FTP from pfSense 2.2.4



  • Hello, I cannot FTP from inside the WAN to our alarm company.

    I keep getting the 504 Invalid PORT address. I added a NAT rule, shown in the screenshot.

    G:>ftp
    ftp> open 63.246.24.57
    Connected to 63.246.24.57.
    220 Development X2 WS_FTP Server 5.0.4 (682877313)
    User (63.246.24.57:(none)): *****
    331 Password required
    Password:
    230 user logged in
    ftp> put l:\Tasks\alarmdata.txt
    504 Invalid PORT address


    ![LAN RULES.PNG](/public/imported_attachments/1/LAN RULES.PNG)


  • LAYER 8 Global Moderator

    So this FTP server is PUBLIC on the internet.. Not behind your pfSense with clients on the internet..

    If that is the case why are you forwarding 20-21 to anything?  Why do you have a rule for 20-21 when you already have an any any rule??

    So the Windows built-in ftp client is active only.. So that means the server would talk to you on some random port your client gave the server, from a source port of 20..  pfSense no longer has an FTP helper.  You can look in the packages for the helper that was added there.

    But it would be easier to just use passive..  This means the server gives you an IP and port to connect to, and your any any rule would allow you to talk to that..  Pretty much any ftp client supports this, FileZilla for example.. MS ftp client is just really pretty broken and only supports active..



  • Hi,

    I have a similar problem, but just after the PORT command I am getting a 10054 error (connection reset by peer) - using Active FTP. Someone advised me to open ports 20, 21, 23, but I don't think it would help?

    How can I get Active FTP working through the pfSense firewall?

    Thanks!


  • Banned

    Stop using the MS ftp.exe client clusterfuck that only can do active FTP. Extremely simple.

    https://doc.pfsense.org/index.php/FTP_without_a_Proxy


  • LAYER 8 Global Moderator

    "Someone advised me to open 20,21,23 ports, but I don't think it would help ?"

    Your someone is an IDIOT/MORON when it comes to how ftp works – do not ask them further IT questions would be my suggestion to you..  What he should have told you is he didn't have a clue but it might have something to do with ports not being open.

    20 is the source port the server would use in the data connection to you if using active ftp, opening/forwarding that port to you is freaking pointless, 23 is TELNET -- WTF???  21 is the control channel.. Are you running a server behind pfSense?  Then yes 21 would need to be sent inbound..

    Why don't you just use passive to connect to the server outside pfSense...  This is the server saying hey connect to me on port X for the data channel..  You don't need to open anything, unless you have your outbound ports restricted, which sure is not the case out of the box for pfSense.

    For an active connection you need to know what ports your client is going to tell the server to connect to you with and forward those ports to your client...  So for example the attached shows that my ftp client for active connections would use a port between 6000 to 7000.  So I would have to forward those ports in to the IP of my box..  Also you need to make sure your client is reporting your actual PUBLIC IP and not your private.. Which is most likely the case: when you sent the server the PORT command and it was your private IP it errors saying can not connect to a private IP, you're not connected to me from one, etc..

    Or just use the ftp proxy package that does this for you for active connections..  See the link that dok provided...




  • Hi All,

    @johnpoz:

    Fully agree with you - but I can't win with them, they are like "YES IT IS! - FULL STOP!". Unfortunately the software is developed by them - it's not something like FileZilla, Total Commander etc. The option in their software to use passive FTP just doesn't work, but none of their other customers complain (because they are just behind some gateways etc.) and they are not going to fix it just for me, only if I would pay for extra development.

    Anyway - I found a solution; the package called FTP Client Proxy just solved my problem.

    Thanks for attention and Your time.


  • LAYER 8 Global Moderator

    So you're saying passive doesn't work.. Did you see what commands were sent, can you sniff and see what you're getting for passive?


  • Banned

    Passive doesn't work because MS ftp.exe does NOT support any such thing as passive FTP. So, of course it does not work. If someone builds an application upon that, the application is broken by design. FULL STOP!


  • LAYER 8 Global Moderator

    Yeah with dok here, looks to me you're just using the Windows based ftp client

    G:>ftp
    ftp> open 63.246.24.57

    That does not support passive..  Nor does it allow altering the ports it would use in the active connection AFAIK..  Maybe you could do something in the reg?  So yeah the helper package for active connections would be really the only option.. It looks at the port the client is telling the server to connect to and creates the forward on the fly for the data connection to work.



  • "So you're saying passive doesn't work.. Did you see what commands were sent, can you sniff and see what you're getting for passive?"

    It's catching error 10054 (connection reset by peer) just after PORT 192,168,1,x,xxx,xxx - which is understandable for me because the FW is not configured to forward the ports coming back (xxx,xxx in HEX). But I just answered the guys - I am not going to open all ports in the FW because it will be useless having a FW, and only because they don't care to fix the "Use external FTP client" tick box - this option in their software becomes always unticked after reloading the config or the application. If they're really using MS ftp then I can understand they can't fix it just like that, but they could attach another small client like ncftp or even ncftpput which would do the job just like that. Lazy buggers.


  • LAYER 8 Global Moderator

    "Use external FTP client"

    What does that even mean.. Doesn't say passive..

    The PORT command is not passive, that is active.. Yeah your client is saying hey come talk to me at 192.168.1.? port x*256+x

    If your client does not support passive, and you can not control the ports it uses in active like what I posted.. Nor what IP it gives to the server then yeah your only solution is the helper..  Why do you use this company if their software is crap and uses a deprecated protocol like ftp.. Sure hope you're not sending any sort of personal/proprietary info in whatever you're sending because it's clearly in the clear with ftp, since you're clearly not even using ftps or ftpes..

    These companies will not get it until people fight back with their $ find a different company that does whatever it is they do…



  • "Use external FTP client" - According to them it is supposed to go through passive, but it doesn't work and this is the problem. Error 10054 is in the logs and it proves that it is using Active instead of Passive even when "Use external FTP client" is ticked.

    The problem is we are producing something for another company which is using software from another company - we are in the middle and basically we can't do anything. To keep the contract going we have to agree to the things they ask for. Our contractor was complaining he has no reports, we answered that the software is faulty, the contractor contacted the software company and they came back to us to open ports in the firewall - this is the whole story in very short wording.

    Anyway - the problem is sorted using FTP Client Proxy and we can close this conversation.

    Thanks for all.



  • I figured it out. I used a different program called uftp

