FTPS cannot get through
  • FTPS does not seem to get through when the ftp-helper is enabled. I get as far as the USER command then it stops.

    Status: Resolving IP-Address for mycomputer.gotdns.com
    Status: Connecting to MyIP:21…
    Status: Connection established, waiting for welcome message...
    Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
    Command: AUTH TLS
    Response: 234 Using authentication type TLS
    Status: Initializing TLS...
    Command: USER Administrator
    Error: Connection timed out
    Error: Could not connect to server

    If I add a rule to allow all ports & protocols for my IP and set the gateway as WAN then I cannot use FTP at all (when the ftp-proxy is enabled).

    Status: Resolving IP-Address for mycomputer.gotdns.com
    Status: Connecting to myip:21...
    Status: Connection established, waiting for welcome message...

    But, if I disable the ftp helper and leave the "Allow All" rule for me, then I can connect just fine. However, this breaks regular FTP for everyone else.

    Finally, if I simply allow just port 21 & 20 through and disable FTP proxy then I get this:
    Status: Resolving IP-Address for MyServer
    Status: Connecting to MyServer:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 This is a private FTP server. Unauthorized use is prohibited. All sessions
    Command: AUTH TLS
    Response: 234 Using authentication type TLS
    Status: Initializing TLS...
    Command: USER Administrator
    Status: Verifying certificate...
    Status: TLS/SSL connection established.
    Response: 331 Password required for Administrator
    Command: PASS **********
    Response: 230 Logged on
    Command: SYST
    Response: 215 UNIX emulated by FileZilla
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    Response: REST STREAM
    Response: SIZE
    Response: MLST type*;size*;modify*;
    Response: MLSD
    Response: AUTH SSL
    Response: AUTH TLS
    Response: UTF8
    Response: CLNT
    Response: MFMT
    Response: 211 End
    Command: PBSZ 0
    Response: 200 PBSZ=0
    Command: PROT P
    Response: 200 Protection level set to P
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Response: 227 Entering Passive Mode (MyServer,191,105)
    Command: LIST
    Response: 425 Can't open data connection.

    I am sure this has been asked a million times, but I did a search for "FTPS" and I got a list of crap like "ftpserver", etc. Is there a way to search and return literally "FTPS"?
  • I tried using search (as I mentioned) but how would I find that article? Typing just FTPS into the search box does not work well. What would you recommend using to search?

    Thanks for the article, I will post my results.



  • Well, FTPS is not SFTP.
    So anything that applies to FTP should also apply to FTPS.

    If you just look at the communication it shouldn't look different from a normal FTP connection.
    Just the data channel is encoded.



  • There are some serious issues with how pfSense handles FTP traffic (of all types). You're right in that FTP & FTPS should operate the same, but they don't. I can only get FTP & SFTP or just FTPS to work at any given time.

    I've tried just about everything.

    Can you confirm yourself that you've gotten FTP, FTPS (explicit) and SFTP to work all at the same time without using an "Allow All" rule
    (i.e. *  LAN_Subnet  *  *  *  WAN2)?

    Thanks



  • I know pfSense is nothing like ISA…but one thing ISA does have that may be nice for pfSense to have is secondary connections (or outbound port triggering?). That's how they get around this issue. You simply allow outbound port 20 & 21, then once they're established, ISA allows whatever ports are specified (in most cases the whole range) as secondary connections to the same server.

    Whatever it is...the "Disable the userland FTP-Proxy application" seems to have some issues.



  • Well… Don't disable the ftp proxy.
    What you describe is exactly what the ftp proxy does.

    It just doesn't do it for SFTP since it isn't listening on port 22.

    But I can confirm that normal FTP and FTPS work.



  • Why not just make it an option for all rules rather than just FTP?



  • Do you know some possible things to look for that would interfere with this working?

    We have dual wan.
    We have multiple FTP servers tied to different virtual ips.

