Hi all!

I have known of that problem since RC1 (possibly the first version in which I
tried it). It hasn't been fixed in 1.0-SNAPSHOT-09-27-06. Since there are some
tweaks with it, I wanted to discuss it before writing a bug report.

The main problem is that, it seems, the FTP-Helper for the WAN
interface is never started. The second one is that it isn't possible to
give the FTP-Helper a source IP address other than that of the interface
it's enabled for.

The FTP-Helper (pftpx) is started from system_start_ftp_helpers() in
config.inc, line 1363ff. It first builds an array to work with. That
array contains only the LAN and the OPT interfaces, not the WAN interface.
In a loop over that array ($iflist) the FTP-Helper is started if
$disableftpproxy isn't set for the interface. If no IP address is bound
to the interface, ftpsesame is used. Correct me if I'm wrong, but that
can only happen if the interface is the WAN interface.

To sum up: In system_start_ftp_helpers() the FTP-Helper isn't started
for the WAN interface.

I searched further and found some code in filter_nat_rules_generate(),
in filter.inc, line 529ff.

Here, the nat anchor is defined first, then the anchor for redirects.
Next comes the same as above: an array is built to work with (without an
entry for the WAN interface), and in a loop the redirection rules for the
FTP-Helper are created (line 713ff).

In line 818ff the FTP-Helper is started for interfaces with port forwarding
which don't have $disableftpproxy set. If the FTP server isn't
configured with port forwarding on the WAN interface (because it has a
routable address), the FTP-Helper isn't started for it.

Now my question: is this correct? How am I able to connect to my publicly
routable FTP server in the DMZ and make FTP data connections to it?

The second item is a problem with our (bad) network design: between the
internet router and the FW there is a private transfer net
(10.0.0.0/24). Therefore our FW has a private external (WAN) IP address.
The hosts in the DMZ are fully routable and have a public IP address,
so the pfsense box has one too. Internal IP addresses are private ones.
To make FTP work from inside to outside, I have to start the FTP-Helper
with a publicly reachable IP address as source IP, but pfsense launches
the FTP-Helper with the WAN IP address as source. What I want to do is
launch the FTP-Helper with my own proxy source IP (the one from the DMZ
interface in my case). pftpx gives me the following option for that:

-p address
             Proxy source address.  The proxy will use this as the 
             source address to connect to servers.

So is it possible to configure another source IP for pftpx anywhere in
pfsense? A hidden option for that rare case (it may also be an
advantage in the case of virtual IPs, carp for example) would be fine.

BR, PIT


---------------------------------------------------------------------------
 copyleft(c) by |   _-_     "Never make any mistaeks." (Anonymous, in a
 Peter Allgeyer | 0(o_o)0   mail discussion about to a kernel bug report.)
---------------oOO--(_)--OOo-----------------------------------------------


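The helper launch logic described in the post, modelled as an added example (this is illustrative code, not pfSense's system_start_ftp_helpers()): the current behaviour skips the WAN interface and always uses the interface address as the pftpx source, while the proposed variant includes WAN and honours a hypothetical per-interface `ftpproxysource` setting passed as `pftpx -p`. The `Iface` class, the `ftpproxysource` field and the sample addresses are assumptions constructed for the demonstration.

```python
# Simplified model of the per-interface FTP helper launch described in the
# post. Illustrative code only, not pfSense's system_start_ftp_helpers().
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str                             # "wan", "lan", "opt1", ...
    ip: Optional[str]                     # None when no address is bound
    disableftpproxy: bool = False         # existing per-interface setting
    ftpproxysource: Optional[str] = None  # hypothetical setting -> pftpx -p


def helper_interfaces(ifaces, include_wan=False):
    """Interfaces a helper is launched for. As the post describes, the list
    is LAN plus OPTx only; include_wan=True is the proposed change."""
    return [
        i for i in ifaces
        if (include_wan or i.name != "wan") and not i.disableftpproxy
    ]


def helper_command(iface):
    """Command line for one interface. With no bound address the post says
    ftpsesame is used instead of pftpx; its flags are not modelled here."""
    if iface.ip is None:
        return ["ftpsesame"]  # placeholder, no flags assumed
    # Proxy source: the hypothetical override if set, else the interface IP
    # (which is what the post says pfSense does today).
    source = iface.ftpproxysource or iface.ip
    return ["pftpx", "-p", source]


def plan_helpers(ifaces, include_wan=False):
    """Map interface name -> helper command for each interface that gets one."""
    return {i.name: helper_command(i)
            for i in helper_interfaces(ifaces, include_wan)}


# Constructed sample mirroring the post's topology: private WAN behind a
# transfer net, private LAN, publicly routable DMZ on opt1, unbound opt2.
SAMPLE = [
    Iface("wan", "10.0.0.2", ftpproxysource="203.0.113.1"),
    Iface("lan", "192.168.1.1"),
    Iface("opt1", "203.0.113.1"),
    Iface("opt2", None),
]

if __name__ == "__main__":
    print("current :", plan_helpers(SAMPLE))
    print("proposed:", plan_helpers(SAMPLE, include_wan=True))
```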