    Ftp server

snoopy100

      Hello All,

      Does anyone know if the latest pfSense will support running an ftp server behind the firewall?  By this I mean using NAT and forwarding port 21 to the ftp server.

      I had this running, updated pfSense to 2.2.3, ftp clients could connect, but no transfer worked. I couldn't get it to work.

      Finally I went back to an older version of pfSense.

      So, does anyone have this working? On the latest?

doktornotor

        https://doc.pfsense.org/index.php/FTP_without_a_Proxy

KOM

          I've been running a port-forwarded FTP server since 2.1.5.  Currently on 2.2.2.  Server works just fine.

snoopy100

            I've been running a port-forwarded FTP server since 2.1.5.  Currently on 2.2.2.  Server works just fine.

            KOM,

            And you didn't have to do anything weird? Open other port ranges? Whatever?
            All you do is forward port 21 to your server behind the firewall?

Gertjan

Before 2.2.2, you were using what version?
Did you read and apply what was mentioned here: https://forum.pfsense.org/index.php?topic=97291.msg541876#msg541876 ?

              No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

johnpoz

Are the clients connecting via active or passive FTP? You need to understand the difference between the 2 when running behind NAT and a firewall, especially if there is no helper/proxy to do the work for you.

It becomes more difficult when the client is also behind NAT and has issues with active or passive that limit what they can do.

                This is a great write up on active and passive
                http://slacksite.com/other/ftp.html

Your best option is to move to SFTP, which only uses 1 port and is secure, vs the very antiquated, on-its-last-legs protocol that is FTP.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

KOM

                  All you do is forward port 21 to your server behind the firewall?

                  No, it's more complicated than that.  FTP uses more than just port 21/tcp.  If you're running in passive mode then you need to open up a lot more ports, depending on how busy your server is.  In my case, I have ports 20, 21, 30000-30100 forwarded.  My FTP passive config is set to use 30000-30100.

johnpoz

What is the point of forwarding 20, KOM? In no scenario would there be traffic TO 20 from outside your network to your server.

Yes, your server might talk outbound from source port 20, but there is no scenario where 20 would need to be inbound to your server as a destination port.

KOM

                      Port 20/tcp is the ftp data port (as I'm sure you're well aware), and when I was having this same type of issue a year ago as Snoopy is having, I opened it up during my troubleshooting.  I had assumed that uploads from the client to the server would require an unsolicited 20/tcp connection.  Once I got it all working, I didn't go back and play with it any further and break things.

doktornotor

Let's try again: http://slacksite.com/other/ftp.html

johnpoz

Yeah, as you can see from dok's screenshot showing the pretty diagrams they have at the link I provided, 20 is only ever used as a source port from the server to the client in active mode.

Client: hey server, connect to me on port xyz.. This will be sourced from 20 on the server.. So you could set up your firewall rules to allow your FTP server to go where it might want to go from 20.

I love this link as a reference because it is such a great write-up, and it just amazes me how many people run and use FTP and don't really understand when and how connections are made, active vs passive, etc.

It has become a very handy link for the forums here since they pulled out the helper/proxy - you have to create the rules old school.. You can't just forward 21 to your server and have it work both active and passive ;)

If you don't mind me asking, KOM - why do you still have FTP?? It really should be killed off, with fire if you have to. It's a horrific protocol to manage when it comes to NAT and firewalling, compared to simple SFTP using 1 port.

They tried to fix the security issues with FTPS, but now you just put the ports in an encrypted tunnel that the firewall cannot see - so helpers are useless. And so many broken clients/servers behind NAT send their private IP for the data connection.. If it would just die it would be a good thing ;)


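An added example (not code from the thread, from pfSense, or from any of the posters) that checks the two failure modes johnpoz and KOM describe above: it decodes the address tuple in a server's 227 PASV reply and in a client's PORT command and reports when a transfer cannot work through a plain port forward, i.e. the advertised data port is outside the forwarded passive range (KOM's 30000-30100) or a host behind NAT advertises its private address. The public IP 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
import re

# Setup from the thread: port 21 forwarded plus passive data range 30000-30100
# (KOM's numbers). The public IP is a constructed placeholder.
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
PASV_RANGE = (30000, 30100)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 959 h1,h2,h3,h4,p1,p2 tuple, used by both "227 ... (...)" replies and PORT commands
HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip_address, port); None if absent."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def check_pasv_reply(reply, public_ip=PUBLIC_IP, pasv_range=PASV_RANGE):
    """Passive mode: the client connects inbound to the advertised address:port,
    so it must be the public IP and inside the forwarded range. Returns problems."""
    parsed = parse_hostport(reply)
    if not reply.startswith("227") or parsed is None:
        return ["not a 227 PASV reply"]
    addr, port = parsed
    problems = []
    if is_rfc1918(addr):
        problems.append(f"server advertised private address {addr}")
    elif addr != public_ip:
        problems.append(f"advertised {addr} is not the public IP {public_ip}")
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside forwarded range {lo}-{hi}")
    return problems

def check_port_command(cmd):
    """Active mode: the server connects outbound from port 20 to the address in
    PORT, so no inbound forward of 20 is needed; a NATed client's private address fails."""
    parsed = parse_hostport(cmd)
    if not cmd.startswith("PORT") or parsed is None:
        return ["not a PORT command"]
    addr, port = parsed
    if is_rfc1918(addr):
        return [f"client advertised private address {addr}:{port}"]
    return []
```

Feeding it the 227 replies from a server's log (or a packet capture of the control channel) shows whether the passive range in the FTP server's config actually matches the firewall's forward.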
KOM

                            OK, it's fixed.  ARE YOU HAPPY NOW GUYS???  ;D

                            and just amazes me how many people run and use ftp and don't really understand

it's pretty simple: the average IT person is expected to be an expert on everything these days, which is impossible. I fully admit I'm a jack of all IT trades and master of none. I know enough to (usually) get by, but I must admit that my working knowledge of the exact sequence of FTP handshakes is sorely lacking…

johnpoz

                              I hear you - I am a jack of all trades IT guy myself.  This is mostly because I am interested in all of it :)  And also previous job required you have hands in all the cookie jars to keep the enterprise up, etc.

But I like to think of myself as master of all!! While if you never ran into an issue with FTP I can see how you might never have had a need to dive in. But all it should take is one problem with FTP to dive in and get the details of how it works.

                              From a security standpoint of bringing up a server that would be open to the public as well - I would think you want to know, etc.

No real biggy, I was more just curious as to why you are even still running it. I pointed it out not as a jab at you or anything - but for the next guy.. That is how FUD gets to become so common: oh, this great guy on a tech forum said he forwarded 20, so it must be required, etc. etc.

KOM

                                I barely have 15 minutes to myself before my boss runs in with his latest whim so having time to really focus on something is hard where I am.

                                And no, I have no problems being corrected.  If I did, I wouldn't last long in these forums.  Nobody likes being wrong, but I try to keep my ego in check.  Please correct me each and every time I say something dumb.  I'm a big boy, I can take it, and I don't like misinformation either.

snoopy100

                                  Guys,

                                  Thanks for all the info. I am (at the moment) running 2.1.4.

                                  To get the ftp server working I set up a NAT port forward, port 21 to our ftp server behind the firewall, works fine.

                                  Yes, I'm still using regular old ftp, we have a lot of machines out there using it, connecting to us,  and I don't have control over that part of things.

                                  I'm going to do some testing to see about getting it to work on the latest pfsense. The ftp server behind our firewall is a microsoft machine which I don't know too much about, but that may have to change.

                                  Thanks again, I'll report back.

johnpoz

                                    Well version 2.1.4 I believe still has the ftp helper/proxy so that would be why just a forward of 21 would work.

                                    "I'm a big boy, I can take it, and I don't like misinformation either."

And that should be everyone in IT's motto.. I feel the same way - we only get better when we learn something new, or get corrected if we take the wrong path and someone explains why it's the wrong path, etc..

This is part of the reason I like dok's posts so much - direct and to the point, no pulling of any punches. This is the fastest way to disseminate information if you ask me. I don't need or want all the flowery speech.. If I have something wrong then say so - if I suggest something stupid, then say so.. etc.. etc..

People quite often have over-inflated egos and the sensitivity of a schoolgirl on her period, just after her bff slept with her bf ;)

                                    case in point
                                    https://forum.pfsense.org/index.php?topic=97145.msg541903#msg541903

                                    You would think I slapped his mother or called his gf a fat whore ;)

snoopy100

                                      @johnpoz:

                                      Well version 2.1.4 I believe still has the ftp helper/proxy so that would be why just a forward of 21 would work.

                                      Yes, that's what I think too, which is why I went back to it.

                                      But KOM says he's running 2.2.2, just port forwarding and it works. So I'm going to do a little testing on that, make sure I can get it to work.

                                      Snoopy

Guest

                                        @snoopy100
Did you get it solved and up?

firewalluser

                                          @KOM:

                                          OK, it's fixed.  ARE YOU HAPPY NOW GUYS???  ;D

                                          and just amazes me how many people run and use ftp and don't really understand

                                          it's pretty simple: the average IT person is expected to be an expert on everything these days, which is impossible.  I fully admit I'm a jack of all IT trades and master of none.  I know enough to (usually) get by, but I must admit that my working knowledge of the exact sequence of FTP handshakes in sorely lacking…

Ultimately it boils down to what the programmers decided when writing what looks like an FTP server; the ones I've written even just work on port 21, as there was no need to support more than one connection at a time, in a scheduled time-slot fashion.

You don't always have to conform to industry standards if the customer requirements are different to others'.

The avg IT support person can up their game by learning to program, as it's the programmers who ultimately write the manuals the support people follow, so having a good overview of how everything works and then coding for them can be quite illuminating.

                                          Alpha/Beta testing can be useful for understanding the skill of other programmers, seeing the bugs and how quickly things get fixed to understand strengths/weaknesses of said programmers.

Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

                                          Asch Conformity, mainly the blind leading the blind.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.