Hi Scott!
On Sunday, 01.10.2006, at 14:23 -0400, Scott Ullrich wrote:
> On 10/1/06, Peter Allgeyer <[EMAIL PROTECTED]> wrote:
> > To sum up: In system_start_ftp_helpers() the FTP-Helper isn't started
> > for the WAN interface.
>
> Yes it is, it is started out of the NAT redirect section. Here is an example:
>
> proxy 597 0.0 0.1 656 232 ?? Ss 18Sep06 0:11.64
> /usr/local/sbin/pftpx -f 10.0.0.180 -b XXX.XXXX.81.16 -c 21 -g 21
> Pftpx listens on the external address, port 21 and forwards (in this
> case) all ftp related items it sees to 10.0.0.180.
But that only works with port forwarding, right? What about an FTP
server listening on 62.13.14.55 instead of 10.0.0.180? Ok, I can try to
configure a redirection rule (port forwarding) for that. Does it also
work for more than one FTP-server?
Iface   Ext IP        Ext Port   Nat IP        Local Port
WAN     62.13.14.55   21         62.13.14.55   21
WAN     62.13.14.56   21         62.13.14.56   21
WAN     62.13.14.57   21         62.13.14.57   21
Have to test this, but don't think that it'll work, because the
FTP-Helper always tries to listen to 127.0.0.1:21. You'll get a "bind
failed: port or address already in use". The right way to launch the
FTP-helper in that case would be:
/usr/local/sbin/pftpx -s EXT_IP
                      -f NAT_IP
                      -b CLIENT_IP
                      -c EXT_PORT
                      -g LOCAL_PORT
Hmm, not a really good design, if I need port forwarding for publicly
reachable IP addresses. Isn't there any better way?
> > So is it possible to configure another source IP for pftpx anywhere in
> > pfsense? A hidden option for that seldom case (maybe it's also an
> > advantage in case of virtual IPs - carp for example) would be fine.
>
> Use <shellcmd>.
Do you mean setting something like this:
---< snip >---
<earlyshellcmd>ps waux | grep "/usr/local/sbin/pftpx -c 8021" | grep -v grep | awk '{print $2}' | xargs /bin/kill</earlyshellcmd>
<earlyshellcmd>/usr/local/sbin/pftpx -c 8021 -g 8021 -p 62.13.14.58 192.168.96.2</earlyshellcmd>
---< snap >---
There 62.13.14.58 is the proxy source IP (DMZ interface) and
192.168.96.2 is the internal (LAN) interface IP.
Would be possible in this special case. I do prefer a cleaner way with a
hidden or an advanced option. Are you accepting any patches for this
issue?
BR, PIT
---------------------------------------------------------------------------
copyleft(c) by | Problem solving under Linux has never been
Peter Allgeyer | _-_ the circus that it is under AIX. -- Pete
| 0(o_o)0 Ehlke in comp.unix.aix
---------------oOO--(_)--OOo-----------------------------------------------