PfSense 2.2.3 and FTP Client Proxy Package 0.2



  • Hi

    I guess there is a ton of posts on this already. But I can't figure it out.

    I have a problem with our pfSense 2.2.3 installation. I installed the FTP Client Proxy package and tried to connect to an FTP server outside the LAN. Internet connection in general is working fine.

    The package is enabled for the LAN interfave. What else do I need to configure? The connection is not beeing established from our FTP client.

    Is there any instruction on how to configure the Proxy?

    Thanks a lot for your help

    szst


  • Banned



  • Unfortunately it did not do the trick for me. I read the whole thing and configured it as described in the posts by the guys that solved the problem but on my end it did not work at all.

    I have a single WAN single LAN Setup. With an FTP Server outside of my network.

    Enabled the Proxy FTP Proxy Service
    Choose the LAN interface
    The Log is active
    and left everything empty as described in the sticky post.

    I also tried the settings with the port binding and the WAN IP in the configuration of the FTP Client Proxy.

    In the system logs I can only see thet the fpt-proxy is listening.

    any other suggestions?


  • Banned

    Let me restate this for the zillionth time: The package is ONLY useful for FTP CLIENTS behind pfSense using ACTIVE FTP with IPv4. For nothing else. Now, provide some logs from your FTP client about what does not work.



  • ACTIVE FTP only? sure?

    "It should also help those with a strict LAN ruleset and passive outbound clients." (jimp)
    https://forum.pfsense.org/index.php?topic=89841.msg497299#msg497299

    my ftp-proxy works with passive FTP clients too… NOW (i have a strict LAN ruleset)
    But it took me some time to get it work and i don't know if i found the problem.
    I use pfSense 2.2.3 64 bit - and after i changed my network card for LAN from Marvell Yukon Ultra OnBoard (msk0) to another, non-Marvell Interface (vr0), it worked.
    Changing back LAN to msk0 - no ftp.
    Changing LAN again to vr0 - ftp works.
    So are there still people having problems with ftp-proxy? Which type of network card do you use?


  • Banned

    Sure; when you shoot yourself in foot first with blocking 1024+ ports…. No proxy has ever been needed for passive FTP.



  • Then my ftp-proxy is broken - it works, but it shouldn't…  ;)

    Yes it isn't needed without strict ruleset - but i have one.

    So you didn't block +1024 ports. Thats default, not blocking anything going outside. That will work very well on some networks, most private ones.

    At some places of action I - or the customer - want restrict using (inter)net - f.e. restricted access between locations, no Gaming, no RDP, no TS, no..... for reasons like security (yes, FTP and security, dict.cc translate it to "fit occasion"), bandwidth using, ppl should work not play etc

    So what should I do then?


  • Banned

    Look. You already have shitty protocol to deal with. Allow the required passive ports range as used on the server and move on. This is absolutely required with encrypted FTP anyway – which is pretty much the only FTP variant you should ever use. Sending credentials in cleartext has zero security. Also, there you need no proxy, because it just does not work at all since it cannot see the encrypted traffic.



  • yeah ftp its crap. oldschool. out. unsecure. I know that - but i have to deal with the situations.

    there are still webhoster where u can reach the website ONLY by ftp.
    and there are customers that use their crappy old website building program that only understand ftp to transfer the new sites.
    i don't know the passive port range from every webhoster.

    but that isn't the point here  ;)

    either the doktor scared szst away or he found a solution or whatever… so everybody is happy with ftp-proxy?


  • Banned

    So allow any port to the webhoster's FTP server only, if they insist on restricting other traffic. If they send their credentials like this, they'll just have the website defaced sooner or later.


Log in to reply