Netgate Discussion Forum

FTPS cannot get through

Forum category: NAT
9 Posts 2 Posters 9.1k Views

    jsun9 (May 7, 2008, 1:46 PM; last edited May 19, 2008, 9:57 PM)

    FTPS does not seem to get through when the FTP helper is enabled. I get as far as the USER command, then it stops.

    Status: Resolving IP-Address for mycomputer.gotdns.com
    Status: Connecting to MyIP:21…
    Status: Connection established, waiting for welcome message...
    Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
    Command: AUTH TLS
    Response: 234 Using authentication type TLS
    Status: Initializing TLS...
    Command: USER Administrator
    Error: Connection timed out
    Error: Could not connect to server

    If I add a rule to allow all ports & protocols for my IP and set the gateway as WAN, then I cannot use FTP at all (when the FTP proxy is enabled).

    Status: Resolving IP-Address for mycomputer.gotdns.com
    Status: Connecting to myip:21...
    Status: Connection established, waiting for welcome message...

    But, if I disable the ftp helper and leave the "Allow All" rule for me, then I can connect just fine. However, this breaks regular FTP for everyone else.

    Finally, if I simply allow just ports 21 & 20 through and disable the FTP proxy, then I get this:
    Status: Resolving IP-Address for MyServer
    Status: Connecting to MyServer:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
    Command: AUTH TLS
    Response: 234 Using authentication type TLS
    Status: Initializing TLS...
    Command: USER Administrator
    Status: Verifying certificate...
    Status: TLS/SSL connection established.
    Response: 331 Password required for Administrator
    Command: PASS **********
    Response: 230 Logged on
    Command: SYST
    Response: 215 UNIX emulated by FileZilla
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    Response: REST STREAM
    Response: SIZE
    Response: MLST type*;size*;modify*;
    Response: MLSD
    Response: AUTH SSL
    Response: AUTH TLS
    Response: UTF8
    Response: CLNT
    Response: MFMT
    Response: 211 End
    Command: PBSZ 0
    Response: 200 PBSZ=0
    Command: PROT P
    Response: 200 Protection level set to P
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Response: 227 Entering Passive Mode (MyServer,191,105)
    Command: LIST
    Response: 425 Can't open data connection.

    I am sure this has been asked a million times, but I did a search for "FTPS" and I got a list of crap like "ftpserver", etc. Is there a way to search and return literally "FTPS"?

      GruensFroeschli (last edited May 7, 2008, 2:20 PM)

      Use the search:

      http://devwiki.pfsense.org/FTPTroubleShooting

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        jsun9 (last edited May 7, 2008, 3:42 PM)

        I tried using search (as I mentioned) but how would I find that article? Typing just FTPS into the search box does not work well. What would you recommend using to search?

        Thanks for the article, I will post my results.

          GruensFroeschli (last edited May 7, 2008, 3:59 PM)

          Well, FTPS is not SFTP.
          So anything that applies to FTP should also apply to FTPS.

          If you just look at the communication, it shouldn't look different from a normal FTP connection.
          Just the data channel is encoded.

            jsun9 (last edited May 17, 2008, 5:03 PM)

            There are some serious issues with how pfSense handles FTP traffic (of all types). You're right in that FTP & FTPS should operate the same, but they don't. I can only get FTP & SFTP or just FTPS to work at any given time.

            I've tried just about everything.

            Can you confirm yourself that you've gotten FTP, FTPS (explicit) and SFTP to work all at the same time without using an "Allow All" rule (i.e. *  LAN_Subnet  *  *  *  WAN2)?

            Thanks

              jsun9 (last edited May 19, 2008, 4:40 PM)

              I know pfSense is nothing like ISA... but one thing ISA does have that might be nice for pfSense is secondary connections (or outbound port triggering?). That's how they get around this issue. You simply allow outbound ports 20 & 21, then once they're established, ISA allows whatever ports are specified (in most cases the whole range) as secondary connections to the same server.

              Whatever it is... the "Disable the userland FTP-Proxy application" option seems to have some issues.

                GruensFroeschli (last edited May 20, 2008, 3:35 PM)

                Well... Don't disable the FTP proxy.
                What you describe is exactly what the FTP proxy does.

                It just doesn't do it for SFTP, since it isn't listening on port 22.

                But I can confirm that normal FTP and FTPS work.

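The mechanism GruensFroeschli describes here, and that jsun9 asked for in the ISA "secondary connections" post above, is the helper reading the server's PASV reply off the control channel and opening the data port it names. The following is an added example, not code from this thread or from pfSense's ftp-proxy: a small Python model of such a helper, run over two constructed transcripts modelled on the FileZilla logs in the first post. The 203.0.113.10 address, the placeholder password and the passive port range are assumptions; the model shows only what the helper can and cannot see, it does not reproduce the proxy's own timeout behaviour.

```python
"""Toy model of an inspecting FTP helper sitting between a client and a passive-mode
FTP server.  Constructed example for this thread, not pfSense's ftp-proxy code; the
transcripts below are made up after the FileZilla logs in the first post, with the
RFC 5737 address 203.0.113.10 standing in for the redacted server IP."""
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def inspect_control_channel(session):
    """Walk a control-channel transcript the way a helper on the firewall would.

    session: list of (direction, line) with "C" = client->server, "S" = server->client.
    Returns (pinholes, opaque_from): the (host, port) data endpoints the helper could read
    out of 227 replies, and the index from which the channel is TLS ciphertext to it (the
    line after the server's 234 reply to AUTH TLS), or None for plain FTP.
    """
    pinholes, opaque_from = [], None
    for idx, (direction, line) in enumerate(session):
        if opaque_from is not None:
            continue  # TLS handshake and everything after it: unreadable, no PASV seen
        if direction == "S" and line.startswith("234 "):
            opaque_from = idx + 1
        elif direction == "S":
            endpoint = parse_pasv(line)
            if endpoint:
                pinholes.append(endpoint)
    return pinholes, opaque_from


def data_connection_verdict(session, static_ports, helper_enabled=True):
    """Does the client's data connection for the last PASV in `session` get through?

    It passes if a static rule already allows the data port, or if the helper saw the 227
    and punched a pinhole for it.  "drop" is what the client log shows as a timeout or the
    server's "425 Can't open data connection".
    """
    wanted = None
    for direction, line in session:
        endpoint = parse_pasv(line) if direction == "S" else None
        if endpoint:
            wanted = endpoint
    if wanted is None:
        return "no-pasv"
    if wanted[1] in static_ports:
        return "pass"
    if helper_enabled and wanted in inspect_control_channel(session)[0]:
        return "pass"
    return "drop"


# Constructed transcripts (hypothetical; the password is a placeholder).
PLAIN_FTP = [
    ("S", "220 This is a private FTP server. Unauthorized use is prohibited."),
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator"),
    ("C", "PASS secret"),
    ("S", "230 Logged on"),
    ("C", "TYPE I"),
    ("S", "200 Type set to I"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,191,105)"),
    ("C", "LIST"),
]

EXPLICIT_FTPS = [
    ("S", "220 This is a private FTP server. Unauthorized use is prohibited."),
    ("C", "AUTH TLS"),
    ("S", "234 Using authentication type TLS"),
    # from here on the real wire carries TLS records; shown in clear only for the model
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator"),
    ("C", "PASS secret"),
    ("S", "230 Logged on"),
    ("C", "PBSZ 0"),
    ("S", "200 PBSZ=0"),
    ("C", "PROT P"),
    ("S", "200 Protection level set to P"),
    ("C", "TYPE I"),
    ("S", "200 Type set to I"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,191,105)"),
    ("C", "LIST"),
]

if __name__ == "__main__":
    only_20_21 = {20, 21}
    print("plain FTP, helper on      :", data_connection_verdict(PLAIN_FTP, only_20_21))
    print("FTPS, helper on           :", data_connection_verdict(EXPLICIT_FTPS, only_20_21))
    print("FTPS, helper off          :", data_connection_verdict(EXPLICIT_FTPS, only_20_21, False))
    passive_range = only_20_21 | set(range(49000, 49011))  # assumed passive range on the server
    print("FTPS, passive range opened:", data_connection_verdict(EXPLICIT_FTPS, passive_range, False))
```

Two things to take from running it. First, the data port in the first post's own 227 reply, "(MyServer,191,105)", is 191*256+105 = 49001, so a rule that passes only ports 20 and 21 with the proxy disabled cannot let the LIST data connection through, which is the 425 at the end of the third transcript. Second, in the explicit-FTPS transcript the AUTH TLS / 234 exchange happens before USER, exactly as in the first log, so the helper never gets to read a 227 and can open nothing; with the helper out of the picture, FTPS only works when the server's passive range is itself permitted, which is what the poster's "Allow All" rule did.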
                  jsun9 (last edited Jun 2, 2008, 5:57 PM)

                  Why not just make it an option for all rules rather than just FTP?

                    jsun9 (last edited Jun 12, 2008, 5:27 PM)

                    Do you know some possible things to look for that would interfere with this working?

                    We have dual WAN.
                    We have multiple FTP servers tied to different virtual IPs.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.