FTP Clients behind pfsense 2.2
I realize this dead horse has been beat in many other posts and I think I have read them all, but I would like some help with my situation.
Over the weekend we upgraded from 2.1.x to 2.2.2 and I found out that some automated processes that send data out to the internet via passive FTP are failing. As much as I would like to, I do not have the option to stop using FTP. Luckily there are only two public hosts that I need to focus on right now.
A little about my environment. We have two ISP connections in a Gateway Group. One is Tier 1 and the other is Tier 2. We have removed the default "allow all" rules on the LAN int and have only rules for specific outgoing traffic that specify the route group as the gateway.
I have an allow rule on the LAN interface for TCP port 21 that worked in 2.1, meaning clients inside were able to access FTP servers on the public side using a passive connection.
After the upgrade I have tried adding rules that allow all TCP ports from LAN->WAN to the specific hosts I'm trying to connect to, but my clients are still failing when trying to open a data connection.
I do not see any entries for the blocked packets in Status->System Logs->Firewall, but when I do a packet capture filtering by the destination host I can see the packets.
Here is the output from FileZilla:

Status: Connecting to remote_ip:21...
Status: Connection established, waiting for welcome message...
Response: 220 Serv-U FTP Server v15.0 ready...
Command: USER ******
Response: 331 User name okay, need password.
Command: PASS *******
Response: 230 User logged in, proceed.
Command: CLNT FileZilla
Response: 200 Noted.
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 is set to ON.
Command: OPTS MLST type;size;modify;perm;
Response: 200 MLST OPTS Type;Size;Modify;Perm;
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT ##,###,#,###,68,61
Response: 200 PORT command successful.
Command: MLSD
Response: 150 Opening BINARY mode data connection for MLSD.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

Am I correct in my understanding that the ftp-proxy package is only effective for active FTP sessions? If not, do I need to do anything other than installing the package to get it to pick up passive FTP sessions?
Does anyone have Passive FTP working in a multi-wan environment without the default allow all rules on the LAN? Can you give me some tips on how you got it to work?
Also, I think it is interesting that this change was not mentioned in the "New Features & Changes" pages:
https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes
and
https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes
I can only find it here: https://doc.pfsense.org/index.php/FTP_without_a_Proxy
Thank you for your time
Rob -
There is no passive mode being used, nowhere in that log. Active mode client needs the proxy. Read the article you already linked.
-
@doktornotor, your post is not helpful. I have read the article many times, along with any other forum posts I could find on this subject, before I posted. I think it would be more productive to ask questions about details I might have left out, or to elaborate on the configuration of my installation if there is any doubt.
You are correct, there is no passive mode being used anywhere in my log. I was making a lot of changes during my testing and must have captured the log while the profile was set to active. I can post a log where a passive session is failing, but at this point we already know that passive FTP will not work without the default 'allow all IPv4' rules on the LAN, as defined in the article you so eloquently asked me to reread.
Passive mode on the client will require access to random/high ports outbound, which could run afoul of a strict outbound ruleset.
Active mode FTP through NAT will not function as that relies on a proxy or similar mechanism. Use Passive mode instead. Another option is the recently added FTP Client Proxy package which leverages ftp-proxy in FreeBSD to allow clients on local interfaces to reach remote FTP servers with active FTP.
In that case, since the ftp-proxy package is installed in its default configuration, associated with the LAN interface, why is it not proxying this connection? What rules do I need to allow the ftp-proxy to see this traffic? Do I need to set up a NAT from 21 to 8021 so the service sees the traffic?
What other information can I provide?
Thank you
Rob -
we already know that passive FTP will not work without the default 'allow all IPv4' rules on the LAN
When you are shooting yourself in the foot with outgoing LAN traffic restrictions, you are on your own. (Also, nowhere mentioned in the OP. Also, posting a completely misleading log is not helpful.)
What rules do I need to allow the ftp-proxy to see this traffic? Do I need to setup a NAT from 21 to 8021 so the service sees the traffic?
None. Passive FTP client works just fine out of the box until you start "fixing" your default LAN rules. Active FTP client works just fine with the proxy, yet again, until you start "improving" your LAN rules for outbound traffic.
P.S. The proxy obviously does NOT work for encrypted FTP (SSL/TLS).
-
…
Does anyone have Passive FTP working [in a multi-wan environment] without the default allow all rules on the LAN? Can you give me some tips on how you got it to work?
…Specified PASS
Proto     Source   Port  Destination  Port          Gateway  Queue
IPv4 TCP  LAN net  *     *            21            *        none
IPv4 TCP  LAN net  *     *            1024 - 65535  *        none / logged
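The two points the thread turns on are (a) whether a client log shows active or passive mode, which is readable straight from the control channel (a PORT/EPRT command means active, a 227/229 reply means passive), and (b) whether a restricted outbound LAN ruleset, such as the two-rule set above, permits the passive data connection. The following script is an added example and not code from the original thread or from pfSense; it parses constructed FileZilla-style log lines (the IP addresses, the 192,168,1,50,68,61 PORT tuple and the 227 reply are invented sample data), decodes the h1,h2,h3,h4,p1,p2 host-port tuple, and evaluates the negotiated data connection against a ruleset expressed as allowed destination port ranges. It generalizes slightly beyond the thread by also recognising the extended EPRT/EPSV forms.

```python
import re

# Constructed sample: a FileZilla-style control-channel log modelled on the
# one posted in the thread, with invented addresses.  PORT means active mode.
ACTIVE_LOG = """\
Status: Connecting to 203.0.113.10:21...
Response: 220 Serv-U FTP Server v15.0 ready...
Command: USER ******
Response: 331 User name okay, need password.
Command: PASS ******
Response: 230 User logged in, proceed.
Command: TYPE I
Response: 200 Type set to I.
Command: PORT 192,168,1,50,68,61
Response: 200 PORT command successful.
Command: MLSD
Response: 150 Opening BINARY mode data connection for MLSD.
Error: Connection timed out after 20 seconds of inactivity
"""

# Constructed sample of the same listing negotiated in passive mode.
PASSIVE_LOG = """\
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,195,80).
Command: MLSD
Response: 150 Opening BINARY mode data connection for MLSD.
"""


def decode_hostport(fields):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    nums = [int(n) for n in fields.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host-port tuple: %r" % fields)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def classify_session(log_text):
    """Return the data-connection mode negotiated in an FTP client log.

    Active (PORT/EPRT): the client announced its own listening socket and the
    server connects back to it.  Passive (227/229 reply): the server announced
    a socket and the client connects out to it.
    """
    for line in log_text.splitlines():
        m = re.match(r"Command:\s+PORT\s+(\S+)", line)
        if m:
            ip, port = decode_hostport(m.group(1))
            return {"mode": "active", "endpoint": (ip, port), "opened_by": "server"}
        m = re.match(r"Command:\s+EPRT\s+\|\d\|([^|]+)\|(\d+)\|", line)
        if m:
            return {"mode": "active", "endpoint": (m.group(1), int(m.group(2))),
                    "opened_by": "server"}
        m = re.match(r"Response:\s+227\b.*?\((\d+(?:,\d+){5})\)", line)
        if m:
            ip, port = decode_hostport(m.group(1))
            return {"mode": "passive", "endpoint": (ip, port), "opened_by": "client"}
        m = re.match(r"Response:\s+229\b.*?\(\|\|\|(\d+)\|\)", line)
        if m:
            # EPSV reply carries only the port; the address is the server's.
            return {"mode": "passive", "endpoint": (None, int(m.group(1))),
                    "opened_by": "client"}
    return {"mode": None, "endpoint": None, "opened_by": None}


# Outbound LAN rule sets as allowed destination TCP port ranges, the same
# shape as the two-rule set shown in the thread.
STRICT_LAN_RULES = [(21, 21)]                  # control channel only
PASSIVE_LAN_RULES = [(21, 21), (1024, 65535)]  # control channel + passive data ports


def data_connection_verdict(session, outbound_rules):
    """Return (allowed, reason) for the data connection under the given LAN rules."""
    if session["mode"] == "active":
        return (False, "active mode: the server must connect back to the client "
                       "through NAT; outbound LAN rules do not apply and a proxy "
                       "such as ftp-proxy is required")
    if session["mode"] == "passive":
        port = session["endpoint"][1]
        if any(lo <= port <= hi for lo, hi in outbound_rules):
            return (True, "passive mode: outbound to port %d is permitted" % port)
        return (False, "passive mode: outbound to port %d is blocked by the LAN "
                       "ruleset" % port)
    return (False, "no data connection negotiated in this log")


if __name__ == "__main__":
    for name, log in (("active", ACTIVE_LOG), ("passive", PASSIVE_LOG)):
        session = classify_session(log)
        for label, rules in (("strict", STRICT_LAN_RULES), ("passive-ready", PASSIVE_LAN_RULES)):
            print(name, session["endpoint"], label, data_connection_verdict(session, rules))
```

Run it as-is and the active sample is reported as blocked under both rulesets (the outbound rules never see a server-initiated connection), while the passive sample is blocked under the control-only ruleset and permitted once the 1024-65535 range is allowed, which is exactly the difference between the two rule rows above.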