Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Evgeny Yurchenko

Cihan Saglamoz wrote:
Client from somewhere wants to connect to the ftp servers (more than 
1) behind the pfsense..





Cihan SAĞLAMÖZ



On Fri, Jun 11, 2010 at 4:25 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:


Cihan Saglamoz wrote:

Hi,

Is there a way for allowing passive ftp on pfsense?


I don't want to give permit all ports between 1024 - 65535


Cihan

Your client behind pfSense wants to connect to public FTP-server
somewhere outside?
Or client from somewhere outside want to connect to FTP-server
which is sitting behind your pfSense?



Usually you do not need to send e-mail twice; we receive it after your 
first attempt.
If your server is behind pfsense then it depends on your server 
configuration - what ports to open and to map to this server. So you 
decide which range to be used.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Cihan Saglamoz
Client from somewhere wants to connect to the ftp servers (more than 1)
behind the pfsense.

Cihan



On Fri, Jun 11, 2010 at 4:25 PM, Evgeny Yurchenko wrote:

> Cihan Saglamoz wrote:
>
>> Hi,
>>
>> Is there a way for allowing passive ftp on pfsense?
>>
>>
>> I don't want to give permit all ports between 1024 - 65535
>>
>>
>> Cihan
>>
> Your client behind pfSense wants to connect to public FTP-server somewhere
> outside?
> Or client from somewhere outside want to connect to FTP-server which is
> sitting behind your pfSense?
>
>


Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Cihan Saglamoz
Client from somewhere wants to connect to the ftp servers (more than 1)
behind the pfsense..




Cihan SAĞLAMÖZ



On Fri, Jun 11, 2010 at 4:25 PM, Evgeny Yurchenko wrote:

> Cihan Saglamoz wrote:
>
>> Hi,
>>
>> Is there a way for allowing passive ftp on pfsense?
>>
>>
>> I don't want to give permit all ports between 1024 - 65535
>>
>>
>> Cihan
>>
> Your client behind pfSense wants to connect to public FTP-server somewhere
> outside?
> Or client from somewhere outside want to connect to FTP-server which is
> sitting behind your pfSense?
>
>


Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Evgeny Yurchenko

Cihan Saglamoz wrote:

Hi,

Is there a way for allowing passive ftp on pfsense?


I don't want to give permit all ports between 1024 - 65535


Cihan
Your client behind pfSense wants to connect to public FTP-server 
somewhere outside?
Or client from somewhere outside want to connect to FTP-server which is 
sitting behind your pfSense?





Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Eugen Leitl
On Fri, Jun 11, 2010 at 12:48:43PM +0300, Cihan Saglamoz wrote:
> I used it. But problem still goes on.
> 
> 
> on ftp helper I checked "*Disable the userland FTP-Proxy application"
> 
> is that true?
> 
> 
> I'm not using nat. I have public ip's on LAN interface. I have routing on
> isp's router. They routed my public ip blocks to my firewalls wan interface.
> 
> 
> Do you have any opinion about it?

Sounds like big trouble. You're going to need plenty of legal advice before 
this thing is over. As your attorney, I advise you to rent a very fast car with 
no top. And you'll need the cocaine. Tape recorder for special music. Acapulco 
shirts. Get the hell out of L.A. for at least 48 hours. Blows my weekend. 

> *
> 
> Cihan

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Cihan Saglamoz
I used it. But problem still goes on.


on ftp helper I checked "*Disable the userland FTP-Proxy application"

is that true?


I'm not using nat. I have public ip's on LAN interface. I have routing on
isp's router. They routed my public ip blocks to my firewalls wan interface.


Do you have any opinion about it?
*

Cihan


On Fri, Jun 11, 2010 at 12:40 PM, Chris Buechler wrote:

> On Fri, Jun 11, 2010 at 5:20 AM, Cihan Saglamoz
>  wrote:
> > Hi,
> >
> > Is there a way for allowing passive ftp on pfsense?
> >
>
> Use the FTP helper.
>


Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Cihan Saglamoz
I used it. But problem still goes on.


on ftp helper I checked "*Disable the userland FTP-Proxy application"

is that true?


I'm not using nat. I have public ip's on LAN interface. I have routing on
isp's router. They routed my public ip blocks to my firewalls wan interface.


Do you have any opinion about it?
*

Cihan

On Fri, Jun 11, 2010 at 12:40 PM, Chris Buechler wrote:

> On Fri, Jun 11, 2010 at 5:20 AM, Cihan Saglamoz
>  wrote:
> > Hi,
> >
> > Is there a way for allowing passive ftp on pfsense?
> >
>
> Use the FTP helper.
>


Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Chris Buechler
On Fri, Jun 11, 2010 at 5:20 AM, Cihan Saglamoz
 wrote:
> Hi,
>
> Is there a way for allowing passive ftp on pfsense?
>

Use the FTP helper.




Re: [pfSense Support] passive ftp mode problem

2009-10-30 Thread Evgeny Yurchenko

Zhu Sha Zang wrote:


Hey, i have a problem with ftp.

In my work i have a two network:

1) users -> router1 -> router2 -> internet

2) users -> router2 -> internet

First:

If i try to connect in a ftp server in a internet in the setup 1 the
users cannot do that if the server using passive mode.

But, if the ftp server between router1 and router2 i can connect.

Ftps port connection {20,21} are opened in both pfsense router (1 and 2),

Second:

This time, if i try to connect in the same ftp server, but using
second connection setup i can do everything.

Explaining that in the router1 users have class less ip range in LAN
(aka. 192.168.0.0/24) and router1 configured with nat and a valid ip
in WAN directly connection to a LAN in router2 without NAT.

Any hint?

thanks for now

  
Too little data. NAT? FTP helpers on boxes? As a general hint - for 
passive FTP to work you have to open tcp port range used by remote FTP 
server to accept data connections (if you do not have ftp helper/proxy 
running).

Evgeny.
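
Added example (not part of the original posts): the hint above, like the advice in the 2010 thread earlier on this page that the server's configuration decides which range to open, comes down to what the FTP server announces in its `227` reply to `PASV`. The Python sketch below parses such replies and checks them against the range allowed on the firewall; the addresses, the 50000-50100 range and the sample replies are constructed for illustration.

```python
"""Audit FTP 227 (PASV) replies against a firewall's allowed passive range.
Illustrative code; all addresses, ports and replies below are constructed."""
import ipaddress
import re

# RFC 1918 private ranges: a server behind NAT that advertises one of these
# in its 227 reply cannot be reached by a client out on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 format: "227 <text> (h1,h2,h3,h4,p1,p2)". Some servers omit the
# parentheses, so only the six comma-separated numbers are required here.
SIX_NUMBERS = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    reply = reply.strip()
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = SIX_NUMBERS.search(reply[3:])
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % reply)
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]      # data port = p1 * 256 + p2
    return host, port


def audit_pasv(reply, control_ip, allowed_ports):
    """Check one 227 reply as seen by a client that connected to control_ip.

    allowed_ports is the (low, high) TCP range the firewall passes to the
    server. Returns a list of findings; an empty list means the data
    connection can be expected to get through.
    """
    host, port = parse_pasv(reply)
    low, high = allowed_ports
    findings = []
    if host != control_ip:
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in RFC1918):
            findings.append("advertises private address %s" % host)
        else:
            findings.append("advertises %s, control connection used %s"
                            % (host, control_ip))
    if not low <= port <= high:
        findings.append("data port %d outside allowed range %d-%d"
                        % (port, low, high))
    return findings


# Constructed replies: one good, one leaking the server's LAN address,
# one using a port the firewall rule does not cover.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,90)",
    "227 Entering Passive Mode (192,168,1,20,195,90)",
    "227 Entering Passive Mode (203,0,113,10,4,1)",
]

if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        result = audit_pasv(line, "203.0.113.10", (50000, 50100))
        print(line, "->", result or "ok")
```

A private address in the reply means nothing on the path rewrote it to the public one; an out-of-range port means the server's passive range and the firewall rule disagree.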





RE: [pfSense Support] Passive FTP and Virtual IPs

2006-07-20 Thread Bennett
A...excellent.  That's how I THOUGHT it should work--by NAT instead
of interface.  Seems I'm not quite as lost as I thought.  Any idea when
it will be available for public consumption?  Need testers?  I got 2
non-critical FTPs on virtual IPs myself and a client with 2 offices,
each with employee-only FTP on virtual IP.

--Bennett



-Original Message-
From: Peter Allgeyer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 20, 2006 3:58 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Passive FTP and Virtual IPs

Am Donnerstag, den 20.07.2006, 11:10 -0500 schrieb Bennett:
> It's my understanding that FTP-proxy works only on the interface IP, 
> not on virtual IPs.  Is that correct?  If so, that's horribly 
> limiting, especially on the WAN.  Is there no way to configure it for 
> virtual IPs via a shell command or something?

It's already in HEAD, though I haven't had the time to test it:
http://www.pfsense.com/~sullrich/pics/FirewallNATPort%20ForwardEdit1152049041307.png

BR,
  PIT




---
 copyleft(c) by |   "How do you pronounce SunOS?" "Just like you
 Peter Allgeyer |   _-_ hear it, with a big SOS"   -- dedicated to
| 0(o_o)0   Roland Kaltefleiter
---oOO--(_)--OOo
---






Re: [pfSense Support] Passive FTP and Virtual IPs

2006-07-20 Thread Peter Allgeyer
Am Donnerstag, den 20.07.2006, 11:10 -0500 schrieb Bennett:
> It's my understanding that FTP-proxy works only on the interface IP,
> not on virtual IPs.  Is that correct?  If so, that's horribly
> limiting, especially on the WAN.  Is there no way to configure it for
> virtual IPs via a shell command or something?

It's already in HEAD, though I haven't had the time to test it:
http://www.pfsense.com/~sullrich/pics/FirewallNATPort%20ForwardEdit1152049041307.png

BR,
  PIT



---
 copyleft(c) by |   "How do you pronounce SunOS?" "Just like you
 Peter Allgeyer |   _-_ hear it, with a big SOS"   -- dedicated to
| 0(o_o)0   Roland Kaltefleiter
---oOO--(_)--OOo---






Re: [pfSense Support] passive FTP

2006-06-07 Thread Brad Bendy
I will do this tonight, I'm not rebooting my primary FW during the day, but I 
guess if I had CARP setup I could :) That's next week's project.

Will get you a full report tonight!

Thanks again for all the help
On Wednesday 07 June 2006 10:16, Scott Ullrich wrote:
> On 6/7/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > Well you're 100% right, if the IP is set to PARP it will not work, I do
> > have two instances of pftpx though, one with just the private IP, and
> > then one with private and public, and all works well now, did have to
> > reboot after setting the VIP's to CARP and re-adding the firewall rule,
> > but all works perfect now.
>
> Okay good.  Now we are on to something.   I guess pftpx is failing to
> launch due to the ip not really existing on an interface (not good).
>
> Can you do a test for me?   Do a ps awwwux | grep pftpx and find the
> process that is running at the moment that allows ftp to work.
>
> Now change CARP back to a PROXYARP type and reboot.  Once the firewall
> is up, try launching that pftpx command from a shell window and let's
> see what the error is.  I bet money it's not seeing the ip bound to an
> interface and just errors out.
>
> Thanks for working with me to track this down!!
>



Re: [pfSense Support] passive FTP

2006-06-07 Thread Scott Ullrich

On 6/7/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

Well you're 100% right, if the IP is set to PARP it will not work, I do have two
instances of pftpx though, one with just the private IP, and then one with
private and public, and all works well now, did have to reboot after setting
the VIP's to CARP and re-adding the firewall rule, but all works perfect now.


Okay good.  Now we are on to something.   I guess pftpx is failing to
launch due to the ip not really existing on an interface (not good).

Can you do a test for me?   Do a ps awwwux | grep pftpx and find the
process that is running at the moment that allows ftp to work.

Now change CARP back to a PROXYARP type and reboot.  Once the firewall
is up, try launching that pftpx command from a shell window and let's
see what the error is.  I bet money it's not seeing the ip bound to an
interface and just errors out.

Thanks for working with me to track this down!!




Re: [pfSense Support] passive FTP

2006-06-07 Thread Brad Bendy
Well you're 100% right, if the IP is set to PARP it will not work, I do have two 
instances of pftpx though, one with just the private IP, and then one with 
private and public, and all works well now, did have to reboot after setting 
the VIP's to CARP and re-adding the firewall rule, but all works perfect now.

Thanks again for all the help!
Brad
On Monday 05 June 2006 22:00, Scott Ullrich wrote:
> On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > I've removed and re-added the FTP NAT entry. It did say it added an entry
> > for FTP helper, but all I see is a firewall rule that adds all port 21
> > for LAN and WAN, and I don't see any denies in the firewall log. Any
> > reason I can't run this command manually that you would be aware of?
> >
> > Thanks again for all the help.
>
> It also adds a NAT rule for this in port forward.   With the firewall
> rule it should launch a pftpx process for this public ip.  You can
> simply do a ps awux | grep pftpx | grep $publicip
>
> Replace $publicip with your WAN address.
>
> Scott
>



Re: [pfSense Support] passive FTP

2006-06-06 Thread Scott Ullrich

On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

I think it won't let me setup the WAN address because that address is being
used by choparp, I have to set my WAN IP's to use proxy ARP because of a
strange reason with my carrier. Could that be causing this entire fiasco?


Not sure but the easy way to find out is to change your ProxyARP ip
over to CARP and retest.   If it works okay then that gives us a
little more information to go on.




Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
I think it won't let me setup the WAN address because that address is being 
used by choparp, I have to set my WAN IP's to use proxy ARP because of a 
strange reason with my carrier. Could that be causing this entire fiasco?


On Monday 05 June 2006 22:00, Scott Ullrich wrote:
> On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > I've removed and re-added the FTP NAT entry. It did say it added an entry
> > for FTP helper, but all I see is a firewall rule that adds all port 21
> > for LAN and WAN, and I don't see any denies in the firewall log. Any
> > reason I can't run this command manually that you would be aware of?
> >
> > Thanks again for all the help.
>
> It also adds a NAT rule for this in port forward.   With the firewall
> rule it should launch a pftpx process for this public ip.  You can
> simply do a ps awux | grep pftpx | grep $publicip
>
> Replace $publicip with your WAN address.
>
> Scott
>



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

I've removed and re-added the FTP NAT entry. It did say it added an entry for
FTP helper, but all I see is a firewall rule that adds all port 21 for LAN
and WAN, and I don't see any denies in the firewall log. Any reason I can't run
this command manually that you would be aware of?

Thanks again for all the help.


It also adds a NAT rule for this in port forward.   With the firewall
rule it should launch a pftpx process for this public ip.  You can
simply do a ps awux | grep pftpx | grep $publicip

Replace $publicip with your WAN address.

Scott




Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
I've removed and re-added the FTP NAT entry. It did say it added an entry for 
FTP helper, but all I see is a firewall rule that adds all port 21 for LAN 
and WAN, and I don't see any denies in the firewall log. Any reason I can't run 
this command manually that you would be aware of?

Thanks again for all the help.

On Monday 05 June 2006 21:25, Scott Ullrich wrote:
> On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > Right now FTP helper is on WAN and LAN, and the output of ps awux | grep
> > pftpx shows:
> > /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.xxx.xxx
> >
> > Not even 2 IP's at all.
> >
> > Also, the IP above is LAN IP of the firewall not the server that FTP is
> > running on at all.
> >
> > If I try to run it manually, I get a "Can't assign requested address"
> > /usr/local/sbin/pftpx -f 192.168.xxx.xxx -b 66.xxx.xxx.xxx -c 21 -g 21
> >
> > Let me know if I can try anything else.
>
> That is the LAN redirect.  It sounds like you are missing the WAN redirect.
>
> Try deleting the item once more on NAT and RULES -> WAN and start over
> by adding a NAT -> Port forward entry for dest. 21.
>
> Make sure allow is checked then fine tune the rule.
>
> If after this it still doesn't appear (even after reboot) I need to
> dive in further.
>



RE: [pfSense Support] passive FTP

2006-06-05 Thread Robert Goley
Thank you for the link.  It missed that.  I saw that there were issues with
load balancing.  That was part of the reason I used policy based dual wan
config.  Scott, I appreciate all the time you put into this.  I know this one
is a pain.  I also wish FTP would go away.  I have to recode part of our
application to totally get rid of it though.  Just wanted to thank the dev
team for all the work in pfsense.  I know it is a work in progress, but it is
working great.  What do you guys want for Christmas again?...

Robert

On Tue, 6 Jun 2006 00:52:54 +0200, Holger Bauer wrote
> Dual WAN and ftp is a different story:
>
> http://faq.pfsense.com/index.php?action=artikel&cat=1&id=142&artlang=en&highlight=userland
> 
> Holger
> 
> > -Original Message-
> > From: Robert Goley [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 05, 2006 11:53 PM
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] passive FTP
> > 
> > 
> > I have a similar situation and have not been able to make 
> > this work.  I have a 
> > dual wan policy based setup.  Wan interface is DHCP cable 
> > modem.  OPT1 is DSL 
> > with static IPs.  I have tried setting up a port forward for ftp from 
> > OPT1->LAN.  This have failed several ways.  What are the 
> > official steps for 
> > setting this up.  I know Scott mentioned enabling ftpx for passive 
> > connections.  Others have said to open other port ranges but 
> > not much details 
> > as to which ones.  I am using wu-ftpd for the ftp server.  
> > Currently, turning 
> > pftpx seems to break things more than not having it.  Without 
> > it some clients 
> > can connect and others such as wget can not.  With it on, nothing can 
> > connect.  Even "telnet IP_ADDRESS 21" fails.  It starts to 
> > connect to the 
> > port and then is immediately dropped.  Any help or hints 
> > would be greatly 
> > appreciated.  
> > 
> > Robert
> > 
> > On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> > >
> > > On 6/1/06, Bernhard Ledermann 
> > <[EMAIL PROTECTED]> wrote:
> > > > I am using an ftp-server behind pfsense (beta4) with NAT. 
> > I have problems
> > > > with ftp-clients in passive mode witch are also behind a 
> > firewall with
> > > > NAT to browse the ftp-directory.
> > > >
> > > > I know there were few discussions about this, but is 
> > there a solution or
> > > > workaround to get it working?
> > > >
> > > >
> > > >
> > > > Regards
> > > >
> > > > Bernie
> > >


--
RDA Systems Inc. (http://www.Fund-Accounting.com)





Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

Right now FTP helper is on WAN and LAN, and the output of ps awux | grep pftpx
shows:
/usr/local/sbin/pftpx -c 8021 -g 8021 192.168.xxx.xxx

Not even 2 IP's at all.

Also, the IP above is LAN IP of the firewall not the server that FTP is
running on at all.

If I try to run it manually, I get a "Can't assign requested address"
/usr/local/sbin/pftpx -f 192.168.xxx.xxx -b 66.xxx.xxx.xxx -c 21 -g 21

Let me know if I can try anything else.


That is the LAN redirect.  It sounds like you are missing the WAN redirect.

Try deleting the item once more on NAT and RULES -> WAN and start over
by adding a NAT -> Port forward entry for dest. 21.

Make sure allow is checked then fine tune the rule.

If after this it still doesn't appear (even after reboot) I need to
dive in further.




Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
Right now FTP helper is on WAN and LAN, and the output of ps awux | grep pftpx 
shows:
/usr/local/sbin/pftpx -c 8021 -g 8021 192.168.xxx.xxx

Not even 2 IP's at all.

Also, the IP above is LAN IP of the firewall not the server that FTP is 
running on at all.

If I try to run it manually, I get a "Can't assign requested address"
/usr/local/sbin/pftpx -f 192.168.xxx.xxx -b 66.xxx.xxx.xxx -c 21 -g 21

Let me know if I can try anything else.


On Monday 05 June 2006 21:08, Scott Ullrich wrote:
> On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > Yup, Primary and only WAN. I'm only trying this on one IP right now (not
> > the IP of the firewall itself, but a Virtual IP).
>
> If the WAN ftp helper is running, it should look like this:
>
> # ps awux | grep pftpx
> proxy15757  0.0  0.3   656   428  ??  Ss   12:51PM   0:00.46
> /usr/local/sbin/pftpx -f 10.0.0.180 -b XXX.XXX..81.16 -c 21 -g 21
>
> That address BTW is a public address, not residing in any private
> space.  X'd out for obvious reasons.
>
> If pftpx is still running on the wrong IP I need to open a ticket on this.
>



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

On 6/6/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

Yup, Primary and only WAN. I'm only trying this on one IP right now (not the IP
of the firewall itself, but a Virtual IP).


If the WAN ftp helper is running, it should look like this:

# ps awux | grep pftpx
proxy15757  0.0  0.3   656   428  ??  Ss   12:51PM   0:00.46
/usr/local/sbin/pftpx -f 10.0.0.180 -b XXX.XXX..81.16 -c 21 -g 21

That address BTW is a public address, not residing in any private
space.  X'd out for obvious reasons.

If pftpx is still running on the wrong IP I need to open a ticket on this.




Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
Yup, Primary and only WAN. I'm only trying this on one IP right now (not the IP 
of the firewall itself, but a Virtual IP).

On Monday 05 June 2006 21:01, Scott Ullrich wrote:
> And you are redirecting this from the primary wan right?
>
> On 6/5/06, Brad Bendy <[EMAIL PROTECTED]> wrote:
> > Actually, upon looking at this again, the "pftpx" application is running
> > with arguments of -c 8021 and -g 8021 and then the LAN IP address. How
> > does it know what ports it's supposed to use? I'm using standard 21 and then
> > 3-35000 for the data ports, I'm going to do some more in depth
> > research on the pftpx application as well. Or am I totally confused as to
> > how this works?
> >
> > I have just rebooted, and upon reboot I'm still getting the LAN IP, and
> > still nothing.
> >
> > Thanks
> > Brad
> >
> > On Monday 05 June 2006 20:42, Brad Bendy wrote:
> > > FTP is just evil, I wish people would stop using it!!! Is a reboot
> > > required when you make changes to the FTP helper? Anyway I can just
> > > force the ftpproxy, mine is showing the LAN IP (but I haven't rebooted
> > > yet).
> > >
> > > Thanks
> > > Brad
> > >
> > > On Monday 05 June 2006 15:51, Scott Ullrich wrote:
> > > > The bottom line is that it should work with the FTP helpers on.   I
> > > > have invested damn near 80 hours in making FTP work in every
> > > > situation that I could.  At this point I don't know what to do or say
> > > > as it works in every single install that I have access to.  Really
> > > > > sorry that I don't have more information.
> > > >
> > > > Scott
> > > >
> > > > On 6/5/06, Robert Goley <[EMAIL PROTECTED]> wrote:
> > > > > I have a similar situation and have not been able to make this
> > > > > work.  I have a dual wan policy based setup.  Wan interface is DHCP
> > > > > cable modem. OPT1 is DSL with static IPs.  I have tried setting up
> > > > > a port forward for ftp from OPT1->LAN.  This have failed several
> > > > > ways.  What are the official steps for setting this up.  I know
> > > > > Scott mentioned enabling ftpx for passive connections.  Others have
> > > > > said to open other port ranges but not much details as to which
> > > > > ones.  I am using wu-ftpd for the ftp server.  Currently, turning
> > > > > pftpx seems to break things more than not having it.  Without it
> > > > > some clients can connect and others such as wget can not.  With it
> > > > > on, nothing can connect.  Even "telnet IP_ADDRESS 21" fails.  It
> > > > > starts to connect to the port and then is immediately dropped. Any
> > > > > help or hints would be greatly appreciated.
> > > > >
> > > > > Robert
> > > > >
> > > > > On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > > > > > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> > > > > >
> > > > > > > On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > > > > > > I am using an ftp-server behind pfsense (beta4) with NAT. I
> > > > > > > > have problems with ftp-clients in passive mode which are also
> > > > > > > behind a firewall with NAT to browse the ftp-directory.
> > > > > > >
> > > > > > > I know there were few discussions about this, but is there a
> > > > > > > solution or workaround to get it working?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Regards
> > > > > > >
> > > > > > > Bernie
> > > > > >
> > > > > > -
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > > ---
> > > > >-- To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

And you are redirecting this from the primary wan right?

On 6/5/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

Actually, upon looking at this again, the "pftpx" application is running with
arguments of -c 8021 and -g 8021 and then the LAN IP address. How does it
know what ports it's supposed to use? I'm using standard 21 and then 3-35000
for the data ports, I'm going to do some more in depth research on the pftpx
application as well. Or am I totally confused as to how this works?

I have just rebooted, and upon reboot I'm still getting the LAN IP, and still
nothing.

Thanks
Brad

On Monday 05 June 2006 20:42, Brad Bendy wrote:
> FTP is just evil, I wish people would stop using it!!! Is a reboot required
> when you make changes to the FTP helper? Anyway I can just force the
> ftpproxy, mine is showing the LAN IP (but I haven't rebooted yet).
>
> Thanks
> Brad
>
> On Monday 05 June 2006 15:51, Scott Ullrich wrote:
> > The bottom line is that it should work with the FTP helpers on.   I
> > have invested damn near 80 hours in making FTP work in every situation
> > that I could.  At this point I don't know what to do or say as it
> > works in every single install that I have access to.  Really sorry
> > that I don't have more information.
> >
> > Scott
> >
> > On 6/5/06, Robert Goley <[EMAIL PROTECTED]> wrote:
> > > I have a similar situation and have not been able to make this work.  I
> > > have a dual wan policy based setup.  Wan interface is DHCP cable modem.
> > > OPT1 is DSL with static IPs.  I have tried setting up a port forward
> > > for ftp from OPT1->LAN.  This have failed several ways.  What are the
> > > official steps for setting this up.  I know Scott mentioned enabling
> > > ftpx for passive connections.  Others have said to open other port
> > > ranges but not much details as to which ones.  I am using wu-ftpd for
> > > the ftp server.  Currently, turning pftpx seems to break things more
> > > than not having it.  Without it some clients can connect and others
> > > such as wget can not.  With it on, nothing can connect.  Even "telnet
> > > IP_ADDRESS 21" fails.  It starts to connect to the port and then is
> > > immediately dropped. Any help or hints would be greatly appreciated.
> > >
> > > Robert
> > >
> > > On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > > > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> > > >
> > > > On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > > > > I am using an ftp-server behind pfsense (beta4) with NAT. I have
> > > > > > problems with ftp-clients in passive mode which are also behind a
> > > > > firewall with NAT to browse the ftp-directory.
> > > > >
> > > > > I know there were few discussions about this, but is there a
> > > > > solution or workaround to get it working?
> > > > >
> > > > >
> > > > >
> > > > > Regards
> > > > >
> > > > > Bernie
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
Actually, upon looking at this again, the "pftpx" application is running with 
arguments of -c 8021 and -g 8021 and then the LAN IP address. How does it 
know what ports it's supposed to use? I'm using standard 21 and then 3-35000 
for the data ports, I'm going to do some more in-depth research on the pftpx 
application as well. Or am I totally confused as to how this works?

I have just rebooted, and upon reboot I'm still getting the LAN IP, and still 
nothing.

Thanks
Brad

On Monday 05 June 2006 20:42, Brad Bendy wrote:
> FTP is just evil, I wish people would stop using it!!! Is a reboot required
> when you make changes to the FTP helper? Anyway I can just force the
> ftpproxy, mine is showing the LAN IP (but I haven't rebooted yet).
>
> Thanks
> Brad
>
> On Monday 05 June 2006 15:51, Scott Ullrich wrote:
> > The bottom line is that it should work with the FTP helpers on.   I
> > have invested damn near 80 hours in making FTP work in every situation
> > that I could.  At this point I don't know what to do or say as it
> > works in every single install that I have access to.  Really sorry
> > that I don't have more information.
> >
> > Scott
> >
> > On 6/5/06, Robert Goley <[EMAIL PROTECTED]> wrote:
> > > I have a similar situation and have not been able to make this work.  I
> > > have a dual wan policy based setup.  Wan interface is DHCP cable modem.
> > > OPT1 is DSL with static IPs.  I have tried setting up a port forward
> > > for ftp from OPT1->LAN.  This has failed several ways.  What are the
> > > official steps for setting this up?  I know Scott mentioned enabling
> > > ftpx for passive connections.  Others have said to open other port
> > > ranges but not much details as to which ones.  I am using wu-ftpd for
> > > the ftp server.  Currently, turning pftpx seems to break things more
> > > than not having it.  Without it some clients can connect and others
> > > such as wget can not.  With it on, nothing can connect.  Even "telnet
> > > IP_ADDRESS 21" fails.  It starts to connect to the port and then is
> > > immediately dropped. Any help or hints would be greatly appreciated.
> > >
> > > Robert
> > >
> > > On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > > > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> > > >
> > > > On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > > > > I am using an ftp-server behind pfsense (beta4) with NAT. I have
> > > > > problems with ftp-clients in passive mode which are also behind a
> > > > > firewall with NAT to browse the ftp-directory.
> > > > >
> > > > > I know there were few discussions about this, but is there a
> > > > > solution or workaround to get it working?
> > > > >
> > > > >
> > > > >
> > > > > Regards
> > > > >
> > > > > Bernie
> > > >



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

On 6/5/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

FTP is just evil, I wish people would stop using it!!! Is a reboot required
when you make changes to the FTP helper? Anyway I can just force the
ftpproxy, mine is showing the LAN IP (but I haven't rebooted yet).


It may just require a reboot.  Give it a try, if it does that gives me
something to go on.

Scott




Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
FTP is just evil, I wish people would stop using it!!! Is a reboot required 
when you make changes to the FTP helper? Anyway I can just force the 
ftpproxy, mine is showing the LAN IP (but I haven't rebooted yet).

Thanks
Brad
On Monday 05 June 2006 15:51, Scott Ullrich wrote:
> The bottom line is that it should work with the FTP helpers on.   I
> have invested damn near 80 hours in making FTP work in every situation
> that I could.  At this point I don't know what to do or say as it
> works in every single install that I have access to.  Really sorry
> that I don't have more information.
>
> Scott
>
> On 6/5/06, Robert Goley <[EMAIL PROTECTED]> wrote:
> > I have a similar situation and have not been able to make this work.  I
> > have a dual wan policy based setup.  Wan interface is DHCP cable modem. 
> > OPT1 is DSL with static IPs.  I have tried setting up a port forward for
> > ftp from OPT1->LAN.  This has failed several ways.  What are the
> > official steps for setting this up?  I know Scott mentioned enabling ftpx
> > for passive connections.  Others have said to open other port ranges but
> > not much details as to which ones.  I am using wu-ftpd for the ftp
> > server.  Currently, turning pftpx seems to break things more than not
> > having it.  Without it some clients can connect and others such as wget
> > can not.  With it on, nothing can connect.  Even "telnet IP_ADDRESS 21"
> > fails.  It starts to connect to the port and then is immediately dropped.
> >  Any help or hints would be greatly appreciated.
> >
> > Robert
> >
> > On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> > >
> > > On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > > > I am using an ftp-server behind pfsense (beta4) with NAT. I have
> > > > problems with ftp-clients in passive mode which are also behind a
> > > > firewall with NAT to browse the ftp-directory.
> > > >
> > > > I know there were few discussions about this, but is there a solution
> > > > or workaround to get it working?
> > > >
> > > >
> > > >
> > > > Regards
> > > >
> > > > Bernie
> > >



RE: [pfSense Support] passive FTP

2006-06-05 Thread Holger Bauer
Dual WAN and ftp is a different story:
http://faq.pfsense.com/index.php?action=artikel&cat=1&id=142&artlang=en&highlight=userland

Holger

> -Original Message-
> From: Robert Goley [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 05, 2006 11:53 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] passive FTP
> 
> 
> I have a similar situation and have not been able to make 
> this work.  I have a 
> dual wan policy based setup.  Wan interface is DHCP cable 
> modem.  OPT1 is DSL 
> with static IPs.  I have tried setting up a port forward for ftp from 
> OPT1->LAN.  This has failed several ways.  What are the 
> official steps for 
> setting this up?  I know Scott mentioned enabling ftpx for passive 
> connections.  Others have said to open other port ranges but 
> not much details 
> as to which ones.  I am using wu-ftpd for the ftp server.  
> Currently, turning 
> pftpx seems to break things more than not having it.  Without 
> it some clients 
> can connect and others such as wget can not.  With it on, nothing can 
> connect.  Even "telnet IP_ADDRESS 21" fails.  It starts to 
> connect to the 
> port and then is immediately dropped.  Any help or hints 
> would be greatly 
> appreciated.  
> 
> Robert
> 
> On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> > Enable the FTP helper on Interfaces -> WAN.  Reboot.
> >
> > On 6/1/06, Bernhard Ledermann 
> <[EMAIL PROTECTED]> wrote:
> > > I am using an ftp-server behind pfsense (beta4) with NAT. 
> I have problems
> > > with ftp-clients in passive mode which are also behind a 
> firewall with
> > > NAT to browse the ftp-directory.
> > >
> > > I know there were few discussions about this, but is 
> there a solution or
> > > workaround to get it working?
> > >
> > >
> > >
> > > Regards
> > >
> > > Bernie
> >
> > 



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

The bottom line is that it should work with the FTP helpers on.   I
have invested damn near 80 hours in making FTP work in every situation
that I could.  At this point I don't know what to do or say as it
works in every single install that I have access to.  Really sorry
that I don't have more information.

Scott


On 6/5/06, Robert Goley <[EMAIL PROTECTED]> wrote:

I have a similar situation and have not been able to make this work.  I have a
dual wan policy based setup.  Wan interface is DHCP cable modem.  OPT1 is DSL
with static IPs.  I have tried setting up a port forward for ftp from
OPT1->LAN.  This has failed several ways.  What are the official steps for
setting this up?  I know Scott mentioned enabling ftpx for passive
connections.  Others have said to open other port ranges but not much details
as to which ones.  I am using wu-ftpd for the ftp server.  Currently, turning
pftpx seems to break things more than not having it.  Without it some clients
can connect and others such as wget can not.  With it on, nothing can
connect.  Even "telnet IP_ADDRESS 21" fails.  It starts to connect to the
port and then is immediately dropped.  Any help or hints would be greatly
appreciated.

Robert

On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> Enable the FTP helper on Interfaces -> WAN.  Reboot.
>
> On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > I am using an ftp-server behind pfsense (beta4) with NAT. I have problems
> > with ftp-clients in passive mode which are also behind a firewall with
> > NAT to browse the ftp-directory.
> >
> > I know there were few discussions about this, but is there a solution or
> > workaround to get it working?
> >
> >
> >
> > Regards
> >
> > Bernie
>



Re: [pfSense Support] passive FTP

2006-06-05 Thread Robert Goley
I have a similar situation and have not been able to make this work.  I have a 
dual wan policy based setup.  Wan interface is DHCP cable modem.  OPT1 is DSL 
with static IPs.  I have tried setting up a port forward for ftp from 
OPT1->LAN.  This has failed several ways.  What are the official steps for 
setting this up?  I know Scott mentioned enabling ftpx for passive 
connections.  Others have said to open other port ranges but not much details 
as to which ones.  I am using wu-ftpd for the ftp server.  Currently, turning 
pftpx seems to break things more than not having it.  Without it some clients 
can connect and others such as wget can not.  With it on, nothing can 
connect.  Even "telnet IP_ADDRESS 21" fails.  It starts to connect to the 
port and then is immediately dropped.  Any help or hints would be greatly 
appreciated.  

Robert

On Thursday 01 June 2006 11:32, Scott Ullrich wrote:
> Enable the FTP helper on Interfaces -> WAN.  Reboot.
>
> On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:
> > I am using an ftp-server behind pfsense (beta4) with NAT. I have problems
> > with ftp-clients in passive mode which are also behind a firewall with
> > NAT to browse the ftp-directory.
> >
> > I know there were few discussions about this, but is there a solution or
> > workaround to get it working?
> >
> >
> >
> > Regards
> >
> > Bernie
>



Re: [pfSense Support] passive FTP

2006-06-05 Thread Scott Ullrich

Re enable it for the LAN and WAN.

On 6/5/06, Brad Bendy <[EMAIL PROTECTED]> wrote:

Hello,
I show the pftpx process is running on my beta4 machine, yet it has my LAN IP
address. In the config.xml I have a  yet i have no other
instances of this in the config file anywhere. In the web interface I have it
disabled in the LAN, and enabled in the WAN. I made these changes and
rebooted, and still no effect. I have all the ports forwarded like I did on
my .84 machine. Any way to force that ftpproxy application to use the right
IP? Any insight on this would be great!

Thanks in advance!
Brad
On Thursday 01 June 2006 09:02, Rainer Duffner wrote:
> Scott Ullrich wrote:
> > On 6/1/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> >> Should the FTP helper then run and be bound to the WAN-interface?
> >> I can see all the other FTP-helpers bound on most other interfaces, but
> >> I can't see it being bound to the WAN.
> >>
> >> (This on a late post-beta2-snapshot)
> >
> > Why are you asking about beta 2?  Upgrade to beta 4 for support.
>
> I knew you were going to say this (that's why I never bothered to bring
> it up here).
> ;-)
> As it is, I've already installed the latest snapshot on an identical
> machine next to the production one and I'm waiting for a small
> downtime-window to try to switch it over.
>
> > The pftpx process should show up and in this case have the public ip
> > of the firewall as one of its arguments.
>
> I can't access the post-BETA4-machine right now to check, but when I
> moved the configuration over to the test-box, I think I still didn't see
> the "right" pftpx process show up.
> I have 4 VLANs  bridged with WAN and several others that run completely
> separate.
>
>
>
>
>
> cheers,
> Rainer
>



Re: [pfSense Support] passive FTP

2006-06-05 Thread Brad Bendy
Hello,
I show the pftpx process is running on my beta4 machine, yet it has my LAN IP 
address. In the config.xml I have a  yet i have no other 
instances of this in the config file anywhere. In the web interface I have it 
disabled in the LAN, and enabled in the WAN. I made these changes and 
rebooted, and still no effect. I have all the ports forwarded like I did on 
my .84 machine. Any way to force that ftpproxy application to use the right 
IP? Any insight on this would be great!

Thanks in advance!
Brad
On Thursday 01 June 2006 09:02, Rainer Duffner wrote:
> Scott Ullrich wrote:
> > On 6/1/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> >> Should the FTP helper then run and be bound to the WAN-interface?
> >> I can see all the other FTP-helpers bound on most other interfaces, but
> >> I can't see it being bound to the WAN.
> >>
> >> (This on a late post-beta2-snapshot)
> >
> > Why are you asking about beta 2?  Upgrade to beta 4 for support.
>
> I knew you were going to say this (that's why I never bothered to bring
> it up here).
> ;-)
> As it is, I've already installed the latest snapshot on an identical
> machine next to the production one and I'm waiting for a small
> downtime-window to try to switch it over.
>
> > The pftpx process should show up and in this case have the public ip
> > of the firewall as one of its arguments.
>
> I can't access the post-BETA4-machine right now to check, but when I
> moved the configuration over to the test-box, I think I still didn't see
> the "right" pftpx process show up.
> I have 4 VLANs  bridged with WAN and several others that run completely
> separate.
>
>
>
>
>
> cheers,
> Rainer
>



Re: [pfSense Support] passive FTP

2006-06-01 Thread Rainer Duffner

Scott Ullrich wrote:

On 6/1/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:

Should the FTP helper then run and be bound to the WAN-interface?
I can see all the other FTP-helpers bound on most other interfaces, but
I can't see it being bound to the WAN.

(This on a late post-beta2-snapshot)


Why are you asking about beta 2?  Upgrade to beta 4 for support.


I knew you were going to say this (that's why I never bothered to bring 
it up here).

;-)
As it is, I've already installed the latest snapshot on an identical 
machine next to the production one and I'm waiting for a small 
downtime-window to try to switch it over.




The pftpx process should show up and in this case have the public ip
of the firewall as one of its arguments.


I can't access the post-BETA4-machine right now to check, but when I 
moved the configuration over to the test-box, I think I still didn't see 
the "right" pftpx process show up.
I have 4 VLANs  bridged with WAN and several others that run completely 
separate.






cheers,
Rainer




Re: [pfSense Support] passive FTP

2006-06-01 Thread Scott Ullrich

On 6/1/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:

Should the FTP helper then run and be bound to the WAN-interface?
I can see all the other FTP-helpers bound on most other interfaces, but
I can't see it being bound to the WAN.

(This on a late post-beta2-snapshot)


Why are you asking about beta 2?  Upgrade to beta 4 for support.

The pftpx process should show up and in this case have the public ip
of the firewall as one of its arguments.




Re: [pfSense Support] passive FTP

2006-06-01 Thread Rainer Duffner

Scott Ullrich wrote:

Enable the FTP helper on Interfaces -> WAN.  Reboot.





Should the FTP helper then run and be bound to the WAN-interface?
I can see all the other FTP-helpers bound on most other interfaces, but 
I can't see it being bound to the WAN.


(This on a late post-beta2-snapshot)



cheers,
Rainer





Re: [pfSense Support] passive FTP

2006-06-01 Thread Scott Ullrich

Enable the FTP helper on Interfaces -> WAN.  Reboot.

On 6/1/06, Bernhard Ledermann <[EMAIL PROTECTED]> wrote:





I am using an ftp-server behind pfsense (beta4) with NAT. I have problems
with ftp-clients in passive mode which are also behind a firewall with NAT
to browse the ftp-directory.

I know there were few discussions about this, but is there a solution or
workaround to get it working?



Regards

Bernie





Re: [pfSense Support] passive FTP

2006-06-01 Thread Anders D. Hansen

On Jun 1, 2006, at 13:37 , Bernhard Ledermann wrote:

I am using an ftp-server behind pfsense (beta4) with NAT. I have  
problems with ftp-clients in passive mode which are also behind a  
firewall with NAT to browse the ftp-directory.


I know there were few discussions about this, but is there a  
solution or workaround to get it working?




Regards

Bernie





I believe you have to allow connections to the ftpserver on the  
passive ftp port range...
You should be able to tell from the config which ports the ftp server  
uses for passive mode.


Example
2 - 3

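The passive port range mentioned above can be compared with what the server actually advertises in its 227 reply. The following is an added example, not part of the original thread: it parses a 227 reply and flags an RFC 1918 address handed to an outside client and a data port outside the forwarded range. The function names, the 203.0.113.5 address and the 50000-50100 range are assumptions; the 10.0.0.10:59825 endpoint is constructed to match the blocked WAN log entry quoted elsewhere in this thread.

```python
import ipaddress
import re

# RFC 1918 networks. ipaddress's is_private is deliberately not used here:
# it also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2 (RFC 959, reply 227).
FIELDS = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

# Constructed sample replies (not captured traffic).
LEAKED_REPLY = "227 Entering Passive Mode (10,0,0,10,233,177)"
REWRITTEN_REPLY = "227 Entering Passive Mode (203,0,113,5,195,100)"


def is_rfc1918(host):
    """True when host lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or raise ValueError."""
    reply = reply.strip()
    match = FIELDS.search(reply[3:]) if reply.startswith("227") else None
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    # The data port is sent as two bytes: high byte first, then low byte.
    return host, fields[4] * 256 + fields[5]


def check_pasv(reply, control_peer, forwarded_range):
    """List the problems an outside client would hit with this reply.

    control_peer    -- address the client used for the control connection
    forwarded_range -- (low, high) passive ports forwarded on the firewall
    """
    host, port = parse_pasv(reply)
    findings = []
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        # The reply crossed NAT without being rewritten by a helper/proxy.
        findings.append("private address advertised to an outside client")
    elif host != control_peer:
        findings.append("advertised address differs from control connection")
    low, high = forwarded_range
    if not low <= port <= high:
        findings.append("data port outside forwarded range")
    return findings


if __name__ == "__main__":
    for sample in (LEAKED_REPLY, REWRITTEN_REPLY):
        host, port = parse_pasv(sample)
        problems = check_pasv(sample, "203.0.113.5", (50000, 50100))
        print(host, port, problems or "ok")
```

Pinning the FTP server's passive range to the same small range that is forwarded keeps the second finding from appearing without opening 1024-65535.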



Re: [pfSense Support] Passive FTP question

2006-05-01 Thread Derrick MacPherson
OK so now on my 3rd attempt with fresh installs, it's still not working,
and again I have rules that are logging a pass, and I have no rules set
to log passes, only the default block. There's some bug here but damned
if I could say for sure what's triggering it.



On Sun, 2006-04-30 at 14:58 -0700, Derrick MacPherson wrote:
> Hmm. reset rules set to default
> 
> Added on WAN:
> 
> rules to https to Outlook Web Access (OWA) box
> rules for access to Nortel VPN device in the DMZ.
> rule to route traffic from mail relay host in dmz to internal
> rule to allow ftp (21) to machine in DMZ
> 
> Added on OPT1 (DMZ):
> 
> Ports to allow communication tween the OWA host in the 
> DMZ to the Active Directory in the LAN
> 
> Virtual IP's for OWA, ftp server, mail server, Nortel VPN, in the DMZ
> 
> NAT:
> 
> port forward for OWA
> 1:1 - for Nortel VPN, ftp server, mail server
> 
> Now when I ftp from external, with passive on, I see this in the logs 
> blocked:
> 
> WAN   208.181.60.36:61044 10.0.0.10:59825 TCP
> 
> with passive off:
> 
> OPT1  10.0.0.10:20 208.181.60.36:50383 TCP
> 
> Now is there something I've missed, or should this be handled by the ftp 
> helper?
> 
> 
> 
> On Sun, 30 Apr 2006, Derrick MacPherson wrote:
> 
> > I reverted to a ruleset from yesterday; whatever is causing the issue i'm 
> > having is really odd. i've taken my failover box and am going to rebuild 
> > from 
> > scratch
> >
> > On Sun, 30 Apr 2006, Scott Ullrich wrote:
> >
> >> cvs_synch.sh again and see if they go away.
> >> 
> >> On 4/30/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> >>> I just got back home and was taking a quick look at things before bed,
> >>> and for some reason I'm getting an error loading the rule set
> >>>
> >>>   exactly -f /tmp/rules.debug
> >>> /tmp/rules.debug:95: macro 'opt1' not defined
> >>> /tmp/rules.debug:95: syntax error
> >>> /tmp/rules.debug:96: macro 'opt1' not defined
> >>> /tmp/rules.debug:97: macro 'opt1' not defined
> >>> 
> >>> 
> >>> 
> >>> that section is:
> >>> 
> >>> # allow access to DHCP server on opt1
> >>> anchor "dhcpserveropt1"
> >>> pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255
> >>> port = 67 label "allow access to DHCP server"
> >>> 
> >>> pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67
> >>> label "allow access to DHCP server"
> >>> 
> >>> pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port =
> >>> 68 label "allow access to DHCP server"
> >>> 
> >>> block in log quick on $wan proto udp from any port = 67 to
> >>> 172.16.128.0/20 port = 68 label "allow dhcp client out wan"
> >>> 
> >>> 



Re: [pfSense Support] Passive FTP question

2006-04-30 Thread Derrick MacPherson

Hmm. reset rules set to default

Added on WAN:

rules to https to Outlook Web Access (OWA) box
rules for access to Nortel VPN device in the DMZ.
rule to route traffic from mail relay host in dmz to internal
rule to allow ftp (21) to machine in DMZ

Added on OPT1 (DMZ):

Ports to allow communication tween the OWA host in the 
DMZ to the Active Directory in the LAN


Virtual IP's for OWA, ftp server, mail server, Nortel VPN, in the DMZ

NAT:

port forward for OWA
1:1 - for Nortel VPN, ftp server, mail server

Now when I ftp from external, with passive on, I see this in the logs 
blocked:


WAN 208.181.60.36:61044 10.0.0.10:59825 TCP

with passive off:

OPT1 10.0.0.10:20 208.181.60.36:50383 TCP

Now is there something I've missed, or should this be handled by the ftp 
helper?




On Sun, 30 Apr 2006, Derrick MacPherson wrote:

I reverted to a ruleset from yesterday; whatever is causing the issue i'm 
having is really odd. i've taken my failover box and am going to rebuild from 
scratch


On Sun, 30 Apr 2006, Scott Ullrich wrote:


cvs_synch.sh again and see if they go away.

On 4/30/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

I just got back home and was taking a quick look at things before bed,
and for some reason I'm getting an error loading the rule set

  exactly -f /tmp/rules.debug
/tmp/rules.debug:95: macro 'opt1' not defined
/tmp/rules.debug:95: syntax error
/tmp/rules.debug:96: macro 'opt1' not defined
/tmp/rules.debug:97: macro 'opt1' not defined



that section is:

# allow access to DHCP server on opt1
anchor "dhcpserveropt1"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255
port = 67 label "allow access to DHCP server"

pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67
label "allow access to DHCP server"

pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port =
68 label "allow access to DHCP server"

block in log quick on $wan proto udp from any port = 67 to
172.16.128.0/20 port = 68 label "allow dhcp client out wan"





Re: [pfSense Support] Passive FTP question

2006-04-30 Thread Derrick MacPherson
I reverted to a ruleset from yesterday; whatever is causing the issue i'm 
having is really odd. i've taken my failover box and am going to rebuild 
from scratch


On Sun, 30 Apr 2006, Scott Ullrich wrote:


cvs_synch.sh again and see if they go away.

On 4/30/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

I just got back home and was taking a quick look at things before bed,
and for some reason I'm getting an error loading the rule set

  exactly -f /tmp/rules.debug
/tmp/rules.debug:95: macro 'opt1' not defined
/tmp/rules.debug:95: syntax error
/tmp/rules.debug:96: macro 'opt1' not defined
/tmp/rules.debug:97: macro 'opt1' not defined



that section is:

# allow access to DHCP server on opt1
anchor "dhcpserveropt1"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255
port = 67 label "allow access to DHCP server"

pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67
label "allow access to DHCP server"

pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port =
68 label "allow access to DHCP server"

block in log quick on $wan proto udp from any port = 67 to
172.16.128.0/20 port = 68 label "allow dhcp client out wan"





Re: [pfSense Support] Passive FTP question

2006-04-30 Thread Scott Ullrich

cvs_synch.sh again and see if they go away.

On 4/30/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

I just got back home and was taking a quick look at things before bed,
and for some reason I'm getting an error loading the rule set

  exactly -f /tmp/rules.debug
/tmp/rules.debug:95: macro 'opt1' not defined
/tmp/rules.debug:95: syntax error
/tmp/rules.debug:96: macro 'opt1' not defined
/tmp/rules.debug:97: macro 'opt1' not defined



that section is:

# allow access to DHCP server on opt1
anchor "dhcpserveropt1"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255
port = 67 label "allow access to DHCP server"

pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67
label "allow access to DHCP server"

pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port =
68 label "allow access to DHCP server"

block in log quick on $wan proto udp from any port = 67 to
172.16.128.0/20 port = 68 label "allow dhcp client out wan"





Re: [pfSense Support] Passive FTP question

2006-04-30 Thread Derrick MacPherson
I just got back home and was taking a quick look at things before bed, 
and for some reason I'm getting an error loading the rule set


 exactly -f /tmp/rules.debug
/tmp/rules.debug:95: macro 'opt1' not defined
/tmp/rules.debug:95: syntax error
/tmp/rules.debug:96: macro 'opt1' not defined
/tmp/rules.debug:97: macro 'opt1' not defined



that section is:

# allow access to DHCP server on opt1
anchor "dhcpserveropt1"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255 
port = 67 label "allow access to DHCP server"


pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67 
label "allow access to DHCP server"


pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port = 
68 label "allow access to DHCP server"


block in log quick on $wan proto udp from any port = 67 to 
172.16.128.0/20 port = 68 label "allow dhcp client out wan"



Looks like I fixed this by changing the description for the opt1 
interface, from DMZ to opt1





Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Derrick MacPherson
I just got back home and was taking a quick look at things before bed, 
and for some reason I'm getting an error loading the rule set


 exactly -f /tmp/rules.debug
/tmp/rules.debug:95: macro 'opt1' not defined
/tmp/rules.debug:95: syntax error
/tmp/rules.debug:96: macro 'opt1' not defined
/tmp/rules.debug:97: macro 'opt1' not defined



that section is:

# allow access to DHCP server on opt1
anchor "dhcpserveropt1"
pass in quick on $DMZ proto udp from any port = 68 to 255.255.255.255 
port = 67 label "allow access to DHCP server"


pass in quick on $DMZ proto udp from any port = 68 to 10.0.0.1 port = 67 
label "allow access to DHCP server"


pass out quick on $DMZ proto udp from 10.0.0.1 port = 67 to any port = 
68 label "allow access to DHCP server"


block in log quick on $wan proto udp from any port = 67 to 
172.16.128.0/20 port = 68 label "allow dhcp client out wan"






Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Scott Ullrich

All that is required is to allow the traffic on port TCP/21.

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

ok i've now spun myself to a point of being confused..

can i get a brief discussion of what i need to get ftp working; what
changes to the lan and dmz do i need to make?

i've been playing with this too much that i've lost where i'm going with this







Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Derrick MacPherson

ok i've now spun myself to a point of being confused..

can i get a brief discussion of what i need to get ftp working; what 
changes to the lan and dmz do i need to make?


i've been playing with this too much that i've lost where i'm going with this







Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Scott Ullrich

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

should the ftp helper be handling this block?

DMZ 10.0.0.10:20   x.x.x.x:55628   TCP


Yes.




Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Derrick MacPherson

should the ftp helper be handling this block?

DMZ 10.0.0.10:20   x.x.x.x:55628   TCP




Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Derrick MacPherson

Scott Ullrich wrote:

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

Scott Ullrich wrote:
> On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
>> Do I need a permit on the WAN interface for passive ports?
>
> No, the FTP helper automatically installs rules.

OK that's what I thought.. I'm seeing this being blocked:

WAN x.x.x.x:52336   10.0.0.10:54473 TCP

shouldn't that be handled by the helper then?


Yes, what version?


i'm running:

BETA4
built on Mon Apr 17 22:46:52 UTC 2006

Let me look a little further, maybe I've got something messed up; I had 
so much mucking around going on the other day dealing with that issue 
that turned out to be the ISP's router.






Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Scott Ullrich

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

Scott Ullrich wrote:
> On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
>> Do I need a permit on the WAN interface for passive ports?
>
> No, the FTP helper automatically installs rules.

OK that's what I thought.. I'm seeing this being blocked:

WAN x.x.x.x:52336   10.0.0.10:54473 TCP

shouldn't that be handled by the helper then?


Yes, what version?




Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Derrick MacPherson

Scott Ullrich wrote:

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

Do I need a permit on the WAN interface for passive ports?


No, the FTP helper automatically installs rules.


OK that's what I thought.. I'm seeing this being blocked:

WAN x.x.x.x:52336   10.0.0.10:54473 TCP

shouldn't that be handled by the helper then?




Re: [pfSense Support] Passive FTP question

2006-04-29 Thread Scott Ullrich

On 4/29/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:

Do I need a permit on the WAN interface for passive ports?


No, the FTP helper automatically installs rules.

Scott




RE: [pfSense Support] Passive FTP - sorry

2006-04-11 Thread Jason J Ellingson
Both pfSense boxes are using 4-08-2006 snapshot.   I'll give the sync
command a try.

- Jason 

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 11, 2006 3:21 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Passive FTP - sorry

This was fixed a few days ago.  cvs_sync.sh releng_1 or update to the latest
snapshot.

On 4/11/06, Jason J Ellingson <[EMAIL PROTECTED]> wrote:
> Sorry... But I seem to be brain dead...
>
> Co-location server (Downtown):
> I have an FTP server behind a 1:1 NAT on the OPT1 interface and FTP 
> Proxy enabled only on OPT1 (disabled/checked on WAN).
>
> Personal client (Home):
> I have an FTP client behind a normal NAT on the LAN interface and FTP 
> Proxy enabled only on LAN (disabled/checked on WAN).
>
> Active FTP works fine.  However, passive does not.
>
> The "PASV" is sent by the client and seen by the server just fine.
> The "227 Entering Passive Mode (10,0,0,2,5,24)" is sent back by the
> server, but the client does not see it at all.
>
> Is the 1:1 NAT confusing the OPT1 FTP Proxy?  Perhaps the proxy is
> resending the packet out the WAN using the pfSense WAN IP and not the
> external IP in the 1:1 NAT that it should.  Sound right?  It would
> explain why the client isn't seeing it... The packet is coming from the
> wrong IP.
>
> - Jason
>



Re: [pfSense Support] Passive FTP - sorry

2006-04-11 Thread Scott Ullrich
This was fixed a few days ago.  cvs_sync.sh releng_1 or update to the
latest snapshot.

On 4/11/06, Jason J Ellingson <[EMAIL PROTECTED]> wrote:
> Sorry... But I seem to be brain dead...
>
> Co-location server (Downtown):
> I have an FTP server behind a 1:1 NAT on the OPT1 interface and FTP Proxy
> enabled only on OPT1 (disabled/checked on WAN).
>
> Personal client (Home):
> I have an FTP client behind a normal NAT on the LAN interface and FTP Proxy
> enabled only on LAN (disabled/checked on WAN).
>
> Active FTP works fine.  However, passive does not.
>
> The "PASV" is sent by the client and seen by the server just fine.
> The "227 Entering Passive Mode (10,0,0,2,5,24)" is sent back by the server,
> but the client does not see it at all.
>
> Is the 1:1 NAT confusing the OPT1 FTP Proxy?  Perhaps the proxy is resending
> the packet out the WAN using the pfSense WAN IP and not the external IP in
> the 1:1 NAT that it should.  Sound right?  It would explain why the client
> isn't seeing it... The packet is coming from the wrong IP.
>
> - Jason

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
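To make the 227 reply quoted in this message concrete, here is an added example (not from the thread and not pfSense's ftp-proxy code) that decodes the reply, flags a private address advertised to an outside client, and builds the rewritten reply a proxy or helper has to send in its place. The external address 203.0.113.10 is a constructed placeholder for the 1:1 NAT address; the function names are hypothetical.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": four address octets, two port bytes.
PASV_RE = re.compile(
    r"^227[ -].*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Checked explicitly: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Reply quoted in the thread (sent by the server behind the 1:1 NAT).
SERVER_REPLY = "227 Entering Passive Mode (10,0,0,2,5,24)"
# Constructed placeholder for the external address of the 1:1 NAT mapping.
EXTERNAL_IP = "203.0.113.10"


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in 227 reply")
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv(reply, external_ip):
    """Classify the advertised data endpoint from an outside client's view."""
    host, port = parse_pasv(reply)
    external = ipaddress.IPv4Address(external_ip)
    if host == external:
        verdict = "ok"
    elif any(host in net for net in RFC1918):
        # The client cannot route to this address; the data connection fails
        # unless something on the path rewrites the reply.
        verdict = "private address advertised"
    else:
        verdict = "unexpected address advertised"
    return {"host": str(host), "port": port, "verdict": verdict}


def rewrite_pasv(reply, external_ip):
    """Build the reply with the external address and the same data port."""
    _, port = parse_pasv(reply)
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    return "227 Entering Passive Mode ({},{},{})".format(
        ",".join(octets), port >> 8, port & 0xFF
    )


if __name__ == "__main__":
    print(check_pasv(SERVER_REPLY, EXTERNAL_IP))
    fixed = rewrite_pasv(SERVER_REPLY, EXTERNAL_IP)
    print(fixed)
    print(check_pasv(fixed, EXTERNAL_IP))
```

The decoded data port is the one that has to be reachable on the external address, so the same calculation tells you which inbound port the firewall must pass for that transfer.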



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-27 Thread Derrick MacPherson
On Mon, 2006-03-27 at 17:39 -0500, Scott Ullrich wrote:
> It may look okay, but does it work? :)

appears to be, it was only affecting my outbound passive ftp from the
dmz, not too big of a concern at the moment... I'll check more later.

thanks 





Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-27 Thread Scott Ullrich
It may look okay, but does it work? :)

On 3/27/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> Sorry I guess I misread it, it all looks good now.




Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-27 Thread Derrick MacPherson
Sorry I guess I misread it, it all looks good now.


On Mon, 2006-03-27 at 17:01 -0500, Scott Ullrich wrote:
> The pass rule for 8021 is further up.  Why is this not correct?
> 
> On 3/27/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > It's still not coming up quite right I believe:
> >
> > lan = "{ bge0  }"
> > wan = "{ xl0  carp0 ng0 }"
> > DMZ = "{ em0 }"
> > SYNC = "{ em1 }"
> >
> > rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
> >
> > # enable ftp-proxy
> > pass in quick on em0 inet proto tcp from any to $loopback port 8022 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em1 inet proto tcp from any to $loopback port 8023 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> >
> >
> >
> >
> >
> > On Sun, 2006-03-26 at 13:44 -0500, Scott Ullrich wrote:
> > > If you are running on a full install, please issue:
> > >
> > > cvs_sync.sh releng_1 && /etc/rc.filter_configure
> > >
> > > And see if the problem is fixed.
> > >
> > > Thanks!
> > >
> > >
> > >
> > > On 3/25/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > > > Yep, that'll do it.   I'll get that fixed up in a sec.
> > > >
> > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > I'm not sure if this helps, in the rules.debug I see:
> > > > >
> > > > > # FTP Proxy/helper
> > > > > rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > > > > rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
> > > > >
> > > > > and below that a little ways:
> > > > >
> > > > > # enable ftp-proxy
> > > > > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
> > > > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > > > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> > > > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > > > pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
> > > > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > > pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> > > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > >
> > > > >
> > > > > em0 is my DMZ interface, and I believe that rule above should be 8022
> > > > > and not 8021
> > > > >
> > > > >
> > > > >
> > > > > On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> > > > > > I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc.
> > > > > > > Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> > > > > > you have to run /etc/rc.filter_configure a second time for it to
> > > > > > install the helper correctly.
> > > > > >
> > > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > > I don't think that's it, I have that rule on my LAN and the DMZ
> > > > > > > > interfaces, but it's not working. It now appears that as well inbound
> > > > > > > > FTP is not working at all.
> > > > > > >
> > > > > > > more info in a bit, spam assassin has just died on me
> > > > > > >
> > > > > > > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > > > > > > Maybe this will help?
> > > > > > > >
> > > > > > > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > > > > > > >
> > > > > > > >
> > > > > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > > > > > > > the heck am I missing?
> > > > > > > > > >
> > > > > > > > > > I see the default block rule is blocking it, what am I missing?
> > > > > > > > > >
> > > > > > > > > > here's from the status log:
> > > > > > > > > >
> > > > > > > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -
> > > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > -
> > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > >
> > >

Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-27 Thread Scott Ullrich
The pass rule for 8021 is further up.  Why is this not correct?

On 3/27/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> It's still not coming up quite right I believe:
>
> lan = "{ bge0  }"
> wan = "{ xl0  carp0 ng0 }"
> DMZ = "{ em0 }"
> SYNC = "{ em1 }"
>
> rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
>
> # enable ftp-proxy
> pass in quick on em0 inet proto tcp from any to $loopback port 8022 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from any to $loopback port 8023 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> state label "FTP PROXY: Allow traffic to localhost"
>
>
>
>
>
> On Sun, 2006-03-26 at 13:44 -0500, Scott Ullrich wrote:
> > If you are running on a full install, please issue:
> >
> > cvs_sync.sh releng_1 && /etc/rc.filter_configure
> >
> > And see if the problem is fixed.
> >
> > Thanks!
> >
> >
> >
> > On 3/25/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > > Yep, that'll do it.   I'll get that fixed up in a sec.
> > >
> > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > I'm not sure if this helps, in the rules.debug I see:
> > > >
> > > > # FTP Proxy/helper
> > > > rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > > > rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
> > > >
> > > > and below that a little ways:
> > > >
> > > > # enable ftp-proxy
> > > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
> > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
> > > > state label "FTP PROXY: Allow traffic to localhost"
> > > > pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> > > > state label "FTP PROXY: Allow traffic to localhost"
> > > >
> > > >
> > > > em0 is my DMZ interface, and I believe that rule above should be 8022
> > > > and not 8021
> > > >
> > > >
> > > >
> > > > On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> > > > > I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc.
> > > > > Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> > > > > you have to run /etc/rc.filter_configure a second time for it to
> > > > > install the helper correctly.
> > > > >
> > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > I don't think that's it, I have that rule on my LAN and the DMZ
> > > > > > > interfaces, but it's not working. It now appears that as well inbound
> > > > > > > FTP is not working at all.
> > > > > >
> > > > > > more info in a bit, spam assassin has just died on me
> > > > > >
> > > > > > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > > > > > Maybe this will help?
> > > > > > >
> > > > > > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > > > > > >
> > > > > > >
> > > > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > > > > > > the heck am I missing?
> > > > > > > > >
> > > > > > > > > I see the default block rule is blocking it, what am I missing?
> > > > > > > > >
> > > > > > > > > here's from the status log:
> > > > > > > > >
> > > > > > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -
> > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > -
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > -
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > >
> > > > > >
> > > > >
> > > > > -
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additiona

Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-27 Thread Derrick MacPherson
It's still not coming up quite right I believe:

lan = "{ bge0  }"
wan = "{ xl0  carp0 ng0 }"
DMZ = "{ em0 }"
SYNC = "{ em1 }"

rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022

# enable ftp-proxy
pass in quick on em0 inet proto tcp from any to $loopback port 8022 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from any to $loopback port 8023 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
state label "FTP PROXY: Allow traffic to localhost"





On Sun, 2006-03-26 at 13:44 -0500, Scott Ullrich wrote:
> If you are running on a full install, please issue:
> 
> cvs_sync.sh releng_1 && /etc/rc.filter_configure
> 
> And see if the problem is fixed.
> 
> Thanks!
> 
> 
> 
> On 3/25/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > Yep, that'll do it.   I'll get that fixed up in a sec.
> >
> > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > I'm not sure if this helps, in the rules.debug I see:
> > >
> > > # FTP Proxy/helper
> > > rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > > rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
> > >
> > > and below that a little ways:
> > >
> > > # enable ftp-proxy
> > > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
> > > state label "FTP PROXY: Allow traffic to localhost"
> > > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> > > state label "FTP PROXY: Allow traffic to localhost"
> > > pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
> > > state label "FTP PROXY: Allow traffic to localhost"
> > > pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> > > state label "FTP PROXY: Allow traffic to localhost"
> > >
> > >
> > > em0 is my DMZ interface, and I believe that rule above should be 8022
> > > and not 8021
> > >
> > >
> > >
> > > On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> > > > I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc.
> > > > Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> > > > you have to run /etc/rc.filter_configure a second time for it to
> > > > install the helper correctly.
> > > >
> > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > I don't think that's it, I have that rule on my LAN and the DMZ
> > > > > interfaces, but it's not working. It now appears that as well inbound
> > > > > FTP is not working at all.
> > > > >
> > > > > more info in a bit, spam assassin has just died on me
> > > > >
> > > > > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > > > > Maybe this will help?
> > > > > >
> > > > > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > > > > >
> > > > > >
> > > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > > > > > the heck am I missing?
> > > > > > > >
> > > > > > > > I see the default block rule is blocking it, what am I missing?
> > > > > > > >
> > > > > > > > here's from the status log:
> > > > > > > >
> > > > > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > -
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > -
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands,

Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-26 Thread Scott Ullrich
If you are running on a full install, please issue:

cvs_sync.sh releng_1 && /etc/rc.filter_configure

And see if the problem is fixed.

Thanks!



On 3/25/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> Yep, that'll do it.   I'll get that fixed up in a sec.
>
> On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > I'm not sure if this helps, in the rules.debug I see:
> >
> > # FTP Proxy/helper
> > rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
> >
> > and below that a little ways:
> >
> > # enable ftp-proxy
> > pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> > pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> > state label "FTP PROXY: Allow traffic to localhost"
> >
> >
> > em0 is my DMZ interface, and I believe that rule above should be 8022
> > and not 8021
> >
> >
> >
> > On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> > > I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc.
> > > Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> > > you have to run /etc/rc.filter_configure a second time for it to
> > > install the helper correctly.
> > >
> > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > I don't think that's it, I have that rule on my LAN and the DMZ
> > > > interfaces, but it's not working. It now appears that as well inbound
> > > > FTP is not working at all.
> > > >
> > > > more info in a bit, spam assassin has just died on me
> > > >
> > > > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > > > Maybe this will help?
> > > > >
> > > > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > > > >
> > > > >
> > > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > > > > the heck am I missing?
> > > > > > >
> > > > > > > I see the default block rule is blocking it, what am I missing?
> > > > > > >
> > > > > > > here's from the status log:
> > > > > > >
> > > > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > > > >
> > > > > >
> > > > > >
> > > > > > -
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > >
> > > > > >
> > > > >
> > > > > -
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-25 Thread Scott Ullrich
Yep, that'll do it.   I'll get that fixed up in a sec.

On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> I'm not sure if this helps, in the rules.debug I see:
>
> # FTP Proxy/helper
> rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
>
> and below that a little ways:
>
> # enable ftp-proxy
> pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
> state label "FTP PROXY: Allow traffic to localhost"
>
>
> em0 is my DMZ interface, and I believe that rule above should be 8022
> and not 8021
>
>
>
> On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> > I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc.
> > Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> > you have to run /etc/rc.filter_configure a second time for it to
> > install the helper correctly.
> >
> > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > I don't think that's it, I have that rule on my LAN and the DMZ
> > > interfaces, but it's not working. It now appears that as well inbound
> > > FTP is not working at all.
> > >
> > > more info in a bit, spam assassin has just died on me
> > >
> > > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > > Maybe this will help?
> > > >
> > > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > > >
> > > >
> > > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > > > the heck am I missing?
> > > > > >
> > > > > > I see the default block rule is blocking it, what am I missing?
> > > > > >
> > > > > > here's from the status log:
> > > > > >
> > > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > > >
> > > > >
> > > > >
> > > > > -
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-25 Thread Derrick MacPherson
I'm not sure if this helps, in the rules.debug I see:

# FTP Proxy/helper
rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022

and below that a little ways:

# enable ftp-proxy
pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep
state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from any to $loopback port 21 keep
state label "FTP PROXY: Allow traffic to localhost"


em0 is my DMZ interface, and I believe that rule above should be 8022
and not 8021



On Sat, 2006-03-25 at 15:53 -0500, Scott Ullrich wrote:
> I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc. 
> Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
> you have to run /etc/rc.filter_configure a second time for it to
> install the helper correctly.
> 
> On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > I don't think that's it, I have that rule on my LAN and the DMZ
> > interfaces, but it's not working. It now appears that as well inbound
> > FTP is not working at all.
> >
> > more info in a bit, spam assassin has just died on me
> >
> > On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > > Maybe this will help?
> > >
> > > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> > >
> > >
> > > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > > the heck am I missing?
> > > >
> > > > I see the default block rule is blocking it, what am I missing?
> > > >
> > > > > here's from the status log:
> > > > >
> > > > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP
> > > >
> > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
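The mismatch pointed out in this message (rdr on the DMZ interface sends port 21 to 8022, while the pass rule on em0 allows 8021) can be checked mechanically. The following is an added example, not pfSense code or anything posted in the thread: it pairs every ftp-proxy `rdr` target with a `pass` rule on the same interface. The sample rule sets are constructed from the lines quoted in the thread, with labels dropped and one bge0 pass rule assumed for the LAN side; the function name is hypothetical.

```python
import re

# Constructed sample built from the lines quoted in the thread. The bge0 pass
# rule is an assumption standing in for the LAN rule said to be "further up".
RULES_BEFORE = """\
lan = "{ bge0  }"
wan = "{ xl0  carp0 ng0 }"
DMZ = "{ em0 }"
SYNC = "{ em1 }"
# FTP Proxy/helper
rdr on $lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $DMZ proto tcp from any to any port 21 -> 127.0.0.1 port 8022
# enable ftp-proxy
pass in quick on bge0 inet proto tcp from any to $loopback port 8021 keep state
pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state
pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep state
pass in quick on em1 inet proto tcp from any to $loopback port 21 keep state
"""

# Same rule set with the em0/em1 ports shown in the 2006-03-27 message.
RULES_AFTER = (
    RULES_BEFORE
    .replace("on em0 inet proto tcp from any to $loopback port 8021",
             "on em0 inet proto tcp from any to $loopback port 8022")
    .replace("on em1 inet proto tcp from any to $loopback port 8021",
             "on em1 inet proto tcp from any to $loopback port 8023")
)

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*)\}"\s*$')
RDR_RE = re.compile(r"^rdr on (\S+) .*-> (\S+) port (\d+)")
PASS_RE = re.compile(r"^pass in (?:quick )?on (\S+) .*\bto (\S+) port (\d+)")
LOOPBACK = {"$loopback", "127.0.0.1"}


def expand(token, macros):
    """Resolve an interface token such as $DMZ to its interface names."""
    if token.startswith("$"):
        name = token[1:]
        if name not in macros:
            # Same condition pfctl reports as "macro '...' not defined".
            raise ValueError(f"macro '{name}' not defined")
        return macros[name]
    return [token]


def unreachable_proxy_ports(rules_text):
    """Return sorted (interface, port) pairs that an rdr rule sends to the
    local proxy but that no pass rule on that interface allows."""
    macros, redirects, passes = {}, [], []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).split()
            continue
        m = RDR_RE.match(line)
        if m and m.group(2) in LOOPBACK:
            redirects.append((m.group(1), int(m.group(3))))
            continue
        m = PASS_RE.match(line)
        if m and m.group(2) in LOOPBACK:
            passes.append((m.group(1), int(m.group(3))))
    allowed = {(ifc, port) for tok, port in passes for ifc in expand(tok, macros)}
    missing = {(ifc, port)
               for tok, port in redirects
               for ifc in expand(tok, macros)
               if (ifc, port) not in allowed}
    return sorted(missing)


if __name__ == "__main__":
    print("before:", unreachable_proxy_ports(RULES_BEFORE))
    print("after: ", unreachable_proxy_ports(RULES_AFTER))
```

The check only covers the rdr/pass pairing discussed here; other rules in a full rules.debug could still pass or block the same traffic.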



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-25 Thread Scott Ullrich
I fixed some FTP helper issues on inbound from WAN->LAN[DMZ], etc. 
Try cvs_sync.sh releng_1 and see if it helps.  Otherwise after bootup
you have to run /etc/rc.filter_configure a second time for it to
install the helper correctly.

On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> I don't think that's it, I have that rule on my LAN and the DMZ
> interfaces, but it's not working. It now appears that as well inbound
> FTP is not working at all.
>
> more info in a bit, spam assassin has just died on me
>
> On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> > Maybe this will help?
> >
> > http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> >
> >
> > On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > I don't have outbound passive FTP working for machines in the DMZ, what
> > > the heck am I missing?
> > >
> > > I see the default block rule is blocking it, what am I missing?
> > >
> > > here's from the status log:
> > >
> > > DMZ 10.1.1.150:61272   X.X.X.X:50105   TCP



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-25 Thread Derrick MacPherson
I don't think that's it, I have that rule on my LAN and the DMZ
interfaces, but it's not working. It now appears that as well inbound
FTP is not working at all.

more info in a bit, spam assassin has just died on me

On Sat, 2006-03-25 at 12:50 -0500, Scott Ullrich wrote:
> Maybe this will help?
> 
> http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp
> 
> 
> On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > I don't have outbound passive FTP working for machines in the DMZ, what
> > the heck am I missing?
> >
> > I see the default block rule is blocking it, what am I missing?
> >
> > heres from the status log:
> >
> > DMZ 10.1.1.150:61272 X.X.X.X:50105 TCP
> >
> >
> >



Re: [pfSense Support] Passive FTP out of the DMZ

2006-03-25 Thread Scott Ullrich
Maybe this will help?

http://faq.pfsense.com/index.php?action=artikel&cat=10&id=103&artlang=en&highlight=ftp


On 3/25/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> I don't have outbound passive FTP working for machines in the DMZ, what
> the heck am I missing?
>
> I see the default block rule is blocking it, what am I missing?
>
> heres from the status log:
>
> DMZ 10.1.1.150:61272 X.X.X.X:50105 TCP
>
>
>
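Added example (not part of the original thread): a blocked entry such as the `10.1.1.150:61272` connection to port `50105` quoted above can be confirmed as a passive-mode data connection by matching it against the endpoint the server announced on the control channel. The control-channel transcript, the `203.0.113.10` server address and the helper names are constructed for illustration, and the log layout assumes the interface / source / destination / protocol columns of the quoted status line.

```python
import re

# 227 reply (RFC 959): (h1,h2,h3,h4,p1,p2); 229 reply (RFC 2428): (|||port|)
PASV = re.compile(r'^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')
EPSV = re.compile(r'^229\b.*?\((.)\1\1(\d+)\1\)')
# Assumed log layout: IFACE SRC:PORT DST:PORT PROTO
LOG = re.compile(r'^(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$')

# Constructed sample data (documentation address range, not from the thread).
SERVER_IP = "203.0.113.10"
CONTROL = [
    "220 ftp.example.net ready",
    "230 Logged in",
    "227 Entering Passive Mode (203,0,113,10,195,185)",
]
BLOCKED = [
    "DMZ 10.1.1.150:61272 203.0.113.10:50105 TCP",
    "DMZ 10.1.1.150:61300 203.0.113.10:6881 TCP",
]


def data_endpoint(reply, server_ip):
    """Return the (ip, port) a 227/229 reply announces, or None."""
    m = PASV.match(reply)
    if m:
        nums = [int(n) for n in m.groups()]
        if any(n > 255 for n in nums):
            return None                       # malformed reply
        ip = ".".join(str(n) for n in nums[:4])
        return ip, nums[4] * 256 + nums[5]    # port = p1 * 256 + p2
    m = EPSV.match(reply)
    if m:
        port = int(m.group(2))
        # EPSV carries only a port; the address is the control-channel peer.
        return (server_ip, port) if 0 < port < 65536 else None
    return None


def classify_blocks(control_lines, server_ip, log_lines):
    """Mark each blocked log entry that targets an announced data endpoint."""
    announced = {}
    for line in control_lines:
        endpoint = data_endpoint(line.strip(), server_ip)
        if endpoint:
            announced[endpoint] = line.strip()
    results = []
    for line in log_lines:
        m = LOG.match(line.strip())
        if not m:
            continue                          # not a connection summary line
        iface, src, sport, dst, dport, proto = m.groups()
        reply = announced.get((dst, int(dport)))
        results.append({
            "iface": iface,
            "src": f"{src}:{sport}",
            "dst": f"{dst}:{dport}",
            "ftp_data": proto.upper() == "TCP" and reply is not None,
            "announced_by": reply,
        })
    return results


if __name__ == "__main__":
    for entry in classify_blocks(CONTROL, SERVER_IP, BLOCKED):
        print(entry)
```

An entry flagged `ftp_data` is traffic the FTP proxy or helper should have opened a pinhole for, which points at the helper rather than at a missing wide port range in the user rules.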



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Great!  Glad it's solved.

Scott


On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> So daily I use the term PEBKAC when referring to some of the silly
> problems I tend to see people come to me with on a day to day basis.
> Well this problem turns out is my own PEBKAC. There was an old entry for
> a PROXY ARP that was causing the problem, all is good now.
>
> Thanks Scott for your help, as well as your work on this project. It has
> saved me from having to use a PIX or some other commercial product I
> don't like. FreeBSD and PF are awesome.
>
> On Thu, 2006-03-02 at 11:32 -0800, Derrick MacPherson wrote:
> > ya I knew that, sorry I wasn't sure where else that was listed, I keep
> > forgetting about the default page:
> >
> > TESTING-SNAPSHOT-02-20-06
> >
> > On Thu, 2006-03-02 at 14:29 -0500, Scott Ullrich wrote:
> > > Ignore auto update, its not working.  You need to check the firmware
> > > version on the main status page.
> > >
> > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > The firmware autoupdate shows me running
> > > > 1.0b2rc5
> > > >
> > > > On Thu, 2006-03-02 at 14:24 -0500, Scott Ullrich wrote:
> > > > > Sounds like the bug we fixed after beta1, honestly...
> > > > >
> > > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > currently:
> > > > > >
> > > > > > x.x.x.89 is the WAN interface
> > > > > > x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
> > > > > >
> > > > > >
> > > > > > If I disable binat to the DMZ machine, outbound passive FTP will 
> > > > > > work,
> > > > > > but then the machine is not accessible via x.x.x.68
> > > > > >
> > > > > > does that help?
> > > > > >
> > > > > >
> > > > > > On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > > > > > > Shouldnt need to do any of this, no.   I'll try to make some time 
> > > > > > > to
> > > > > > > bring up a box and test this but my next 4 days are going to be 
> > > > > > > tough
> > > > > > > to find extra time.
> > > > > > >
> > > > > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > > > > > > Looks fine to me.  Not really sure what is going on as FTP 
> > > > > > > > > works fine here.
> > > > > > > >
> > > > > > > > Like I said, works fine on the LAN interface, not the DMZ 
> > > > > > > > interface.
> > > > > > > > Perhaps there's something else in the pfsense config i'm 
> > > > > > > > missing.
> > > > > > > >
> > > > > > > > do I have to set a 1:1 NAT for the machines in my non-routable 
> > > > > > > > DMZ?
> > > > > > > >
> > > > > > > > or any changes to be made to the Outbound NAT?
> > > > > > > >
> > > > > > > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
So daily I use the term PEBKAC when referring to some of the silly
problems I tend to see people come to me with on a day to day basis.
Well this problem turns out is my own PEBKAC. There was an old entry for
a PROXY ARP that was causing the problem, all is good now.

Thanks Scott for your help, as well as your work on this project. It has
saved me from having to use a PIX or some other commercial product I
don't like. FreeBSD and PF are awesome.

On Thu, 2006-03-02 at 11:32 -0800, Derrick MacPherson wrote:
> ya I knew that, sorry I wasn't sure where else that was listed, I keep
> forgetting about the default page:
> 
> TESTING-SNAPSHOT-02-20-06 
> 
> On Thu, 2006-03-02 at 14:29 -0500, Scott Ullrich wrote:
> > Ignore auto update, its not working.  You need to check the firmware
> > version on the main status page.
> > 
> > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > The firmware autoupdate shows me running
> > > 1.0b2rc5
> > >
> > > On Thu, 2006-03-02 at 14:24 -0500, Scott Ullrich wrote:
> > > > Sounds like the bug we fixed after beta1, honestly...
> > > >
> > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > currently:
> > > > >
> > > > > x.x.x.89 is the WAN interface
> > > > > x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
> > > > >
> > > > >
> > > > > If I disable binat to the DMZ machine, outbound passive FTP will work,
> > > > > but then the machine is not accessible via x.x.x.68
> > > > >
> > > > > does that help?
> > > > >
> > > > >
> > > > > On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > > > > > Shouldnt need to do any of this, no.   I'll try to make some time to
> > > > > > bring up a box and test this but my next 4 days are going to be 
> > > > > > tough
> > > > > > to find extra time.
> > > > > >
> > > > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > > > > > Looks fine to me.  Not really sure what is going on as FTP 
> > > > > > > > works fine here.
> > > > > > >
> > > > > > > Like I said, works fine on the LAN interface, not the DMZ 
> > > > > > > interface.
> > > > > > > Perhaps there's something else in the pfsense config i'm missing.
> > > > > > >
> > > > > > > do I have to set a 1:1 NAT for the machines in my non-routable 
> > > > > > > DMZ?
> > > > > > >
> > > > > > > or any changes to be made to the Outbound NAT?
> > > > > > >
> > > > > > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
ya I knew that, sorry I wasn't sure where else that was listed, I keep
forgetting about the default page:

TESTING-SNAPSHOT-02-20-06 

On Thu, 2006-03-02 at 14:29 -0500, Scott Ullrich wrote:
> Ignore auto update, its not working.  You need to check the firmware
> version on the main status page.
> 
> On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > The firmware autoupdate shows me running
> > 1.0b2rc5
> >
> > On Thu, 2006-03-02 at 14:24 -0500, Scott Ullrich wrote:
> > > Sounds like the bug we fixed after beta1, honestly...
> > >
> > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > currently:
> > > >
> > > > x.x.x.89 is the WAN interface
> > > > x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
> > > >
> > > >
> > > > If I disable binat to the DMZ machine, outbound passive FTP will work,
> > > > but then the machine is not accessible via x.x.x.68
> > > >
> > > > does that help?
> > > >
> > > >
> > > > On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > > > > Shouldnt need to do any of this, no.   I'll try to make some time to
> > > > > bring up a box and test this but my next 4 days are going to be tough
> > > > > to find extra time.
> > > > >
> > > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > > > > Looks fine to me.  Not really sure what is going on as FTP works 
> > > > > > > fine here.
> > > > > >
> > > > > > Like I said, works fine on the LAN interface, not the DMZ interface.
> > > > > > Perhaps there's something else in the pfsense config i'm missing.
> > > > > >
> > > > > > do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
> > > > > >
> > > > > > or any changes to be made to the Outbound NAT?
> > > > > >
> > > > > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Ignore auto update, it's not working.  You need to check the firmware
version on the main status page.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> The firmware autoupdate shows me running
> 1.0b2rc5
>
> On Thu, 2006-03-02 at 14:24 -0500, Scott Ullrich wrote:
> > Sounds like the bug we fixed after beta1, honestly...
> >
> > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > currently:
> > >
> > > x.x.x.89 is the WAN interface
> > > x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
> > >
> > >
> > > If I disable binat to the DMZ machine, outbound passive FTP will work,
> > > but then the machine is not accessible via x.x.x.68
> > >
> > > does that help?
> > >
> > >
> > > On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > > > Shouldnt need to do any of this, no.   I'll try to make some time to
> > > > bring up a box and test this but my next 4 days are going to be tough
> > > > to find extra time.
> > > >
> > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > > > Looks fine to me.  Not really sure what is going on as FTP works 
> > > > > > fine here.
> > > > >
> > > > > Like I said, works fine on the LAN interface, not the DMZ interface.
> > > > > Perhaps there's something else in the pfsense config i'm missing.
> > > > >
> > > > > do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
> > > > >
> > > > > or any changes to be made to the Outbound NAT?
> > > > >
> > > > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
The firmware autoupdate shows me running 
1.0b2rc5

On Thu, 2006-03-02 at 14:24 -0500, Scott Ullrich wrote:
> Sounds like the bug we fixed after beta1, honestly...
> 
> On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > currently:
> >
> > x.x.x.89 is the WAN interface
> > x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
> >
> >
> > If I disable binat to the DMZ machine, outbound passive FTP will work,
> > but then the machine is not accessible via x.x.x.68
> >
> > does that help?
> >
> >
> > On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > > Shouldnt need to do any of this, no.   I'll try to make some time to
> > > bring up a box and test this but my next 4 days are going to be tough
> > > to find extra time.
> > >
> > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > > Looks fine to me.  Not really sure what is going on as FTP works fine 
> > > > > here.
> > > >
> > > > Like I said, works fine on the LAN interface, not the DMZ interface.
> > > > Perhaps there's something else in the pfsense config i'm missing.
> > > >
> > > > do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
> > > >
> > > > or any changes to be made to the Outbound NAT?
> > > >
> > > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Vivek Khera


On Mar 2, 2006, at 2:12 PM, Derrick MacPherson wrote:

> Like I said, works fine on the LAN interface, not the DMZ interface.
> Perhaps there's something else in the pfsense config i'm missing.
>
> do I have to set a 1:1 NAT for the machines in my non-routable DMZ?

with snapshot 02-20-06 I have found that some remote sites work to
fetch via ftp (passive or otherwise) while others do not, from my 1:1
NATted host on my LAN (no DMZ here).  ftp to all hosts works
flawlessly for other clients that are just normal NATs.

I haven't figured out a pattern yet as to when it works and when it
doesn't.






Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Sounds like the bug we fixed after beta1, honestly...

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> currently:
>
> x.x.x.89 is the WAN interface
> x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ
>
>
> If I disable binat to the DMZ machine, outbound passive FTP will work,
> but then the machine is not accessible via x.x.x.68
>
> does that help?
>
>
> On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> > Shouldnt need to do any of this, no.   I'll try to make some time to
> > bring up a box and test this but my next 4 days are going to be tough
> > to find extra time.
> >
> > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > > Looks fine to me.  Not really sure what is going on as FTP works fine 
> > > > here.
> > >
> > > Like I said, works fine on the LAN interface, not the DMZ interface.
> > > Perhaps there's something else in the pfsense config i'm missing.
> > >
> > > do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
> > >
> > > or any changes to be made to the Outbound NAT?
> > >
> > >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
currently:

x.x.x.89 is the WAN interface
x.x.x.68 is the IP binat'd to 10.1.1.150 in the DMZ


If I disable binat to the DMZ machine, outbound passive FTP will work,
but then the machine is not accessible via x.x.x.68

does that help?


On Thu, 2006-03-02 at 14:13 -0500, Scott Ullrich wrote:
> Shouldnt need to do any of this, no.   I'll try to make some time to
> bring up a box and test this but my next 4 days are going to be tough
> to find extra time.
> 
> On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > > Looks fine to me.  Not really sure what is going on as FTP works fine 
> > > here.
> >
> > Like I said, works fine on the LAN interface, not the DMZ interface.
> > Perhaps there's something else in the pfsense config i'm missing.
> >
> > do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
> >
> > or any changes to be made to the Outbound NAT?
> >
> >



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Shouldn't need to do any of this, no.   I'll try to make some time to
bring up a box and test this but my next 4 days are going to be tough
to find extra time.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> > Looks fine to me.  Not really sure what is going on as FTP works fine here.
>
> Like I said, works fine on the LAN interface, not the DMZ interface.
> Perhaps there's something else in the pfsense config i'm missing.
>
> do I have to set a 1:1 NAT for the machines in my non-routable DMZ?
>
> or any changes to be made to the Outbound NAT?
>
>



Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
On Thu, 2006-03-02 at 14:02 -0500, Scott Ullrich wrote:
> Looks fine to me.  Not really sure what is going on as FTP works fine here.

Like I said, works fine on the LAN interface, not the DMZ interface.
Perhaps there's something else in the pfsense config i'm missing.

do I have to set a 1:1 NAT for the machines in my non-routable DMZ?

or any changes to be made to the Outbound NAT?





Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
On Thu, 2006-03-02 at 12:12 -0500, Scott Ullrich wrote:
> FTP is handled by rules behind the scene.  The rules you are showing
> us mean nothing to it.

Sorry this might be a bit ugly sending everything, but here goes:


scrub on xl0 all fragment reassemble
anchor "ftpsesame/*" all
anchor "firewallrules" all
anchor "loopback" all
pass in quick on lo0 all label "pass loopback"
pass out quick on lo0 all label "pass loopback"
anchor "packageearly" all
anchor "carp" all
pass in quick on em0 inet proto tcp from any to (lo0) port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to (lo0) port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on bge0 inet proto tcp from any to (lo0) port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on bge0 inet proto tcp from any to (lo0) port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any port = ftp-data to (xl0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "dhcpserverlan" all
pass in quick on bge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
pass in quick on bge0 inet proto udp from any port = bootpc to 172.16.128.15 port = bootps label "allow access to DHCP server on LAN"
pass out quick on bge0 inet proto udp from 172.16.128.15 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
anchor "dhcpserver" all
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 10.1.1.1 port = bootps label "allow access to DHCP server"
pass out quick on em0 inet proto udp from 10.1.1.1 port = bootps to any port = bootpc label "allow access to DHCP server"
pass out on em0 proto icmp all keep state label "allow access to DHCP server"
block drop in log quick on xl0 inet from 10.1.1.0/24 to any label "interface spoof check"
block drop in log quick on xl0 inet proto udp from any port = bootps to 172.16.128.0/20 port = bootpc label "allow dhcp client out wan"
pass in quick on xl0 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
block drop in on ! bge0 inet from 172.16.128.0/20 to any
block drop in on bge0 inet6 from fe80::212:3fff:fe2a:1584 to any
block drop in inet from 172.16.128.15 to any
block drop in on ! em0 inet from 10.1.1.0/24 to any
block drop in on em0 inet6 from fe80::20e:cff:fe84:ecc9 to any
block drop in inet from 10.1.1.1 to any
anchor "limitingesr" all
anchor "firewallout" all
pass out quick on xl0 all keep state label "let out anything from firewall host itself"
pass out quick on bge0 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
anchor "anti-lockout" all
pass in quick inet from 172.16.128.0/20 to 172.16.128.15 keep state label "anti-lockout web rule"
block drop in log proto tcp from  to any port = ssh label "sshlockout"
pass in quick on xl0 proto tcp from any to any port = ssh keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = ntp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = domain keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = ftp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = https keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto tcp from any to any port = http keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ssh keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ntp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = domain keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ftp keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = https keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = http keep state label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto tcp from 139.142.2.3 port = domain to any keep state label "USER_RULE"
pass in quick on xl0 inet proto udp from 139.142.2.2 port = domain to any keep state label "USER_RULE
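Added example (not part of the original message, and not pfSense code): a ruleset dump pasted into mail is easier to review once the line wrapping is undone and the FTP-related rules are pulled out. `unwrap`, `parse` and `audit` are hypothetical helpers; the embedded rules are an excerpt of the ruleset above, hard-wrapped as a mail client would leave them, with em0 as the DMZ and bge0 as the LAN per the interface list given in the thread.

```python
import re
from collections import Counter

# Keywords that can begin a pf rule line in a ruleset dump.
RULE_START = re.compile(r'^(scrub|anchor|pass|block|nat|rdr|binat)\b')

# Excerpt of the mailed ruleset, still hard-wrapped by the mail client.
MAILED_RULES = '''\
anchor "ftpsesame/*" all
pass in quick on em0 inet proto tcp from any to (lo0) port = ftp-proxy
keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on bge0 inet proto tcp from any to (lo0) port = ftp-proxy
keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on xl0 inet proto tcp from any port = ftp-data to (xl0)
port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode
data connection"
pass out quick on em0 all keep state label "let out anything from
firewall host itself"
pass out quick on em0 all keep state label "let out anything from
firewall host itself"
pass in quick on xl0 proto tcp from any to any port = ftp keep state
label "USER_RULE: Allowed incomming ports"
pass in quick on xl0 proto udp from any to any port = ftp keep state
label "USER_RULE: Allowed incomming ports"
'''


def unwrap(text):
    """Rejoin rules that were split across lines by mail wrapping."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # An odd number of quotes means the label was cut mid-string, so the
        # next line continues it even if it happens to start with a keyword.
        open_quote = bool(rules) and rules[-1].count('"') % 2 == 1
        if rules and (open_quote or not RULE_START.match(line)):
            rules[-1] += " " + line
        else:
            rules.append(line)
    return rules


def parse(rule):
    """Extract the fields the audit needs from one unwrapped rule."""
    head = re.sub(r'\s+label ".*$', "", rule)  # keep label text out of matching

    def grab(pattern, text=head):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    return {
        "text": rule,
        "action": rule.split()[0],
        "iface": grab(r"\bon (?:! )?(\S+)"),
        "proto": grab(r"\bproto (\S+)"),
        "dst_port": grab(r"\bto \S+ port \S+ (\S+)"),
        "label": grab(r'label "([^"]*)"', rule),
    }


def audit(text):
    """Summarise the FTP-relevant parts of a ruleset dump."""
    rules = [parse(r) for r in unwrap(text)]
    counts = Counter(r["text"] for r in rules)
    return {
        # Anchors whose name mentions ftp (where proxy/helper rules are loaded)
        "ftp_anchors": [r["text"].split('"')[1] for r in rules
                        if r["action"] == "anchor" and "ftp" in r["text"]],
        # Interfaces allowed to reach the local FTP proxy port
        "proxy_ifaces": sorted({r["iface"] for r in rules
                                if r["dst_port"] == "ftp-proxy"}),
        # Rules that appear more than once
        "duplicates": [t for t, n in counts.items() if n > 1],
        # FTP runs over TCP, so a UDP pass rule for port ftp only adds exposure
        "udp_ftp": [r["iface"] for r in rules
                    if r["action"] == "pass" and r["proto"] == "udp"
                    and r["dst_port"] == "ftp"],
    }


if __name__ == "__main__":
    for key, value in audit(MAILED_RULES).items():
        print(key, value)
```

On this excerpt the proxy pass rule is present on both em0 and bge0, the em0 "let out anything" rule is listed twice, and xl0 carries a UDP pass rule for port ftp that FTP itself never uses.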

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Looks fine to me.  Not really sure what is going on as FTP works fine here.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> On Thu, 2006-03-02 at 12:12 -0500, Scott Ullrich wrote:
> > FTP is handled by rules behind the scene.  The rules you are showing
> > us mean nothing to it.
>
> Sorry this might be a bit ugly sending everything, but here goes:
>
>
> scrub on xl0 all fragment reassemble
> anchor "ftpsesame/*" all
> anchor "firewallrules" all
> anchor "loopback" all
> pass in quick on lo0 all label "pass loopback"
> pass out quick on lo0 all label "pass loopback"
> anchor "packageearly" all
> anchor "carp" all
> pass in quick on em0 inet proto tcp from any to (lo0) port = ftp-proxy
> keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on em0 inet proto tcp from any to (lo0) port = ftp keep
> state label "FTP PROXY: Allow traffic to localhost"
> anchor "ftpproxy" all
> anchor "pftpx/*" all
> pass in quick on bge0 inet proto tcp from any to (lo0) port = ftp-proxy
> keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on bge0 inet proto tcp from any to (lo0) port = ftp keep
> state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on xl0 inet proto tcp from any port = ftp-data to (xl0)
> port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode
> data connection"
> anchor "dhcpserverlan" all
> pass in quick on bge0 inet proto udp from any port = bootpc to
> 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
> pass in quick on bge0 inet proto udp from any port = bootpc to
> 172.16.128.15 port = bootps label "allow access to DHCP server on LAN"
> pass out quick on bge0 inet proto udp from 172.16.128.15 port = bootps
> to any port = bootpc label "allow access to DHCP server on LAN"
> anchor "dhcpserver" all
> pass in quick on em0 inet proto udp from any port = bootpc to
> 255.255.255.255 port = bootps label "allow access to DHCP server"
> pass in quick on em0 inet proto udp from any port = bootpc to 10.1.1.1
> port = bootps label "allow access to DHCP server"
> pass out quick on em0 inet proto udp from 10.1.1.1 port = bootps to any
> port = bootpc label "allow access to DHCP server"
> pass out on em0 proto icmp all keep state label "allow access to DHCP
> server"
> block drop in log quick on xl0 inet from 10.1.1.0/24 to any label
> "interface spoof check"
> block drop in log quick on xl0 inet proto udp from any port = bootps to
> 172.16.128.0/20 port = bootpc label "allow dhcp client out wan"
> pass in quick on xl0 proto udp from any port = bootps to any port =
> bootpc label "allow dhcp client out wan"
> block drop in on ! bge0 inet from 172.16.128.0/20 to any
> block drop in on bge0 inet6 from fe80::212:3fff:fe2a:1584 to any
> block drop in inet from 172.16.128.15 to any
> block drop in on ! em0 inet from 10.1.1.0/24 to any
> block drop in on em0 inet6 from fe80::20e:cff:fe84:ecc9 to any
> block drop in inet from 10.1.1.1 to any
> anchor "limitingesr" all
> anchor "firewallout" all
> pass out quick on xl0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on bge0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em0 all keep state label "let out anything from
> firewall host itself"
> pass out quick on em0 all keep state label "let out anything from
> firewall host itself"
> anchor "anti-lockout" all
> pass in quick inet from 172.16.128.0/20 to 172.16.128.15 keep state
> label "anti-lockout web rule"
> block drop in log proto tcp from  to any port = ssh label
> "sshlockout"
> pass in quick on xl0 proto tcp from any to any port = ssh keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto tcp from any to any port = ntp keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto tcp from any to any port = domain keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto tcp from any to any port = ftp keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto tcp from any to any port = https keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto tcp from any to any port = http keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = ssh keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = ntp keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = domain keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = ftp keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = https keep state
> label "USER_RULE: Allowed incomming ports"
> pass in quick on xl0 proto udp from any to any port = http keep state
> label "USER_RULE: Allowed inc

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
FTP is handled by rules behind the scene.  The rules you are showing
us mean nothing to it.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> Hmm. I'm still having the passive FTP issue. It's quite possibly
> something in my rules, does anything look borked?
>
> On Thu, 2006-03-02 at 12:02 -0500, Scott Ullrich wrote:
> > Yep, that's it.
> >
> > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > Thanks Scott,
> > >
> > > Should I be grabbing
> > >
> > > http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
> > >
> > > for that?
> > >
> > > > Sorry I'm not quite sure if this is the latest or if there's some other
> > > > method to get it
> > >
> > > On Thu, 2006-03-02 at 10:44 -0500, Scott Ullrich wrote:
> > > > Fixed in latest testing snapshot. Please update.
> > > >
> > > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > > I'm trying to set up the following:
> > > > >
> > > > > >                       / <-> CARP
> > > > > > WAN int (PFSENSE BOX) <-> LAN
> > > > > >                       \ <-> DMZ
> > > > > >
> > > > > > I want to have nat on the LAN, bi-nat on the DMZ, filtering incoming and
> > > > > > outgoing traffic. I'm close, but I've had issues with trying to get this
> > > > > > all working; I can't get outbound PASV ftp from the DMZ; I just want to
> > > > > > be sure that pfsense is capable before I expend any more energy on this.
> > > > > > I can't find the traffic being blocked, nor do I see it connecting to the
> > > > > > local proxy.
> > > > >
> > > > > Let me know what else I can supply you with, here are some details:
> > > > >
> > > > > The CARP interface is disabled till I get this working
> > > > >
> > > > > (for below - x.x.x = external address scheme)
> > > > >
> > > > >   OPT1(DMZ)*   ->   em0 ->  10.1.1.1
> > > > >   LAN* ->   bge0->  172.16.128.15
> > > > >   WAN* ->   xl0 ->  x.x.x.89
> > > > >
> > > > > pfctl -sr | grep USER
> > > > >
> > > > > pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state
> > > > > label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state
> > > > > label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = ssh keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = ntp keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = domain keep 
> > > > > state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = ftp keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = https keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto tcp from any to any port = http keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = ssh keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = ntp keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = domain keep 
> > > > > state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = ftp keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = https keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 proto udp from any to any port = http keep state
> > > > > label "USER_RULE: Allowed incomming ports"
> > > > >
> > > > > pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to
> > > > > any keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any
> > > > > keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any
> > > > > keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any
> > > > > keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 
> > > > > 49152
> > > > > flags S/SA keep state label "USER_RULE: FTP Passive ports"
> > > > >
> > > > > pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 
> > > > > flags
> > > > > S/SA keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on em0 all keep state label "USER_RULE"
> > > > >
> > > > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1
> > > > > flags S/SA ke

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
Hmm. I'm still having the passive FTP issue. It's quite possibly
something in my rules, does anything look borked? 

On Thu, 2006-03-02 at 12:02 -0500, Scott Ullrich wrote:
> Yep, that's it.
> 
> On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > Thanks Scott,
> >
> > Should I be grabbing
> >
> > http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
> >
> > for that?
> >
> > Sorry I'm not quite sure if this is the latest or if there's some other
> > method to get it
> >
> > On Thu, 2006-03-02 at 10:44 -0500, Scott Ullrich wrote:
> > > Fixed in latest testing snapshot. Please update.
> > >
> > > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > > I'm trying to set up the following:
> > > >
> > > >                       / <-> CARP
> > > > WAN int (PFSENSE BOX) <-> LAN
> > > >                       \ <-> DMZ
> > > >
> > > > I want to have nat on the LAN, bi-nat on the DMZ, filtering incoming and
> > > > outgoing traffic. I'm close, but I've had issues with trying to get this
> > > > all working; I can't get outbound PASV ftp from the DMZ; I just want to
> > > > be sure that pfsense is capable before I expend any more energy on this.
> > > > I can't find the traffic being blocked, nor do I see it connecting to the
> > > > local proxy.
> > > >
> > > > Let me know what else I can supply you with, here are some details:
> > > >
> > > > The CARP interface is disabled till I get this working
> > > >
> > > > (for below - x.x.x = external address scheme)
> > > >
> > > >   OPT1(DMZ)*   ->   em0 ->  10.1.1.1
> > > >   LAN* ->   bge0->  172.16.128.15
> > > >   WAN* ->   xl0 ->  x.x.x.89
> > > >
> > > > pfctl -sr | grep USER
> > > >
> > > > pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state
> > > > label "USER_RULE"
> > > >
> > > > pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state
> > > > label "USER_RULE"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = ssh keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = ntp keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = domain keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = ftp keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = https keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto tcp from any to any port = http keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = ssh keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = ntp keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = domain keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = ftp keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = https keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 proto udp from any to any port = http keep state
> > > > label "USER_RULE: Allowed incomming ports"
> > > >
> > > > pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to
> > > > any keep state label "USER_RULE"
> > > >
> > > > pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any
> > > > keep state label "USER_RULE"
> > > >
> > > > pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any
> > > > keep state label "USER_RULE"
> > > >
> > > > pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any
> > > > keep state label "USER_RULE"
> > > >
> > > > pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152
> > > > flags S/SA keep state label "USER_RULE: FTP Passive ports"
> > > >
> > > > pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 flags
> > > > S/SA keep state label "USER_RULE"
> > > >
> > > > pass in quick on em0 all keep state label "USER_RULE"
> > > >
> > > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1
> > > > flags S/SA keep state label "USER_RULE"
> > > >
> > > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > > http flags S/SA keep state label "USER_RULE"
> > > >
> > > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > > https flags S/SA keep state label "USER_RULE"
> > > >
> > > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > > ftp flags S/SA keep state label "USER_RULE

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Yep, that's it.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> Thanks Scott,
>
> Should I be grabbing
>
> http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/
>
> for that?
>
> Sorry I'm not quite sure if this is the latest or if there's some other
> method to get it
>
> On Thu, 2006-03-02 at 10:44 -0500, Scott Ullrich wrote:
> > Fixed in latest testing snapshot. Please update.
> >
> > On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > > I'm trying to set up the following:
> > >
> > >                       / <-> CARP
> > > WAN int (PFSENSE BOX) <-> LAN
> > >                       \ <-> DMZ
> > >
> > > I want to have nat on the LAN, bi-nat on the DMZ, filtering incoming and
> > > outgoing traffic. I'm close, but I've had issues with trying to get this
> > > all working; I can't get outbound PASV ftp from the DMZ; I just want to
> > > be sure that pfsense is capable before I expend any more energy on this.
> > > I can't find the traffic being blocked, nor do I see it connecting to the
> > > local proxy.
> > >
> > > Let me know what else I can supply you with, here are some details:
> > >
> > > The CARP interface is disabled till I get this working
> > >
> > > (for below - x.x.x = external address scheme)
> > >
> > >   OPT1(DMZ)*   ->   em0 ->  10.1.1.1
> > >   LAN* ->   bge0->  172.16.128.15
> > >   WAN* ->   xl0 ->  x.x.x.89
> > >
> > > pfctl -sr | grep USER
> > >
> > > pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state
> > > label "USER_RULE"
> > >
> > > pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state
> > > label "USER_RULE"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = ssh keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = ntp keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = domain keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = ftp keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = https keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto tcp from any to any port = http keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = ssh keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = ntp keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = domain keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = ftp keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = https keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 proto udp from any to any port = http keep state
> > > label "USER_RULE: Allowed incomming ports"
> > >
> > > pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to
> > > any keep state label "USER_RULE"
> > >
> > > pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any
> > > keep state label "USER_RULE"
> > >
> > > pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any
> > > keep state label "USER_RULE"
> > >
> > > pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any
> > > keep state label "USER_RULE"
> > >
> > > pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152
> > > flags S/SA keep state label "USER_RULE: FTP Passive ports"
> > >
> > > pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 flags
> > > S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on em0 all keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1
> > > flags S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > http flags S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > https flags S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > ftp flags S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > ssh flags S/SA keep state label "USER_RULE"
> > >
> > > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > > domain flags S/SA keep state label "USER_RULE"
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Derrick MacPherson
Thanks Scott,

Should I be grabbing

http://pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-19-06/

for that?

Sorry I'm not quite sure if this is the latest or if there's some other
method to get it

On Thu, 2006-03-02 at 10:44 -0500, Scott Ullrich wrote:
> Fixed in latest testing snapshot. Please update.
> 
> On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > I'm trying to set up the following:
> >
> >                       / <-> CARP
> > WAN int (PFSENSE BOX) <-> LAN
> >                       \ <-> DMZ
> >
> > I want to have nat on the LAN, bi-nat on the DMZ, filtering incoming and
> > outgoing traffic. I'm close, but I've had issues with trying to get this
> > all working; I can't get outbound PASV ftp from the DMZ; I just want to
> > be sure that pfsense is capable before I expend any more energy on this.
> > I can't find the traffic being blocked, nor do I see it connecting to the
> > local proxy.
> >
> > Let me know what else I can supply you with, here are some details:
> >
> > The CARP interface is disabled till I get this working
> >
> > (for below - x.x.x = external address scheme)
> >
> >   OPT1(DMZ)*   ->   em0 ->  10.1.1.1
> >   LAN* ->   bge0->  172.16.128.15
> >   WAN* ->   xl0 ->  x.x.x.89
> >
> > pfctl -sr | grep USER
> >
> > pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state
> > label "USER_RULE"
> >
> > pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state
> > label "USER_RULE"
> >
> > pass in quick on xl0 proto tcp from any to any port = ssh keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto tcp from any to any port = ntp keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto tcp from any to any port = domain keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto tcp from any to any port = ftp keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto tcp from any to any port = https keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto tcp from any to any port = http keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = ssh keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = ntp keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = domain keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = ftp keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = https keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 proto udp from any to any port = http keep state
> > label "USER_RULE: Allowed incomming ports"
> >
> > pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to
> > any keep state label "USER_RULE"
> >
> > pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any
> > keep state label "USER_RULE"
> >
> > pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any
> > keep state label "USER_RULE"
> >
> > pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any
> > keep state label "USER_RULE"
> >
> > pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152
> > flags S/SA keep state label "USER_RULE: FTP Passive ports"
> >
> > pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 flags
> > S/SA keep state label "USER_RULE"
> >
> > pass in quick on em0 all keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1
> > flags S/SA keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > http flags S/SA keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > https flags S/SA keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > ftp flags S/SA keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > ssh flags S/SA keep state label "USER_RULE"
> >
> > pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> > domain flags S/SA keep state label "USER_RULE"
> >

Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Scott Ullrich
Fixed in latest testing snapshot. Please update.

On 3/2/06, Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> I'm trying to set up the following:
>
>                       / <-> CARP
> WAN int (PFSENSE BOX) <-> LAN
>                       \ <-> DMZ
>
> I want to have nat on the LAN, bi-nat on the DMZ, filtering incoming and
> outgoing traffic. I'm close, but I've had issues with trying to get this
> all working; I can't get outbound PASV ftp from the DMZ; I just want to
> be sure that pfsense is capable before I expend any more energy on this.
> I can't find the traffic being blocked, nor do I see it connecting to the
> local proxy.
>
> Let me know what else I can supply you with, here are some details:
>
> The CARP interface is disabled till I get this working
>
> (for below - x.x.x = external address scheme)
>
>   OPT1(DMZ)*   ->   em0 ->  10.1.1.1
>   LAN* ->   bge0->  172.16.128.15
>   WAN* ->   xl0 ->  x.x.x.89
>
> pfctl -sr | grep USER
>
> pass in quick on xl0 inet proto tcp from any to x.x.x.68 keep state
> label "USER_RULE"
>
> pass in quick on xl0 inet proto udp from any to x.x.x.68 keep state
> label "USER_RULE"
>
> pass in quick on xl0 proto tcp from any to any port = ssh keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto tcp from any to any port = ntp keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto tcp from any to any port = domain keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto tcp from any to any port = ftp keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto tcp from any to any port = https keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto tcp from any to any port = http keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = ssh keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = ntp keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = domain keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = ftp keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = https keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 proto udp from any to any port = http keep state
> label "USER_RULE: Allowed incomming ports"
>
> pass in quick on xl0 inet proto tcp from 139.142.2.2 port = domain to
> any keep state label "USER_RULE"
>
> pass in quick on xl0 inet proto tcp from d.n.s.3 port = domain to any
> keep state label "USER_RULE"
>
> pass in quick on xl0 inet proto udp from d.n.s.2 port = domain to any
> keep state label "USER_RULE"
>
> pass in quick on xl0 inet proto udp from d.n.s.3 port = domain to any
> keep state label "USER_RULE"
>
> pass in quick on xl0 inet proto tcp from any to 10.1.1.150 port >= 49152
> flags S/SA keep state label "USER_RULE: FTP Passive ports"
>
> pass in quick on em0 inet proto tcp from 10.1.1.0/24 to 127.0.0.1 flags
> S/SA keep state label "USER_RULE"
>
> pass in quick on em0 all keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to 127.0.0.1
> flags S/SA keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> http flags S/SA keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> https flags S/SA keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> ftp flags S/SA keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> ssh flags S/SA keep state label "USER_RULE"
>
> pass in quick on bge0 inet proto tcp from 172.16.128.0/20 to any port =
> domain flags S/SA keep state label "USER_RULE"
>



Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Jason,

What you say is interesting, I mean, weighing up between opening ports or using
active connections... hmm... I'll think about it!


Thanks!

jonathan



Jason J. Ellingson wrote:

I had to use a passive port range (I chose 5000-5099) on the FTP server
software and then open a firewall rule for those ports to that server.  I
don't like it, but at least it works for me for now.  I see the FTP
helper/proxy correctly changing the PORT commands, but the firewall states
aren't allowing the connection through.

Jason J Ellingson

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]

-Original Message-
From: jonathan gonzalez [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 24, 2005 4:18 PM

To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp (strike 2)

Scott,

I put a rule as you told me but this doesn't seem to work. The only way
to enable ftp (active) is deactivating the ftp-helper.


This is a snippet of the ftp window in my workstation:


220-Local time is now 23:05. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

[...]

ftp> ls
200 PORT command successful
150 Connecting to port 3378

[...]

ftp> passive
Passive mode on.
ftp> ls -l
227 Entering Passive Mode (192,168,1,11,237,181)
ftp: connect: No route to host
ftp>
ftp>
ftp> passive
Passive mode off.
ftp> ls -l
200 PORT command successful
150 Connecting to port 3380

[...]

226-Options: -l
226 4 matches total



As you can see, active connections work but passive ones don't. The
negotiated port within the connection is 60853 ((256*237) + 181). My ftp
server (pure-ftpd) is allowing passive ports from 49000 to 65000 (49000
being the first port that pfSense understands as available for passive
transfers, as I saw in the internal code), so it shows that passive ftp is
not yet working :(


Any ideas?
Hope this helps.
Regards,


jonathan




Scott Ullrich wrote:


Do you have a rule permitting traffic from the WAN interface to
127.0.0.1?   If not, try this.

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:



What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:




Hi group,

I keep on having trouble accessing my ftp server on one of my LANs
from the internet.

Active ftp works fine, but even though we have discussed this in the past
and a ticket in the CVS was opened to somehow solve this issue,
something still seems to be present around this theme.

I tried, as I said, to ftp from the internet to my ftp server but I'm
unable to. If I disable ftp-helper it works in active mode but passive ftp
won't (of course there's no ftp-helper running).

Also I think (I should test it more times) that the pftpx command does not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
one configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward to someone helping me by telling me if someone else is having
the same behaviour in their boxes.

Thanks in advance.

jonathan









RE: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread Jason J. Ellingson
I had to use a passive port range (I chose 5000-5099) on the FTP server
software and then open a firewall rule for those ports to that server.  I
don't like it, but at least it works for me for now.  I see the FTP
helper/proxy correctly changing the PORT commands, but the firewall states
aren't allowing the connection through.

Jason J Ellingson

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]

-Original Message-
From: jonathan gonzalez [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 24, 2005 4:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp (strike 2)

Scott,

I put a rule as you told me but this doesn't seem to work. The only way
to enable ftp (active) is deactivating the ftp-helper.

This is a snippet of the ftp window in my workstation:


220-Local time is now 23:05. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

[...]

ftp> ls
200 PORT command successful
150 Connecting to port 3378

[...]

ftp> passive
Passive mode on.
ftp> ls -l
227 Entering Passive Mode (192,168,1,11,237,181)
ftp: connect: No route to host
ftp>
ftp>
ftp> passive
Passive mode off.
ftp> ls -l
200 PORT command successful
150 Connecting to port 3380

[...]

226-Options: -l
226 4 matches total



As you can see, active connections work but passive ones don't. The
negotiated port within the connection is 60853 ((256*237) + 181). My ftp
server (pure-ftpd) is allowing passive ports from 49000 to 65000 (49000
being the first port that pfSense understands as available for passive
transfers, as I saw in the internal code), so it shows that passive ftp is
not yet working :(

Any ideas?
Hope this helps.
Regards,


jonathan




Scott Ullrich wrote:
> Do you have a rule permitting traffic from the WAN interface to
> 127.0.0.1?   If not, try this.
> 
> On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> 
>>Scott,
>>
>>0.89.2
>>built on Sat Oct 22 22:16:29 UTC 2005
>>
>>
>>jonathan
>>
>>
>>
>>Scott Ullrich wrote:
>>
>>>What version?
>>>
>>>On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
>>>
>>>
>>>>Hi group,
>>>>
>>>>I keep on having trouble accessing my ftp server on one of my LANs
>>>>from the internet.
>>>>
>>>>Active ftp works fine, but even though we have discussed this in the past
>>>>and a ticket in the CVS was opened to somehow solve this issue,
>>>>something still seems to be present around this theme.
>>>>
>>>>I tried, as I said, to ftp from the internet to my ftp server but I'm
>>>>unable to. If I disable ftp-helper it works in active mode but passive ftp
>>>>won't (of course there's no ftp-helper running).
>>>>
>>>>Also I think (I should test it more times) that the pftpx command does not
>>>>update the ip address in the '-b' flag (the public ip) when the wan
>>>>interface is dynamic, so in some cases the pftpx command is running in
>>>>the pfSense box with an ip address for the '-b' flag that is not the
>>>>one configured in the WAN interface.
>>>>
>>>>I think you should take this into consideration for future releases.
>>>>
>>>>I look forward to someone helping me by telling me if someone else is having
>>>>the same behaviour in their boxes.
>>>>
>>>>Thanks in advance.
>>>>
>>>>jonathan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Scott,

i put a rule as you told me but this doesn't seem to work. The only way
to enable ftp (active) is de-activating the ftp-helper.


This is a snippet of the ftp window in my workstation:


220-Local time is now 23:05. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.

[...]

ftp> ls
200 PORT command successful
150 Connecting to port 3378

[...]

ftp> passive
Passive mode on.
ftp> ls -l
227 Entering Passive Mode (192,168,1,11,237,181)
ftp: connect: No route to host
ftp>
ftp>
ftp> passive
Passive mode off.
ftp> ls -l
200 PORT command successful
150 Connecting to port 3380

[...]

226-Options: -l
226 4 matches total



As you can see, active connections work but passive ones don't. The
negotiated port within the connection is 60853 ((256*237) + 181). My ftp
server (pure-ftpd) is allowing passive ports from 49000 to 65000 (49000
is the first port that pfSense understands as available for passive
transfers, as i saw in the internal code), so it shows the passive ftp is
not yet working :(


Any ideas?
Hope this helps.
Regards,


jonathan




Scott Ullrich wrote:

Do you have a rule permitting traffic from the WAN interface to
127.0.0.1?   If not, try this.

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:


What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:



Hi group,

i keep on having trouble while access my ftp server on one of my lan's
from internet.

Active ftp works fine, but, even if we have discussed this in the past
and a ticket in the cvs were opened to solve somehow this issue
something seems to be present yet around this theme.

I tried, as i said, to ftp from internet to my ftp server but i'm
unable. If i disable ftp-helper it works in active mode but passive ftp
won't (of course there's not ftp-helper running).

Also i think (i should test it more times) that the pftpx command do not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward someone to help me telling me if someone else is having
the same behaviour in their boxes.

Thanks in advance.

jonathan









Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread Scott Ullrich
Do you have a rule permitting traffic from the WAN interface to
127.0.0.1?   If not, try this.

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> Scott,
>
> 0.89.2
> built on Sat Oct 22 22:16:29 UTC 2005
>
>
> jonathan
>
>
>
> Scott Ullrich wrote:
> > What version?
> >
> > On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> >
> >>Hi group,
> >>
> >>i keep on having trouble while access my ftp server on one of my lan's
> >>from internet.
> >>
> >>Active ftp works fine, but, even if we have discussed this in the past
> >>and a ticket in the cvs were opened to solve somehow this issue
> >>something seems to be present yet around this theme.
> >>
> >>I tried, as i said, to ftp from internet to my ftp server but i'm
> >>unable. If i disable ftp-helper it works in active mode but passive ftp
> >>won't (of course there's not ftp-helper running).
> >>
> >>Also i think (i should test it more times) that the pftpx command do not
> >>update the ip address in the '-b' flag (the public ip) when the wan
> >>interface is dynamic, so in some cases the pftpx command is running in
> >>the pfSense box with an ip address for the '-b' flag that is not the
> >>configured in the WAN interface.
> >>
> >>I think you should take this into consideration for future releases.
> >>
> >>I look forward someone to help me telling me if someone else is having
> >>the same behaviour in their boxes.
> >>
> >>Thanks in advance.
> >>
> >>jonathan



Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread jonathan gonzalez

Scott,

0.89.2
built on Sat Oct 22 22:16:29 UTC 2005


jonathan



Scott Ullrich wrote:

What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:


Hi group,

i keep on having trouble while access my ftp server on one of my lan's
from internet.

Active ftp works fine, but, even if we have discussed this in the past
and a ticket in the cvs were opened to solve somehow this issue
something seems to be present yet around this theme.

I tried, as i said, to ftp from internet to my ftp server but i'm
unable. If i disable ftp-helper it works in active mode but passive ftp
won't (of course there's not ftp-helper running).

Also i think (i should test it more times) that the pftpx command do not
update the ip address in the '-b' flag (the public ip) when the wan
interface is dynamic, so in some cases the pftpx command is running in
the pfSense box with an ip address for the '-b' flag that is not the
configured in the WAN interface.

I think you should take this into consideration for future releases.

I look forward someone to help me telling me if someone else is having
the same behaviour in their boxes.

Thanks in advance.

jonathan









Re: [pfSense Support] passive ftp (strike 2)

2005-10-24 Thread Scott Ullrich
What version?

On 10/24/05, jonathan gonzalez <[EMAIL PROTECTED]> wrote:
> Hi group,
>
> i keep on having trouble while access my ftp server on one of my lan's
> from internet.
>
> Active ftp works fine, but, even if we have discussed this in the past
> and a ticket in the cvs were opened to solve somehow this issue
> something seems to be present yet around this theme.
>
> I tried, as i said, to ftp from internet to my ftp server but i'm
> unable. If i disable ftp-helper it works in active mode but passive ftp
> won't (of course there's not ftp-helper running).
>
> Also i think (i should test it more times) that the pftpx command do not
> update the ip address in the '-b' flag (the public ip) when the wan
> interface is dynamic, so in some cases the pftpx command is running in
> the pfSense box with an ip address for the '-b' flag that is not the
> configured in the WAN interface.
>
> I think you should take this into consideration for future releases.
>
> I look forward someone to help me telling me if someone else is having
> the same behaviour in their boxes.
>
> Thanks in advance.
>
> jonathan



Re: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 05:04 PM 10/10/2005, you wrote:

File a ticket on cvstrac and I will change the behavior to start the
ftp helper using:
/usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21


Roger.  Thx!








Re: [pfSense Support] passive ftp

2005-10-10 Thread Scott Ullrich
File a ticket on cvstrac and I will change the behavior to start the
ftp helper using:
/usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21

Scott


On 10/10/05, Dan Swartzendruber <[EMAIL PROTECTED]> wrote:
> At 04:38 PM 10/10/2005, you wrote:
> >Well I'm not sure to tell you the truth. I wonder if binding it to the
> >inet facing ip would fix it. The only thing is this would remove the need
> >for nat as you would have the proxy handle all the hand offs. :/
> >
> >Try this. Kill pftpx (only the one with the -c 21 -f 10.0.0.2 args)
> >Then run this. (replace $inet-address with your inet facing address)
> >/usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21
>
> this worked.  i also had to delete the nat tunnel for ftp.  i'm not
> sure how to make sure this sticks.  e.g. before i had a nat tunnel to
> the ftp server, and that seems to have created the pftpx process
> automagically, but it seems to need the '-b WAN' also. scott?




RE: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 04:38 PM 10/10/2005, you wrote:

Well I'm not sure to tell you the truth. I wonder if binding it to the
inet facing ip would fix it. The only thing is this would remove the need
for nat as you would have the proxy handle all the hand offs. :/

Try this. Kill pftpx (only the one with the -c 21 -f 10.0.0.2 args)
Then run this. (replace $inet-address with your inet facing address)
/usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21


this worked.  i also had to delete the nat tunnel for ftp.  i'm not 
sure how to make sure this sticks.  e.g. before i had a nat tunnel to 
the ftp server, and that seems to have created the pftpx process 
automagically, but it seems to need the '-b WAN' also. scott?







RE: [pfSense Support] passive ftp

2005-10-10 Thread Fleming, John (ZeroChaos)
Well I'm not sure to tell you the truth. I wonder if binding it to the
inet facing ip would fix it. The only thing is this would remove the need
for nat as you would have the proxy handle all the hand offs. :/

Try this. Kill pftpx (only the one with the -c 21 -f 10.0.0.2 args)
Then run this. (replace $inet-address with your inet facing address)
/usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21

If there are any nat rules you created delete them but make sure the
firewall holes are open.

-Original Message-
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 10, 2005 3:29 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] passive ftp

At 12:44 PM 10/10/2005, you wrote:
>This is what the man page says for the -f switch.
>
>   -f address
>           Fixed server address.  The proxy will always connect to the same
>           server, regardless of where the client wanted to connect to
>           (before it was redirected).  Use this option to proxy for a
>           server behind NAT, or to forward all connections to another
>           proxy.

so, what went wrong, then?  it is surely redirecting the tcp session, 
but the IP addresses in the FTP commands are not being NAT'ed?






RE: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 12:44 PM 10/10/2005, you wrote:

This is what the man page says for the -f switch.

  -f address
          Fixed server address.  The proxy will always connect to the same
          server, regardless of where the client wanted to connect to
          (before it was redirected).  Use this option to proxy for a
          server behind NAT, or to forward all connections to another
          proxy.


so, what went wrong, then?  it is surely redirecting the tcp session, 
but the IP addresses in the FTP commands are not being NAT'ed?







RE: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 12:44 PM 10/10/2005, you wrote:

This is what the man page says for the -f switch.

  -f address
          Fixed server address.  The proxy will always connect to the same
          server, regardless of where the client wanted to connect to
          (before it was redirected).  Use this option to proxy for a
          server behind NAT, or to forward all connections to another
          proxy.

So what is 10.0.0.2? Is that a nat ip on the firewall or the ftp server
you're handing off to?


10.0.0.2 is my freebsd 5.4 server, running pure-ftpd.








RE: [pfSense Support] passive ftp

2005-10-10 Thread Fleming, John (ZeroChaos)
This is what the man page says for the -f switch.

  -f address
          Fixed server address.  The proxy will always connect to the same
          server, regardless of where the client wanted to connect to
          (before it was redirected).  Use this option to proxy for a
          server behind NAT, or to forward all connections to another
          proxy.

So what is 10.0.0.2? Is that a nat ip on the firewall or the ftp server
you're handing off to?

-Original Message-
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 10, 2005 11:17 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] passive ftp

At 11:46 AM 10/10/2005, you wrote:
>Oh sorry I didn't read this very well. I'm guessing the problem has to
>do with the ftp proxy (pftpx) saying the data channel is on 10.0.0.2.
>
>227 Entering Passive Mode (10,0,0,2,191,87) <- 10,0,0,2

ah, yeah, i didn't notice that either.  not enough coffee, i guess 
:(  so it's not being nat'ed correctly?  (or at all)?






Re: [pfSense Support] passive ftp

2005-10-10 Thread Dave

Hi,
Yes, my comment was internal connections to external servers.
Dave.

- Original Message - 
From: "Jonathan Gonzalez" <[EMAIL PROTECTED]>

To: 
Sent: Monday, October 10, 2005 10:59 AM
Subject: Re: [pfSense Support] passive ftp


Hi Dave [hi all],

when i said passive ftp i was thinking in allow passive ftp to work
from external clients to my server, which is hosted behind pfsense.

I understand that your comment only applies to internal to external
connections, isn't it?

TIA,
Rgds,

jonathan



On 10/10/05, Dave <[EMAIL PROTECTED]> wrote:

Hi,
I've got passive ftp going, here's the relevant rules. I'm trying to get
active working and that is not.
Thanks.
Dave.

rules
ext_if = "rl0"
int_if = "xl0"
int_net="$int_if:network"
tcp_state="flags S/SA modulate state"
# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# block by default
block log all

# pass all loopback traffic
pass quick on lo0 all

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in
# inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state






RE: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 11:46 AM 10/10/2005, you wrote:

Oh sorry I didn't read this very well. I'm guessing the problem has to
do with the ftp proxy (pftpx) saying the data channel is on 10.0.0.2.

227 Entering Passive Mode (10,0,0,2,191,87) <- 10,0,0,2


ah, yeah, i didn't notice that either.  not enough coffee, i guess 
:(  so it's not being nat'ed correctly?  (or at all)?







RE: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 11:41 AM 10/10/2005, you wrote:

No route to host seems a little odd. Where did you start the ftp from
and where was it going to (lan -> dmz)?


i ssh'ed to a linux server outside (wan).  this was from wan => lan 
(via a tunnel).









RE: [pfSense Support] passive ftp

2005-10-10 Thread Fleming, John (ZeroChaos)
Oh sorry I didn't read this very well. I'm guessing the problem has to
do with the ftp proxy (pftpx) saying the data channel is on 10.0.0.2.

227 Entering Passive Mode (10,0,0,2,191,87) <- 10,0,0,2

-Original Message-
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 10, 2005 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp

At 11:13 AM 10/10/2005, you wrote:
>As of 0.86.4 there should be an automatic ftp helper that is launched
>for internet -> lan ftp redirections.  Make sure you're on the latest
>version.

Hmmm, I'm on 0.86.4 now, and it doesn't work for me.  I went to an 
external linux server and ftp'ed back in to my pure-ftp server (on my 
freebsd 5.4 server) and see this:

ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,0,0,2,191,87)
ftp: connect: No route to host

Here are the pftpx processes:

# ps ax | grep ftp
   565  ??  Ss 0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
   699  ??  Ss 0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21

Is there anything else you need to see?  Rules?




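
Added example (not part of the original thread, and not pfSense or pftpx code): a Python check that decodes the 227 replies quoted in this thread the way jonathan does by hand (256*237 + 181), flags a private address handed to an outside client as in the message above, and verifies that a pftpx started with -f carries a -b address equal to the WAN address. The addresses 203.0.113.10 and 203.0.113.7 and the third ps line are constructed sample values; the 49000-65000 range is the pure-ftpd setting jonathan mentions.

```python
import ipaddress
import re

# RFC 1918 networks: not routable from a client out on the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Decode a 227 reply into (IPv4Address, port); port = 256*p1 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def check_pasv(line, dialled_ip, passive_range):
    """Findings for a 227 reply seen by a client that dialled dialled_ip."""
    addr, port = parse_pasv(line)
    lo, hi = passive_range
    findings = []
    if any(addr in net for net in RFC1918):
        findings.append("private address %s sent to the client" % addr)
    if addr != ipaddress.IPv4Address(dialled_ip):
        findings.append("data address %s is not the dialled %s" % (addr, dialled_ip))
    if not lo <= port <= hi:
        findings.append("port %d outside permitted %d-%d" % (port, lo, hi))
    return findings

def _opt(args, flag):
    """Value that follows flag in an argument list, or None."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None

def pftpx_bind_findings(ps_output, wan_ip):
    """For each pftpx started with -f (fixed internal server), require a
    -b address equal to the current WAN address."""
    findings = []
    for line in ps_output.splitlines():
        words = line.split()
        cmd = next((i for i, w in enumerate(words) if w.endswith("/pftpx")), None)
        if cmd is None:
            continue
        args = words[cmd + 1:]
        server, bind = _opt(args, "-f"), _opt(args, "-b")
        if server is None:
            continue  # no fixed server (-f), nothing to check
        if bind is None:
            findings.append("pftpx for %s has no -b address" % server)
        elif bind != wan_ip:
            findings.append("pftpx for %s binds %s, WAN is %s" % (server, bind, wan_ip))
    return findings

# First two lines are the ps output posted in the thread; the third line and
# both 203.0.113.x addresses are constructed for this example.
SAMPLE_PS = """\
  565  ??  Ss 0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
  699  ??  Ss 0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21
  811  ??  Ss 0:00.10 /usr/local/sbin/pftpx -b 203.0.113.7 -c 21 -f 192.168.1.11 -g 21
"""

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,11,237,181)"
    print(parse_pasv(reply), check_pasv(reply, "203.0.113.10", (49000, 65000)))
    print(pftpx_bind_findings(SAMPLE_PS, "203.0.113.10"))
```
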



RE: [pfSense Support] passive ftp

2005-10-10 Thread Fleming, John (ZeroChaos)
No route to host seems a little odd. Where did you start the ftp from
and where was it going to (lan -> dmz)?

-Original Message-
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 10, 2005 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp

At 11:13 AM 10/10/2005, you wrote:
>As of 0.86.4 there should be an automatic ftp helper that is launched
>for internet -> lan ftp redirections.  Make sure you're on the latest
>version.

Hmmm, I'm on 0.86.4 now, and it doesn't work for me.  I went to an 
external linux server and ftp'ed back in to my pure-ftp server (on my 
freebsd 5.4 server) and see this:

ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,0,0,2,191,87)
ftp: connect: No route to host

Here are the pftpx processes:

# ps ax | grep ftp
   565  ??  Ss 0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
   699  ??  Ss 0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21

Is there anything else you need to see?  Rules?







Re: [pfSense Support] passive ftp

2005-10-10 Thread Dan Swartzendruber

At 11:13 AM 10/10/2005, you wrote:

As of 0.86.4 there should be an automatic ftp helper that is launched
for internet -> lan ftp redirections.  Make sure you're on the latest
version.


Hmmm, I'm on 0.86.4 now, and it doesn't work for me.  I went to an 
external linux server and ftp'ed back in to my pure-ftp server (on my 
freebsd 5.4 server) and see this:


ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,0,0,2,191,87)
ftp: connect: No route to host

Here are the pftpx processes:

# ps ax | grep ftp
  565  ??  Ss 0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
  699  ??  Ss 0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21

Is there anything else you need to see?  Rules?



