FTP is a nasty beast. There are active, passive, and extended passive
connections. You may need a client that does extended passive (epsv?) to work
properly. Standard passive will hand back the server’s IP & data port over the
control connection, so unless pfSense is altering the packets as they leave, or
ProFTPd knows that it needs to respond to that IP range with a masqueraded IP,
standard passive will get hung up.
FTP (anything other than extended passive mode) really wants to use routable
IPs. FTP is not naturally compatible with NAT, or IPv6. Extended passive is
the proper solution. An FTP proxy is what the Linux guys usually do, as
iptables has a module for that.
SFTP is my preferred solution. Death to FTP.
ED.
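As an added example (not code from any poster in this thread), here is a small Python check that reads a PASV (227) or EPSV (229) reply the way a client does and reports the two failures described above: PASV advertising a private address from behind 1:1 NAT, and a data port outside the PassivePorts span (49500-52500) the firewall rules allow. The peer address and the sample replies are constructed.

```python
import ipaddress
import re

# RFC 959 PASV reply "227 ... (h1,h2,h3,h4,p1,p2)" carries the server's own
# IP and port; RFC 2428 EPSV reply "229 ... (|||port|)" carries only the port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(reply, control_peer_ip):
    """Return (ip, port) the client would dial for the data connection.

    control_peer_ip is the address the client used for the control session.
    For EPSV the client reuses it; for PASV it trusts whatever the server
    says, which behind NAT is the private address unless masqueraded.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_peer_ip, int(m.group(1))
    raise ValueError(f"not a PASV/EPSV reply: {reply!r}")


def check_passive_reply(reply, control_peer_ip, passive_range=(49500, 52500)):
    """Return a list of findings explaining why the data connection would fail.

    passive_range is the PassivePorts span the firewall rules were written for.
    """
    ip, port = parse_data_endpoint(reply, control_peer_ip)
    findings = []
    if ip != control_peer_ip:
        kind = "private" if ipaddress.ip_address(ip).is_private else "different"
        findings.append(f"PASV advertised {kind} address {ip} but the client "
                        f"reached {control_peer_ip}; data connection goes to the "
                        "wrong host (masquerade the public IP or use EPSV)")
    lo, hi = passive_range
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the allowed passive "
                        f"range {lo}-{hi}; the firewall rule will not pass it")
    return findings


if __name__ == "__main__":
    peer = "203.0.113.5"  # constructed: address the client connected to
    for r in ["227 Entering Passive Mode (192,168,1,10,193,92).",
              "227 Entering Passive Mode (203,0,113,5,193,92).",
              "229 Entering Extended Passive Mode (|||49500|)"]:
        print(r, "->", check_passive_reply(r, peer) or ["ok"])
```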
> On 2015, Jul 7, at 12:45 PM, Ryan Coleman <[email protected]> wrote:
>
> No port forwarding. Just 1:1 and Rules.
>
> ProFTPd is told to use port 9000. That works perfectly internally.
>
> Rules set up to allow port 9000 out through the firewall. Connection happens
> - but no directory structure is delivered.
> This is working for other services on the internal server including Apache.
>
>
>> On Jul 6, 2015, at 10:35 PM, Jim Pingle <[email protected]> wrote:
>>
>> On 7/6/2015 7:59 PM, Ryan Coleman wrote:
>>> Using 1:1 has turned most of my knowledge in pfSense completely useless. I
>>> feel like a beginner again.
>>>
>>> FTP worked on port 21. But for security reasons I do not want it there so I
>>> moved it to port 9000.
>>>
>>> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are
>>> dictated in the conf (49500-52500) and configured as such in the Firewall
>>> Rules. Firewall Rules also have port 8999-9001 open for the FTP server.
>>>
>>> FTP works internal to the network so the issue isn’t in the configuration
>>> of ftp server but in the configuration of the firewall.
>>
>> Seems the actual question/problem statement is missing. What exactly
>> isn't working?
>>
>> Did you actually change the binding port in ProFTPd or did you redirect
>> 21 to 9000 with a port forward?
>>
>> If you mix 1:1 NAT and port forwards you will find a couple things you
>> may not expect due to the way pf works and how NAT happens before
>> firewall rules:
>>
>> 1. Port forwards override 1:1 NAT, which is good for doing what you want
>>
>> -but-
>>
>> 2. If you forward a different port (e.g. 9000 to 21) your rule still
>> passes to the local IP on port 21 so BOTH ports are actually accessible.
>> In other words, you can't relocate a port and block access to the
>> original port.
>>
>> Changing the binding in ProFTPd to 9000 should work around that.
>>
>> If that's what you did, then your rule would pass to the local IP on
>> port 9000.
>>
>> If that doesn't help, give us a bit more detail about the exact NAT and
>> firewall rules you have and what isn't working as expected. Include
>> firewall logs, states for the test connections, and perhaps a packet
>> capture.
>>
>> Jim
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold