Re: [pfSense] FTP trouble.

2016-02-11 Thread Kevin Tollison
I ran into this issue with a couple of sites using FTP on an AS/400. Even
opened a ticket with pfSense support. Was never able to resolve it. Sites
are unfortunately still running 2.1.5. Anything in the 2.2 series and FTP
fails immediately.

The AS/400 vendor is working on an SFTP or FTPS update and has been for 9 months.
I gave up on trying to pass that traffic on pfSense 2.2.

Support kept sending me back to this document.
https://doc.pfsense.org/index.php/FTP_without_a_Proxy

On Thu, Feb 11, 2016, 2:25 PM J. Echter wrote:

> Hi,
>
> I have a tool which updates its data by FTP. Nothing special...
>
> But, I can't use it as I get errors like 'no data', error 227 'entering
> passive mode' and so on.
>
> As far as I know, passive mode should be working without any effort.
>
> Where can I have a look at what is going wrong?
>
> I read about FTP Helper and FTP Client Proxy, but IMHO FTP Helper isn't
> in 2.2 anymore and was more for FTP servers behind pfSense.
>
>
> Please, any hints are welcome :)
>
> Thanks.
>
> Juergen
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] FTP trouble.

2016-02-11 Thread Steve Yates
J. Echter wrote on Thu, Feb 11 2016 at 1:25 pm:

> But, i cant use it as i get errors like 'no data', error 227 'entering
> passive mode' and so on.

So the FTP client is in your location and the FTP server is somewhere 
on the Internet?  We've not had any issues with that under pfSense 2.x, and 
specifically 2.2.x for Kevin.  I looked at the link he posted and I'm guessing 
you are hitting this:

"Passive mode on the client will require access to random/high ports outbound, 
which could run afoul of a strict outbound ruleset. Environments with a 
security policy that requires strict outbound firewall rules likely would not 
be using FTP anyhow, as it transmits credentials without encryption."

In other words if you are allowing port 21 outbound but blocking outbound ports 
over 1000, that would allow the initial connection and then fail on the data 
connection(s).  The FTP server would tell the client what port to use for the 
data connection but then the client is blocked by the firewall.  Try (in 
Status: System logs: Settings) setting your firewall log to "Log packets 
matched from the default block rules put in the ruleset" and see if that shows 
the block in your firewall log.  And just to over-clarify, it is the FTP server
that tells the client what port to use, so you can't control that unless you
control the FTP server.


--

Steve Yates
ITS, Inc.





Re: [pfSense] FTP trouble.

2016-02-11 Thread WebDawg
On Thu, Feb 11, 2016 at 1:25 PM, J. Echter wrote:
> Hi,
>
> I have a tool which updates its data by FTP. Nothing special...
>
> But, I can't use it as I get errors like 'no data', error 227 'entering
> passive mode' and so on.
>
> As far as I know, passive mode should be working without any effort.
>
> Where can I have a look at what is going wrong?
>
> I read about FTP Helper and FTP Client Proxy, but IMHO FTP Helper isn't
> in 2.2 anymore and was more for FTP servers behind pfSense.
>
>
> Please, any hints are welcome :)
>
> Thanks.
>
> Juergen


PASV mode requires you to open ports on the firewall so that when a client
needs to transfer data it can use these ports to connect to the FTP
server and start the transfer.  It is specifically built like this so
you CAN host an FTP server across NAT.

You usually have to configure the FTP server to utilize a range of
ports for its PASV mode based on the number of active clients at one
time on a server.  You then forward those ports to the internal
address of the box with the FTP server on it.

You may also have to configure a PASV IP address in the FTP server
because by default the FTP server will pass the IP it is on and the
port to the client, telling it to connect there.

So if you do not do both, you are going to have issues connecting to an
FTP server behind a NATed box.

You should not be using just plain FTP anymore as it is insecure.  You
should be using SFTP (SSH) or FTP with TLS enabled.  You still have to
configure a group of PASV ports and a PASV IP in this instance.


Re: [pfSense] FTP trouble.

2016-02-11 Thread ED Fochler
There is also extended passive, which is much better than old standard passive
as it is IPv6 friendly and less likely to get wrongly proxied.  So different
clients from the same network to the same server may negotiate differently and
present different results.

The next step would be to grab traffic and figure out where the data is trying
to go.  Or use SFTP, as that is a single-stream secure solution.

ED.


> On 2016, Feb 11, at 2:55 PM, Steve Yates  wrote:
> 
> J. Echter wrote on Thu, Feb 11 2016 at 1:25 pm:
> 
>> But, i cant use it as i get errors like 'no data', error 227 'entering
>> passive mode' and so on.
> 
>   So the FTP client is in your location and the FTP server is somewhere 
> on the Internet?  We've not had any issues with that under pfSense 2.x, and 
> specifically 2.2.x for Kevin.  I looked at the link he posted and I'm 
> guessing you are hitting this:
> 
> "Passive mode on the client will require access to random/high ports 
> outbound, which could run afoul of a strict outbound ruleset. Environments 
> with a security policy that requires strict outbound firewall rules likely 
> would not be using FTP anyhow, as it transmits credentials without 
> encryption."
> 
> In other words if you are allowing port 21 outbound but blocking outbound 
> ports over 1000, that would allow the initial connection and then fail on the 
> data connection(s).  The FTP server would tell the client what port to use 
> for the data connection but then the client is blocked by the firewall.  Try 
> (in Status: System logs: Settings) setting your firewall log to "Log packets 
> matched from the default block rules put in the ruleset" and see if that 
> shows the block in your firewall log.  And just to over-clarify, it is the
> FTP server that tells the client what port to use, so you can't control that
> unless you control the FTP server.
> 
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> 
> 

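The client-side mechanics the three replies above describe, as an added Python example that is not part of this thread and not pfSense code: Steve's point that the server picks the data port and a strict outbound ruleset then blocks it, WebDawg's point that a NATed server advertises its private address unless a PASV IP is configured, and ED's point that EPSV carries only a port. It parses the 227 and 229 replies, decides where the data connection would go, and checks that port against a first-match outbound rule list with an implicit default block. The control host 203.0.113.10, the two replies and the rule sets are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"; no address at all
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str                        # "PASV" or "EPSV"
    host: str                        # where the client will really connect
    port: int                        # chosen by the server; the client cannot influence it
    advertised_host: Optional[str]   # address claimed in the 227 reply (None for EPSV)

    @property
    def address_mismatch(self) -> bool:
        """True when a PASV server advertised an address other than the one we are
        talking to: the usual sign of a NATed server with no passive address set."""
        return self.advertised_host is not None and self.advertised_host != self.host


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (advertised_host, port) from a 227 reply, rejecting out-of-range octets."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply."""
    if not reply.startswith("229"):
        raise ValueError(f"not a 229 reply: {reply!r}")
    m = EPSV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in EPSV reply: {reply!r}")
    return port


def data_target(reply: str, control_host: str) -> DataEndpoint:
    """Decide where the data connection goes.  Like most current clients, always reuse
    the control-connection peer: that survives server-side NAT and keeps a hostile
    server from steering the data connection at some third host."""
    if reply.startswith("229"):
        return DataEndpoint("EPSV", control_host, parse_epsv(reply), None)
    advertised, port = parse_pasv(reply)
    return DataEndpoint("PASV", control_host, port, advertised)


# Outbound rule: (first_port, last_port, action).  First match wins and anything
# unmatched hits an implicit default block, like pfSense's default block rules.
Rule = Tuple[int, int, str]


def evaluate_outbound(port: int, rules: List[Rule]) -> str:
    for lo, hi, action in rules:
        if lo <= port <= hi:
            return action
    return "block"


def diagnose(reply: str, control_host: str, rules: List[Rule]) -> dict:
    """Explain what a strict outbound ruleset does to the data connection."""
    ep = data_target(reply, control_host)
    verdict = evaluate_outbound(ep.port, rules)
    notes: List[str] = []
    if verdict == "block":
        notes.append(f"data connection to {ep.host}:{ep.port} hits the default block; "
                     "the control channel on 21 still works, hence '227' followed by 'no data'")
    if ep.address_mismatch:
        notes.append(f"server advertised {ep.advertised_host} instead of {ep.host}: "
                     "probably NATed without a passive address configured; ignored")
    return {"mode": ep.mode, "host": ep.host, "port": ep.port,
            "verdict": verdict, "notes": notes}


# Constructed sample data, not taken from the thread.
CONTROL_HOST = "203.0.113.10"
PASV_REPLY = "227 Entering Passive Mode (192,168,7,20,195,80)"   # 195*256 + 80 = 50000
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50010|)"
STRICT_RULES: List[Rule] = [(21, 21, "pass"), (1, 1000, "pass")]      # 21 plus nothing above 1000
OPEN_RULES: List[Rule] = [(21, 21, "pass"), (1024, 65535, "pass")]    # high ports allowed

if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        for name, rules in (("strict", STRICT_RULES), ("open", OPEN_RULES)):
            print(name, diagnose(reply, CONTROL_HOST, rules))
```

With the strict ruleset both 50000 and 50010 hit the default block while port 21 passes, which is exactly the "227 and then no data" pattern; the log setting Steve mentions would show that default-rule block with the server's chosen port in it. The parser reuses the control-connection peer, so a server that advertises 192.168.7.20 cannot redirect the data channel; the mismatch is reported rather than followed.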


[pfSense] FTP trouble.

2016-02-11 Thread J. Echter
Hi,

I have a tool which updates its data by FTP. Nothing special...

But, I can't use it as I get errors like 'no data', error 227 'entering
passive mode' and so on.

As far as I know, passive mode should be working without any effort.

Where can I have a look at what is going wrong?

I read about FTP Helper and FTP Client Proxy, but IMHO FTP Helper isn't
in 2.2 anymore and was more for FTP servers behind pfSense.


Please, any hints are welcome :)

Thanks.

Juergen


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-11 Thread Romain Lapoux
I did some tests and it does not work (removed all required interfaces).

Here my network setup:
- pfSense:
WAN: xx.xx.xx.166/27
WAN CARP: xx.xx.xx.165/27
LAN: 10.124.193.206/21
LAN CARP: 10.124.193.205/21
PRIVATE: 192.168.7.6/24
GW_WAN (default): xx.xx.xx.190
GW_LAN: 10.124.199.254
Route: 10.124.0.0/16 => GW_LAN

Routing tables:
Destination        Gateway            Flags   Netif  Expire
default            xx.xx.xx.190       UGS     vmx0
10.124.0.0/16      10.124.199.254     UGS     vmx1
10.124.192.0/21    link#2             U       vmx1
10.124.193.205     link#2             UHS     lo0
10.124.193.206     link#2             UHS     lo0
xx.xx.xx.160/27    link#1             U       vmx0
xx.xx.xx.165       link#1             UHS     lo0
xx.xx.xx.166       link#1             UHS     lo0
127.0.0.1          link#6             UH      lo0

- Backend server:
LAN: 10.124.192.1/21
Default route: 10.124.193.205
Route: 10.124.0.0/16 => 10.124.199.254
LAN2 (storage access): 10.224.192.1/16

Route print:
Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
default         10.124.193.205   0.0.0.0          UG     0       0    0    eth0
10.124.0.0      10.124.199.254   255.255.0.0      UG     0       0    0    eth0
10.124.192.0    *                255.255.248.0    U      0       0    0    eth0
10.224.0.0      *                255.255.0.0      U      0       0    0    eth1

Regards,

Romain

From: Espen Johansen [mailto:pfse...@gmail.com] 
Sent: Wednesday, February 10, 2016 22:50
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List 

Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, 
firewall enable random connection drop

Firewall disable = no state = asymmetric routing will not get return packets 
dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux  wrote:
I don't agree, because how do you explain that everything works correctly when I
disable only the firewall feature in pfSense?

Romain

-Original Message-
From: Chris Buechler [mailto:c...@pfsense.com]
Sent: Wednesday, February 10, 2016 21:50
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List 

Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, 
firewall enable random connection drop

On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> My last test in conservative optimization: if I upload files with 4 parallel
> connections, it drops each one in less than 10 seconds.
> (And doesn't free them on the backend server; they stay ESTABLISHED in netstat.)
> (And don't free them on backend server, they stay ESTABLISHED in netstat.
>

More than likely because one or more of the hosts involved are dual homed and 
you have asymmetric routing.


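The point Chris and Espen make in the thread above, that a stateful filter drops the half of a connection it never saw the start of while a disabled firewall simply routes it, as an added Python example that is neither pfSense nor pf code. The routing table is the backend's as Romain posted it; the client 198.51.100.7, the port 443 flow and the assumption that the client's own packets reached the backend through 10.124.199.254 rather than through pfSense are constructed for illustration. It first does a longest-prefix lookup to show which next hop the backend uses for a given destination, then replays a flow through a toy keep-state filter with the filter on and off.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The backend server's routing table as posted in the thread: (prefix, gateway);
# "*" means directly connected.
BACKEND_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "10.124.193.205"),       # default via the pfSense LAN CARP address
    ("10.124.0.0/16", "10.124.199.254"),   # rest of 10.124/16 via the other router
    ("10.124.192.0/21", "*"),
    ("10.224.0.0/16", "*"),
]


def next_hop(dst: str, routes: List[Tuple[str, str]]) -> str:
    """Longest-prefix match, the same choice the kernel makes for a destination."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA"


class StatefulFilter:
    """Minimal model of a keep-state packet filter (an assumption, not pf's code):
    only a bare SYN that matches a pass rule creates state (pf's default
    'flags S/SA'); later packets in either direction must match that state;
    everything else is blocked.  Disabled, the box is a plain router and
    forwards everything (pfSense's 'disable all packet filtering' also turns
    off NAT)."""

    def __init__(self, enabled: bool, pass_ports: Set[int]) -> None:
        self.enabled = enabled
        self.pass_ports = pass_ports
        self.states: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        if not self.enabled:
            return "pass"                       # no state table at all
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "pass"                       # belongs to a known connection
        if p.flags == "S" and p.dport in self.pass_ports:
            self.states.add(key)                # new connection allowed by a rule
            return "pass"
        return "block"                          # mid-stream packet with no state


def run(packets: List[Packet], enabled: bool) -> List[str]:
    fw = StatefulFilter(enabled, pass_ports={443})
    return [fw.filter(p) for p in packets]


# Constructed flow: hypothetical client 198.51.100.7 (outside 10.124/16, so the
# backend's replies go via its default route, i.e. pfSense) and the backend.
CLIENT, SERVER = "198.51.100.7", "10.124.192.1"
# Both directions cross the firewall: SYN, SYN-ACK, ACK, data.
SYMMETRIC = [
    Packet(CLIENT, 40000, SERVER, 443, "S"),
    Packet(SERVER, 443, CLIENT, 40000, "SA"),
    Packet(CLIENT, 40000, SERVER, 443, "A"),
    Packet(SERVER, 443, CLIENT, 40000, "PA"),
]
# Only the server-to-client leg crosses the firewall (the client's packets came
# in through 10.124.199.254, an assumption); the firewall never saw the SYN.
ASYMMETRIC = [
    Packet(SERVER, 443, CLIENT, 40000, "SA"),
    Packet(SERVER, 443, CLIENT, 40000, "PA"),
]

if __name__ == "__main__":
    print("backend next hop for", CLIENT, "->", next_hop(CLIENT, BACKEND_ROUTES))
    print("symmetric, firewall on  :", run(SYMMETRIC, enabled=True))
    print("asymmetric, firewall on :", run(ASYMMETRIC, enabled=True))
    print("asymmetric, firewall off:", run(ASYMMETRIC, enabled=False))
```

With the filter enabled the SYN-ACK and the data segment arrive with no matching state and hit the default block; with it disabled both are forwarded, which matches what Romain reports. The real pf additionally tracks TCP sequence windows per state, so even a flow whose SYN it did see can be killed later when only one direction keeps passing through it; this model leaves that refinement out. The practical check is to run the lookup for the clients whose transfers drop, on both the backend and pfSense, and confirm that both legs of each flow actually traverse the firewall.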