RE: [pfSense Support] FTP proxy
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Thursday, October 08, 2009 6:26 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP proxy

> On Thu, Oct 8, 2009 at 9:23 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> Been banging my head on the FTP proxy for a little while on a box that has a lot of 1:1 NAT – finally did a dump of the PF ruleset, and saw this little gem. What's goin on? ;) How can I… not have this rule?
>
> That's not related to your problem. FTP proxy can't work with 1:1 NAT.

Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work. ☺

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com
Re: [pfSense Support] FTP proxy
On Wed, Nov 4, 2009 at 3:01 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work. ☺

How many ftp servers do you need to support? If only one, then ignore that you have 1:1 NAT and just set up the ftp with the ftp proxy as per the instructions on the wiki and have it map the ftp port to your ftp server. This is what I do. In this configuration, it is just coincidence that the server has a 1:1 mapping on it. We advertise the ftp server as a different hostname so that makes it easier to move its IP to that of the main firewall IP.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] FTP proxy
Nathan Eisenberg wrote:
> Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work. ☺
>
> Best Regards,
> Nathan Eisenberg

Which PORT command results in '500 Illegal PORT command'?

Evgeny
Re: [pfSense Support] FTP proxy
On Wed, 4 Nov 2009, Evgeny Yurchenko wrote:
> Nathan Eisenberg wrote:
>> Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work.
>
> Which PORT command results in '500 Illegal PORT command'?

That happens when there's not any stateful FTP inspection, i.e. to map the internal RFC1918 space to a public IP address per the 1:1 NAT, as is used by the FTP protocol to open up a socket. There's only one PORT command.

--
William R. Lorenz
Re: [pfSense Support] FTP proxy
Hi Nathan,

Nathan Eisenberg wrote:
> Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work.

I can never keep the two straight, but try either active or passive mode (try the opposite of what you're using, or try them both -- there's only two). One will open data connections from server-client and the other will do the same from client-server. May work depending on your setup.

The other [better] way to do it would be to have your FTP protocol re-written (inspected, in Cisco parlance) for the 1:1 NAT translation.

Hope this helps,

--
William R. Lorenz
Re: [pfSense Support] FTP proxy
William R. Lorenz wrote:
> On Wed, 4 Nov 2009, Evgeny Yurchenko wrote:
>> Nathan Eisenberg wrote:
>>> Sorry for bringing this back up – what's the correct way to implement an FTP server behind a 1:1 NAT and not receive 500 Illegal PORT command? I don't care if it uses the proxy, I just want incoming FTP connections to work.
>>
>> Which PORT command results in '500 Illegal PORT command'?
>
> That happens when there's not any stateful FTP inspection, i.e. to map the internal RFC1918 space to a public IP address per the 1:1 NAT, as is used by the FTP protocol to open up a socket. There's only one PORT command.

PORT command is used only if client establishes ACTIVE FTP session. By question 'which PORT ...' I meant content of PORT command because if this command contains local IP address of client and the request for FTP session (communication over port 21) came from public IP address then the server most probably will give you something like 500 Illegal PORT command.

FTP server can work behind pfSense with or without 1:1 NAT, with or without ftp-proxy (if 1:1 NAT is not used).

Evgeny.
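Evgeny's explanation above, as an added example that is not part of the thread: a small Python model of the consistency check an FTP server applies before answering "500 Illegal PORT command", and of the PORT rewrite a NAT-aware FTP proxy performs so that the check passes. The client and public addresses are constructed; the unprivileged-port rule is modelled on common server behaviour and is an assumption, not something the thread states.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Parse a PORT command line into (ip, port); None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_port(line, control_peer_ip):
    """Server-side check behind '500 Illegal PORT command': the address in
    PORT must be the host the control connection came from (a private
    RFC1918 address arriving from a public peer fails this), and the data
    port must be unprivileged (assumed rule, modelled on common servers)."""
    parsed = parse_port(line)
    if parsed is None:
        return "500 Illegal PORT command."
    ip, port = parsed
    if ip != control_peer_ip or port < 1024:
        return "500 Illegal PORT command."
    return "200 PORT command successful."


def rewrite_port(line, public_ip):
    """What a NAT-aware FTP proxy does to an outgoing PORT: swap the client's
    private address for the translated public address, keeping the port."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    port = parsed[1]
    return "PORT %s,%d,%d" % (public_ip.replace(".", ","), port // 256, port % 256)


# Constructed scenario: client 192.168.1.50 sits behind NAT with public address
# 203.0.113.10 and opens an active-mode session; the server sees 203.0.113.10.
CLIENT_PORT_CMD = "PORT 192,168,1,50,4,1"   # data port 4*256+1 = 1025
NAT_PUBLIC_IP = "203.0.113.10"

if __name__ == "__main__":
    print("without proxy:", check_port(CLIENT_PORT_CMD, NAT_PUBLIC_IP))
    fixed = rewrite_port(CLIENT_PORT_CMD, NAT_PUBLIC_IP)
    print("rewritten as :", fixed)
    print("with proxy   :", check_port(fixed, NAT_PUBLIC_IP))
```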
Re: [pfSense Support] FTP proxy
On Thu, Oct 8, 2009 at 9:23 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Been banging my head on the FTP proxy for a little while on a box that has a lot of 1:1 NAT – finally did a dump of the PF ruleset, and saw this little gem. What's goin on? ;) How can I… not have this rule?

That's not related to your problem. FTP proxy can't work with 1:1 NAT.
Re: [pfSense Support] FTP-Proxy Helper
Scott Ullrich wrote:
> On 12/1/06, Josep Pujadas i Jubany [EMAIL PROTECTED] wrote:
>> # ps -aux | grep pftpx
>> proxy 10495 0.0 0.2 656 496 ?? Ss 8:40PM 0:00.99 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.XXX.1
>> root 24713 0.0 0.4 1464 952 p0 R+ 8:05PM 0:00.01 grep pftpx
>>
>> where 192.168.XXX.1 is my LAN interface. Is it normal?
>
> Yes.

But there's no reason at all to put that IP address on the pftpx command line (it's not even parsed), as well as -g 8021, which is not used unless '-f' is specified.

Angelo.
Re: [pfSense Support] FTP-Proxy Helper
This again? We have already been over this. I am happily awaiting your patches.

On 12/3/06, Angelo Turetta [EMAIL PROTECTED] wrote:
> Scott Ullrich wrote:
>> On 12/1/06, Josep Pujadas i Jubany [EMAIL PROTECTED] wrote:
>>> # ps -aux | grep pftpx
>>> proxy 10495 0.0 0.2 656 496 ?? Ss 8:40PM 0:00.99 /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.XXX.1
>>> root 24713 0.0 0.4 1464 952 p0 R+ 8:05PM 0:00.01 grep pftpx
>>>
>>> where 192.168.XXX.1 is my LAN interface. Is it normal?
>>
>> Yes.
>
> But there's no reason at all to put that IP address on the pftpx command line (it's not even parsed), as well as -g 8021, which is not used unless '-f' is specified.
>
> Angelo.