about FTP and active FTP? FTP helpers won't work because they will use your WAN IP address, which is unreachable, inside the FTP protocol (e.g. the PORT command).

    To solve this:

    Edit the /etc/inc/config.inc file and go to line 1670 (in the 1.2 release), which should look like this:

    mwexec("/usr/local/sbin/pftpx {$shaper_queue}-c {$port} -g 8021 {$ip}");

    Comment out this line and add this one:

    mwexec("/usr/local/sbin/pftpx {$shaper_queue}-c {$port} -g 8021 -p [PUBLICIPHERE]");

    Should work fine.

    I have 10+ boxes running like this since pfsense uses pftpx.
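
An added example (not part of the posts above, and not pfSense or pftpx code): the last post's problem is that the address written inside the FTP `PORT` command is a private WAN address the remote server cannot connect back to. The Python sketch below decodes a `PORT` line, as you might read it from a capture on the WAN side, flags an RFC 1918 address, and shows the line as it would need to look with a public address; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: an address from these inside PORT cannot be reached
# by a server on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, tcp_port)."""
    verb, _, arg = line.strip().partition(" ")
    fields = [f.strip() for f in arg.split(",")]
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError("not a well-formed PORT command: %r" % line)
    if not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("PORT fields must be 0-255: %r" % line)
    nums = [int(f) for f in fields]
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is sent as two bytes: high byte, then low byte.
    return ip, nums[4] * 256 + nums[5]


def build_port(ip, port):
    """Encode an address and port back into a PORT command."""
    return "PORT %s,%d,%d" % (str(ip).replace(".", ","), port >> 8, port & 0xFF)


def is_unreachable(ip):
    """True when the address is in an RFC 1918 private range."""
    return any(ip in net for net in RFC1918)


def audit(line, advertise_ip):
    """Return (reachable, line_to_send) for a PORT seen leaving the firewall."""
    ip, port = parse_port(line)
    if not is_unreachable(ip):
        return True, line.strip()
    # Same data port, but advertised on the public address instead.
    return False, build_port(ipaddress.IPv4Address(advertise_ip), port)


if __name__ == "__main__":
    # Constructed samples: 192.168.50.2 stands in for a private WAN address,
    # 203.0.113.10 (documentation range) for an address in the public DMZ subnet.
    for sample in ("PORT 192,168,50,2,195,80", "PORT 203,0,113,10,195,80"):
        print(sample, "->", audit(sample, "203.0.113.10"))
```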

