Bug #4210
closedBring back a FTP proxy
0%
Description
on 2.2-RC we noted that ftp helper is not working anymore, confirmed by another users on forum:
Updated by Chris Buechler almost 10 years ago
- Status changed from New to Feedback
- Target version changed from 2.2 to 2.2.1
not something we're looking into for 2.2 at this point
Updated by Chris Buechler almost 10 years ago
- Target version changed from 2.2.1 to 2.2.2
Updated by Reqlez Guy almost 10 years ago
Interesting because i'm getting reports from vendors who refuse to change away from FTP that PASV mode is not working either ... can that even be possible ?
Updated by Chris Buechler almost 10 years ago
- Subject changed from FTP connectivity by ftp proxy/kernel broken to Bring back a FTP proxy
- Status changed from Feedback to Confirmed
check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxy
it's always possible to support passive mode without a proxy, though it can require some additional configuration.
Updated by Reqlez Guy almost 10 years ago
Chris Buechler wrote:
check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxyit's always possible to support passive mode without a proxy, though it can require some additional configuration.
ohh... okay, so just by switching from Active Mode ( that requires the proxy ) to Passive doesn't make the clients behind NAT able to connect to an FTP server on the internet ?
Updated by Reqlez Guy almost 10 years ago
Chris Buechler wrote:
check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxyit's always possible to support passive mode without a proxy, though it can require some additional configuration.
NO wait ... i just read that page, it clearly says that a CLIENT behind pfsense router should be able to connect just fine unless there is a restrictive outbound policy ? is there a restrictive outbound policy by default on pfsense ?
Updated by Chris Buechler almost 10 years ago
In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.
Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.
Updated by Reqlez Guy almost 10 years ago
Chris Buechler wrote:
In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.
Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.
Confirmed Passive FTP working just fine ... Looks like quite a few of software vendors liked to use Active FTP it seems ... finding new "road blocks" every time I upgrade a router at a different client's location.
Updated by Jim Pingle almost 10 years ago
As a stop gap measure for the time being, I created a basic FTP Client Proxy package using ftp-proxy(8) from FreeBSD to help local clients connect to remote FTP servers using active FTP. It's available in packages now for testing.
Updated by Daniel Cabral almost 10 years ago
Thanks man! I'll test it. On forum a lot of people criticized the use of FTP, but as a legacy measure, we must keep it while legacy systems still in use.
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.2 to 2.2.3
Updated by Chris Buechler over 9 years ago
- Target version changed from 2.2.3 to 2.3
the FTP Proxy package suffices for 2.2.x. Should consider whether to build it in by default for 2.3 or future versions.
Updated by Jérémy R over 9 years ago
If it suffices, please explain to me how I am supposed to setup pfsense / vsftpd so that :
- One FTP server is behind a PFSense
- This FTP server is accessible via WAN, and several other VLANs, via different IP addresses.
- The FTP server only has one real IP address, and the IP addresses as seen by the clients are NAT'ed by PFSense
The obvious issue here without FTP helper : the FTP server PASV reply always sends the same IP to connect to.
Please do not reply that FTP should not be used, I obviously agree that this pile of $*%! should have never been invented in the first place, but I also have to deal with obligations beyond my wills.
Updated by Chris Buechler over 9 years ago
- Status changed from Confirmed to Resolved
- Target version deleted (
2.3) - Affected Version changed from 2.2 to 2.2.x
- Affected Architecture All added
- Affected Architecture deleted (
amd64)
The FTP proxy package should suffice for those who need a FTP proxy.
Updated by Jérémy R over 9 years ago
You're talking about the "FTP Client Proxy" package in the related section of the latest version of PFSense, right ?
It only suffices for those in need of a FTP proxy as a client.
For those of us using PFSense as something more than a home firewall, with a slightly complex network, there is a real need to bring a proper FTP proxy back to PFSense, even if it is disabled by default.
Updated by David Justl about 9 years ago
I agree with Jérémy R. The FTP proxy is still needed to properly handle communication with an FTP server sitting behind a pfSense firewall.