Bug #4210

Bring back a FTP proxy

Added by Daniel Cabral over 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: FTP proxy
Target version: -
Start date: 01/13/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.x
Affected Architecture: All

Description

On 2.2-RC we noted that the FTP helper is not working anymore, confirmed by other users on the forum:

https://forum.pfsense.org/index.php?topic=86703.0

History

#1 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Feedback
  • Target version changed from 2.2 to 2.2.1

Not something we're looking into for 2.2 at this point.

#2 Updated by Chris Buechler over 4 years ago

  • Target version changed from 2.2.1 to 2.2.2

#3 Updated by Reqlez Guy over 4 years ago

Interesting, because I'm getting reports from vendors who refuse to change away from FTP that PASV mode is not working either... Can that even be possible?

#4 Updated by Chris Buechler over 4 years ago

  • Subject changed from FTP connectivity by ftp proxy/kernel broken to Bring back a FTP proxy
  • Status changed from Feedback to Confirmed

Check out the info here:
https://doc.pfsense.org/index.php/FTP_without_a_Proxy

It's always possible to support passive mode without a proxy, though it can require some additional configuration.

#5 Updated by Reqlez Guy over 4 years ago

Chris Buechler wrote:

> Check out the info here:
> https://doc.pfsense.org/index.php/FTP_without_a_Proxy
>
> It's always possible to support passive mode without a proxy, though it can require some additional configuration.

Ohh... okay, so just by switching from Active Mode (that requires the proxy) to Passive doesn't make the clients behind NAT able to connect to an FTP server on the internet?

#6 Updated by Reqlez Guy over 4 years ago

Chris Buechler wrote:

> Check out the info here:
> https://doc.pfsense.org/index.php/FTP_without_a_Proxy
>
> It's always possible to support passive mode without a proxy, though it can require some additional configuration.

NO wait... I just read that page, it clearly says that a CLIENT behind a pfSense router should be able to connect just fine unless there is a restrictive outbound policy? Is there a restrictive outbound policy by default on pfSense?

#7 Updated by Chris Buechler over 4 years ago

In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.

Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.

#8 Updated by Reqlez Guy about 4 years ago

Chris Buechler wrote:

> In a completely default config, passive FTP clients will work fine. The default LAN rule permits what's necessary.
>
> Please post to the forum or mailing list with info on your LAN firewall rules and specifics about what you're seeing if you have any further questions.

Confirmed Passive FTP working just fine... Looks like quite a few software vendors liked to use Active FTP, it seems... finding new "road blocks" every time I upgrade a router at a different client's location.

#9 Updated by Jim Pingle about 4 years ago

As a stop gap measure for the time being, I created a basic FTP Client Proxy package using ftp-proxy(8) from FreeBSD to help local clients connect to remote FTP servers using active FTP. It's available in packages now for testing.

#10 Updated by Daniel Cabral about 4 years ago

Thanks man! I'll test it. On the forum a lot of people criticized the use of FTP, but as a legacy measure, we must keep it while legacy systems are still in use.

#11 Updated by Chris Buechler about 4 years ago

  • Target version changed from 2.2.2 to 2.2.3

#12 Updated by Chris Buechler almost 4 years ago

  • Target version changed from 2.2.3 to 2.3

The FTP Proxy package suffices for 2.2.x. Should consider whether to build it in by default for 2.3 or future versions.

#13 Updated by Jérémy R over 3 years ago

If it suffices, please explain to me how I am supposed to set up pfSense / vsftpd so that:

- One FTP server is behind a pfSense
- This FTP server is accessible via WAN, and several other VLANs, via different IP addresses.
- The FTP server only has one real IP address, and the IP addresses as seen by the clients are NAT'ed by pfSense

The obvious issue here without the FTP helper: the FTP server PASV reply always sends the same IP to connect to.

Please do not reply that FTP should not be used, I obviously agree that this pile of $*%! should have never been invented in the first place, but I also have to deal with obligations beyond my will.
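
The PASV problem described in comment #13, as an added example that is not part of the original thread and is not code from pfSense or ftp-proxy(8): it parses a `227` reply and shows why one fixed advertised address cannot serve clients that reach the server through different NAT addresses, while a per-client rewrite on the control channel can. All addresses, the `NAT_VIEW` table and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample addresses (private/documentation ranges), not from the thread.
SERVER_REAL_IP = "10.0.0.21"
# Hypothetical NAT view: client network -> address NAT exposes for the server there.
NAT_VIEW = {
    ipaddress.ip_network("0.0.0.0/0"): "203.0.113.10",        # WAN clients
    ipaddress.ip_network("192.168.10.0/24"): "192.168.10.1",  # VLAN 10
    ipaddress.ip_network("192.168.20.0/24"): "192.168.20.1",  # VLAN 20
}

# 227 <text> (h1,h2,h3,h4,p1,p2): four address octets, then the port as two bytes.
PASV_RE = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def external_ip_for(client_ip):
    """Longest-prefix match of the client against the NAT view."""
    addr = ipaddress.ip_address(client_ip)
    matches = [net for net in NAT_VIEW if addr in net]
    return NAT_VIEW[max(matches, key=lambda net: net.prefixlen)]

def rewrite_pasv(line, client_ip):
    """Helper behaviour: replace the server's real address with the one this client reaches."""
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != SERVER_REAL_IP:
        return line  # not a PASV reply from our server: pass through untouched
    port = parsed[1]
    host = external_ip_for(client_ip).replace(".", ",")
    return f"227 Entering Passive Mode ({host},{port >> 8},{port & 0xFF})"

def reachable(line, client_ip):
    """True if the address in the reply is the one NAT exposes to this client."""
    parsed = parse_pasv(line)
    return parsed is not None and parsed[0] == external_ip_for(client_ip)
```
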

#14 Updated by Chris Buechler over 3 years ago

  • Status changed from Confirmed to Resolved
  • Target version deleted (2.3)
  • Affected Version changed from 2.2 to 2.2.x
  • Affected Architecture changed from amd64 to All

The FTP proxy package should suffice for those who need a FTP proxy.

#15 Updated by Jérémy R over 3 years ago

You're talking about the "FTP Client Proxy" package in the related section of the latest version of pfSense, right?

It only suffices for those in need of a FTP proxy as a client.
For those of us using pfSense as something more than a home firewall, with a slightly complex network, there is a real need to bring a proper FTP proxy back to pfSense, even if it is disabled by default.

#16 Updated by David Justl over 3 years ago

I agree with Jérémy R. The FTP proxy is still needed to properly handle communication with an FTP server sitting behind a pfSense firewall.
