Bug #1177
closedPassive FTP
Added by Martin Klein almost 14 years ago. Updated almost 14 years ago.
0%
Description
On a Thu Jan 6 02:48:15 EST 2011 Snapshot
I am no longer able to connect to an internal
ftp server using pasv mode. (login ok ls etc. -> timeout)
My guess is a problem with the ftp helper.
Reverting to a Wed Dec 29 18:28:41 EST 2010 Snapshot
fixes the problem.
Maybe this commit is responsible:
9802e7afd0f7332bcd224727216eb8149e5642fe
btw. when i try to open the diff in redmine
i get a : The entry or revision was not found in the repository.
(http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/9802e7afd0f7332bcd224727216eb8149e5642fe/diff/patches/RELENG_8_1/nat_ftphelper.RELENG_8.diff)
Files
client.pcap (3.3 KB) client.pcap | FTP Client Traffic | Martin Klein, 01/09/2011 11:49 AM | |
server.pcap (5.17 KB) server.pcap | FTP Server Traffic | Martin Klein, 01/09/2011 11:49 AM | |
packetcapture.htm (327 KB) packetcapture.htm | PacketCapture | Branko Lukman, 01/18/2011 06:12 AM |
Updated by Ermal Luçi almost 14 years ago
Please post packet traces on both sides of the connection.
And the 7 snapshot has another fix in that area so try with it too.
Updated by Martin Klein almost 14 years ago
- File client.pcap client.pcap added
- File server.pcap server.pcap added
To your First Question using 8.01 snapshot the
problem still exists.
Attached are pcap files (passwords/usernames edited)
for the folowing scenario:
Client (192.168.3.13) <-> WAN PfSense LAN <-> Server (81.16.54.28)
Yes in my Scenario the 192.168.3.0 network is not nated and on the outside
interface, the same problem occures when the client is a "real" ip.
Updated by Ermal Luçi almost 14 years ago
- Status changed from New to Feedback
Try a snapshot newer than this post which should fix the issues.
Updated by Branko Lukman almost 14 years ago
Running 2.0-BETA5 (i386)
built on Mon Jan 17 19:56:49 EST 2011 with NAT and 2 external interfaces. Port 21 forwarded to internal Ip.
Logon succesful, runing ok in active mode. When switching to passive mode i get a timeout.
Bug is stil there .....
Updated by Michael Heller almost 14 years ago
same here.
internal passive ftp with any rules doesen't work either.
Running 2.0-BETA5 (i386)
builtonMon Jan 17 21:39:59 EST 2011
Updated by Blaise Hurtlin almost 14 years ago
I can confirm this bug. The same appens here, passive FTP does not work (build of Jan 16 2011)
Updated by Ermal Luçi almost 14 years ago
Can you be more specific if the rdr to internal server of passive ftp does not work or normal client behind nat passive ftp does not work?
Updated by Blaise Hurtlin almost 14 years ago
Normal clients behind nat. The FTP server is behind a nat too (pfsense).
Clients can connect without any problem, but the "ls" times out.
Client are seing the correct pasv address/port modified by pfsense, but the connection is not possible.
Updated by Michael Heller almost 14 years ago
my ftp server is located behind opt interface of pfsense (dmz)
the clients from LAN side cannot connect with passive ftp and the same behaviour when trying to connect from WAN side.
If I analyze the traces and telnet to the offered port from passive ftp quickly, I get the output of the list command. (which normally times out by any ftp tool)
Updated by Michael Heller almost 14 years ago
Michael Heller wrote:
my ftp server is located behind opt interface of pfsense (dmz)
the clients from LAN side cannot connect with passive ftp and the same behaviour when trying to connect from WAN side.If I analyze the traces and telnet to the offered port from passive ftp quickly, I get the output of the list command. (which normally times out by any ftp tool)
outgoing passive works seamless.
Updated by Branko Lukman almost 14 years ago
- File packetcapture.htm packetcapture.htm added
Clients from internal network to oudside ftp servers are working without problems.
CLient connecting from the internet can log on, but passive mode fails.
Attaching PacketCapture..
Updated by Michael Heller almost 14 years ago
the last snapshot
built on Jan 18 04:33:29 EST
is working for me.
Updated by Branko Lukman almost 14 years ago
2.0-BETA5 (i386)
built on Tue Jan 18 03:34:33 EST 2011
confirmed.. FTP helper is working..
Updated by Michael Heller almost 14 years ago
after some heavy tests I found out that there are a lot of connections droped by the default deny rule!
This finally delays the transfer for a long time. But succeed at the end.
block
Jan 18 21:27:39 OPT1 x.x.x.5:65003 x.x.x.10:42498 TCP:SA
block
Jan 18 21:27:38 OPT1 x.x.x1.5:65003 x.x.x.10:42498 TCP:SA
block
Jan 18 21:27:35 OPT1 x.x.x.5:65003 x.x.x.10:42498 TCP:SA
block
Jan 18 21:26:56 OPT1 x.x.x.5:65001 x.x.x.10:52724 TCP:SA
block
Jan 18 21:26:32 LAN x.x.x.5:65000 x.x.x.10:44968 TCP:SA
block
Jan 18 21:26:05 LAN x.x.x.5:65001 x.x.x.10:52724 TCP:SA
on the other hand I had a lot of problems to update this thread because of blocked traffic either!
block
Jan 18 21:55:47 LAN x.x.x.10:49375 62.2.27.17:80 TCP:FPA
block
Jan 18 21:55:19 LAN x.x.x.10:49375 62.2.27.17:80 TCP:FPA
Updated by Lee Thornhill almost 14 years ago
Testing with a client behind pfsense using Tue Jan 18 03:34:33. FTP helper takes down box when re-initializing a previously opened connection.
http://forum.pfsense.org/index.php/topic,31983.msg167162.html#msg167162
Updated by Lee Thornhill almost 14 years ago
Also only able to retrieve the directory listing on the second try.
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (204,152,184,73,163,175).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Resolving address of ftp.freebsd.org
...
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (204,152,184,73,77,241).
Command: LIST
Response: 150 Here comes the directory listing.
Response: 226 Directory send OK.
Status: Directory listing successful
Updated by Lee Thornhill almost 14 years ago
Same problems as I reported before using the i386 Wed Jan 19 11:47:04 build.
With testing tonight I was 3 for 3 on crashing the system. The number of FTP connection attempts required varies (3-10) but I can crash the machine every time.
Updated by Lee Thornhill almost 14 years ago
was running the SMP kernel
loaded the developer's kernel -> solid, cannot duplicate the crashes
Updated by Lee Thornhill almost 14 years ago
loaded the developer's kernel -> solid, cannot duplicate the crashes
Nope just takes more tries to bring it down.
Have backtrace if needed.
Updated by Jim Pingle almost 14 years ago
There were some changes to the patches this afternoon. Grab the next snap that comes out (it's almost done building now, or should be) and try it again there.
Updated by Lee Thornhill almost 14 years ago
Updated to Fri Jan 21 06:52:27. Sorry, still no love. The number of tries before failure is inconsistent. After updating it crashed on the very first FTP connection attempt. Second time I loaded the dev kernel and really had to hammer it, 15-20 tries. Third time, less than 10.
All the boot and debugger output is logged. I can offer any data or configuration changes you need to help get this solved. Just ask.
Updated by Michael Heller almost 14 years ago
yes, the same behaviour for me.
still getting a lot of timeout/reconnets.
on thre other hand it looks much better by ftping internally.
Updated by Lee Thornhill almost 14 years ago
Looks like FTP is working better with build from Tue Jan 25 06:07:53. Did not get a chance to really hammer on it. The connection occasionally hangs on LIST but no lockups.
Updated by Blaise Hurtlin almost 14 years ago
Really ? On my side, it's still the same.. can't perform "LIST" command from WAN...
Updated by Ermal Luçi almost 14 years ago
Just committed the final fix which should fix the issues and prevent hangs.
Updated by Michael Heller almost 14 years ago
Yeah, this looks pretty good!
thnx
Updated by Ermal Luçi almost 14 years ago
- Status changed from Feedback to Resolved
Updated by Blaise Hurtlin almost 14 years ago
With 2.0-BETA5 (amd64)built on Thu Feb 3 22:33:00 EST 2011, it's not resolved. The LIST command times out from FTP client on WAN...
Updated by Lee Thornhill almost 14 years ago
No problems for the last several builds. Thank you!
Updated by Martin Klein almost 14 years ago
Been running recent builds on i386 and
no problems so far.
Thank You for your Work.