On 13-11-26 06:13 PM, Marcus Limosani wrote:
> It is all working wonderfully, except for FTP.
> I can not establish a data connection to the server
> (The server is running a private IP 1:1 NAT – and the Private IP FTP
> is working fine, so I don’t believe it to be an issue with the server
> itself)
> [...]
> The other troubling thing about trying to debug this is that even
> though I have the firewall rule set to log, I NEVER see any traffic
> logs for the IP / Ports.
> Anyone have some FTP success out there?
You need to run an FTP proxy; regardless of active or passive mode,
*inbound* FTP does not understand how to traverse NAT. IIRC, pfSense has
one built in.
Read
https://doc.pfsense.org/index.php/Howto_setup_ftp_server_behind_pfsense
for details on what to do.
As noted at that page, there *is* an option for running a specified
range of ports, but you also will then need to perform step 3 (on the
Wiki, under Option 2) to convince your FTP server that its own IP
address isn't its "real" IP address. Doing this will likely break
internal FTP clients... so there are downsides to both methods. Oh, and
you can't mix the two methods :-).
Short answer: inbound FTP and NAT (of any flavour) don't mix well.
The typical answer here is - don't NAT an FTP server. Put it on a DMZ
segment that isn't NAT'd. Or, if that's not possible, put it behind a
transparent-mode firewall (pfSense can do this). In any event, avoid
mixing (inbound) FTP and NAT as much as possible.
If you're determined to do this anyway, note the '-P' option for
pure-ftpd. From the readme:
- '-P <ip address or host name>': Force the specified IP address in reply to
a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
that doesn't properly handle stateful FTP masquerading, put the ip address
of that box here. If you have a dynamic IP address, you can put the public
host name of your gateway, that will be resolved every time a new client will
connect.
There are other firewalls that can do transparent FTP proxying that
combines the best of both modes, but to the best of my knowledge, no
pf-based firewall (including pfSense) can do this. Some iptables-based
(i.e. Linux) firewalls can do this. Many commercial products can do
this, but not all.
--
-Adam Thompson
[email protected]
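To make the failure mode concrete, here is a small added example (my own illustration, not code from pfSense or pure-ftpd) that parses the "227 Entering Passive Mode" reply an external client receives, flags the case where a 1:1 NAT'd server advertises its RFC1918 address, and shows the rewrite that an FTP-aware proxy or pure-ftpd's '-P' option performs. The sample reply and the public address 203.0.113.10 are constructed for the demonstration.

```python
import ipaddress
import re

# The PASV reply carries the data-channel endpoint as h1,h2,h3,h4,p1,p2
PASV_TUPLE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC1918 ranges; an external client can never reach these through the NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    if not reply.startswith("227"):
        return None
    m = PASV_TUPLE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def advertises_private_address(reply: str) -> bool:
    """True when the server tells the client to open its data connection to
    an RFC1918 address. Behind a 1:1 NAT without an FTP proxy this is what the
    outside client sees: the control channel works, the data channel never
    reaches the firewall, so nothing shows up in the firewall logs."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    return any(addr in net for net in RFC1918)


def rewrite_pasv(reply: str, public_ip: str) -> str:
    """Rewrite the advertised address the way an FTP-aware NAT/proxy (or the
    server itself via '-P <public ip>') does; the port is left unchanged."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return PASV_TUPLE.sub(f"({new_tuple})", reply, count=1)


if __name__ == "__main__":
    # Constructed sample: server at 10.0.0.5 behind a 1:1 NAT to 203.0.113.10
    sample = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(parse_pasv(sample), advertises_private_address(sample))
    print(rewrite_pasv(sample, "203.0.113.10"))
```

Rewriting the reply alone is not sufficient: the passive port range the server hands out (195*256+80 = 50000 in the sample) still has to be permitted inbound to the server, which is the port-range step the wiki page describes.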
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list