Disabling the FTP helper on the OPT interface did the trick. Thanks a
lot.
I have my FTP server on another OPT interface where the FTP helper is
enabled and my firewall rules set up to allow both passive and active
FTP incoming connections. In this case, the FTP helper is required,
right? So I can't have my FTP server and clients on the same
interface, correct?
Alex
On May 9, 2007, at 3:14 PM, Scott Ullrich wrote:
On 5/9/07, Alexandre Blardone <[EMAIL PROTECTED]> wrote:
Hello,
Does pfsense offer FTP connection tracking? I think I am running into a
problem with FTP clients behind our firewall:
Here is the basis of my concern (taken from
http://www.linuxchix.org/content/courses/security/connection_tracking):
Unlike most networked services, FTP uses two well-known ports, 20 and 21.
20 is the port for FTP data, and 21 is the port for FTP control
information. This makes an extra hole you have to leave in your firewall
when you're an FTP server. But the real problem comes when you have an
FTP client behind a firewall.
FTP Client -------------|----|-------------> FTP server
10.1.1.10               | fw |               10.1.1.4
port 41327              | *  |               port 21
The initial connection comes from a high-numbered port on the client side
to the FTP control port, 21. This is going to be allowed through most
firewalls. But the problem is the reply. When you send an FTP command (ls,
get, put, etc.), that opens a whole separate TCP connection from the
server to the client. This causes a problem -- firewalls may block THAT
connection.
FTP Client -------------|----|-------------> FTP server
10.1.1.10 | fw | 10.1.1.4
port 41327 | * |------------- port 20
(That source port is 21 if it's sending control info, 20 if it's sending
a file. So, 21 when replying to the initial SYN with SYN, ACK and that
TCP connection. 20 when replying to an ls, get, put, etc.) But the
destination is some port that the FTP client has specified.
If we have a fairly tight firewall, it's not going to allow just any box
to connect through it on a random high port. So that ftp-data connection
gets dropped, and the user sees their FTP client fail immediately after
connection (i.e. "as soon as I try to do anything"). This type of FTP is
called Active FTP, or Active Mode FTP.
Make sure you are on 1.2-BETA-1 and take a look at
http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting
Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
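An added example, not pfSense's FTP helper and not code from anyone on the list, showing in Python what a stateful FTP helper like the one discussed has to do: read PORT commands and 227 replies off the control channel, work out the one data connection each implies (the "separate TCP connection" the quoted text describes), and refuse to act on an address that is not the control-connection peer. The addresses and the control-channel exchange are constructed to match the diagram above (client 10.1.1.10, server 10.1.1.4); all function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Client-side "PORT h1,h2,h3,h4,p1,p2" (active mode, RFC 959 section 4.1.2).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
# Server-side "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive mode).
PASV_RE = re.compile(
    r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Pinhole:
    """The single data-connection SYN a stateful firewall should admit."""
    mode: str       # "active": server -> client, "passive": client -> server
    src_ip: str     # the side that will send the SYN
    dst_ip: str
    dst_port: int


def _decode(fields: Sequence[str]) -> Tuple[str, int]:
    """Turn the six h1..h4,p1,p2 fields into (dotted address, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % (list(fields),))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


def expected_data_connection(client_ip: str, server_ip: str, direction: str,
                             line: str, strict: bool = True) -> Optional[Pinhole]:
    """Return the pinhole one control-channel line implies, or None.

    direction is "C" for client->server lines and "S" for server->client
    lines: a PORT is only honoured from the client and a 227 only from the
    server.  With strict=True the advertised address must be the peer on
    the control connection itself; a helper that skips this check opens
    holes toward whatever third party the command names (FTP bounce).
    """
    if direction == "C":
        m = PORT_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            if strict and ip != client_ip:
                raise ValueError("PORT names %s but control peer is %s" % (ip, client_ip))
            # The server's ftp-data side will connect back to the client.
            return Pinhole("active", server_ip, ip, port)
    elif direction == "S":
        m = PASV_RE.match(line)
        if m:
            ip, port = _decode(m.groups())
            if strict and ip != server_ip:
                raise ValueError("227 names %s but control peer is %s" % (ip, server_ip))
            # The client will connect out to the port the server chose.
            return Pinhole("passive", client_ip, ip, port)
    return None


def is_bounce_attempt(client_ip: str, server_ip: str, direction: str, line: str) -> bool:
    """True when the strict helper would reject the line (wrong peer or malformed)."""
    try:
        expected_data_connection(client_ip, server_ip, direction, line, strict=True)
    except ValueError:
        return True
    return False


def track_session(client_ip: str, server_ip: str, exchange, strict: bool = True) -> List[Pinhole]:
    """Walk a control-channel exchange [(direction, line), ...] and collect pinholes."""
    holes = []
    for direction, line in exchange:
        h = expected_data_connection(client_ip, server_ip, direction, line, strict=strict)
        if h is not None:
            holes.append(h)
    return holes


def syn_allowed(holes: Sequence[Pinhole], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would a firewall holding these pinholes admit this data-connection SYN?"""
    return any(h.src_ip == src_ip and h.dst_ip == dst_ip and h.dst_port == dst_port
               for h in holes)


# Constructed control-channel exchange using the thread's addresses.
SAMPLE_EXCHANGE = [
    ("S", "220 FTP server ready"),
    ("C", "USER alex"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Logged in"),
    ("C", "PORT 10,1,1,10,161,111"),   # active: 161*256+111 = 41327
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,1,1,4,195,80)"),  # passive: 195*256+80 = 50000
    ("C", "RETR file.txt"),
]

if __name__ == "__main__":
    for hole in track_session("10.1.1.10", "10.1.1.4", SAMPLE_EXCHANGE):
        print(hole)
```

The strict peer check is the part worth keeping in mind when the helper stays enabled on an interface that carries untrusted clients: without it, a PORT command is a request to the firewall to open a hole toward any host on the client's say-so, which is exactly the hole a "fairly tight firewall" is meant not to have.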