Hmm,
hi Martin,

I have made such a config, and I have realized for myself that
I have 2 options:
a) FTP server w/ ftp-proxy on WAN. IIRC this needs special setup in the XML config;
the result is also that I can't use the ftp-proxy on the LAN interface.
I am not 100% sure, but I believe I remember that activating
ftp-proxy on WAN is not possible from the browser user interface.

b) open the FTP high-range ports from WAN to the FTP server, and you can use
ftp-proxy for users from LAN... if you like to do so...

I have used option b) because it is no security risk if no other
services listen on such a port on the FTP server system; the port on the
FTP server's system is only opened if an FTP user makes a transfer...
this behavior underlies the FTP protocol's feature of PASV switching.
In other words, active or passive FTP transfer; this is handled by the
FTP protocol between the server and each individual client.
With option b) you are on the safe side that every user (whether
experienced or not) can make transfers from and to the FTP server,
regardless of transfer mode.
Works all the time.

Special attention is only needed if another service listens on the ports
that you must open for the FTP server (in almost all cases not the case).

cheers

michael

2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
> No problem ;-)
>
> That's the answer I expected...
>
> So there is really no way to accomplish this with some kind of FTP-helper 
> used in pfSense to open up just a few ports... ?
> I really need the whole portrange for FTP to be opened as defined in the 
> FTP-server ?
>
> Thanks so far for your help ;-)
>
> Regards,
>
> martin
>
> -----Original Message-----
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, 20 January 2009 00:27
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hi,
>
> in my possible solution NO, because you use the FTP server w/o
> proxy. Communication goes directly to your FTP server.
> Please also check out the port ranges of your FTP server
> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). They can differ
> from the ports that I have described. (Sorry, I forgot to say
> that my tips are related to this ftpd.)
>
> The proxy is needed for the users in your holy internal LAN.
>
> 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
>> Should the FTP-helper service be activated or deactivated on the 
>> WAN-Interface ?
>>
>> -----Original Message-----
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: Tuesday, 20 January 2009 00:14
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> solution:
>> Open the ports described in man 4 ip IP_PORTRANGE_HIGH,
>> referenced by man ftp-proxy, or look them up in sysctl net.inet.ip.portrange,
>> like:
>> net.inet.ip.portrange.hilast: 65535
>> net.inet.ip.portrange.hifirst: 49152
>> net.inet.ip.portrange.last: 65535
>> net.inet.ip.portrange.first: 49152
>>
>> from WAN to your FTP server and all will be fine.
>>
>> regards
>>
>> michael.
>>
>>
>>
>> 2009/1/20 Fuchs, Martin <martin.fu...@trendchiller.com>:
>>> Hi !
>>>
>>> I have set up a FTP server in my DMZ with an official IP address.
>>> From WAN -> DMZ the IPs are routed (no NAT).
>>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
>>> any files.
>>> It seems to require some more ports, so I thought the FTP-helper on the 
>>> WAN-side could be helpful, but this also does not work...
>>>
>>> Does anyone have any idea how to set this up without opening this ton of 
>>> ports FTP requires ?
>>>
>>> I know FTP is not the preferred way, but we need this :-(
>>>
>>> I'd be thankful for every hint...
>>>
>>> Active FTP is not really an option because most FTP-clients live behind NAT 
>>> devices so there's the problem of the data-connection again...
>>>
>>> Regards,
>>>
>>> Martin
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
>>> For additional commands, e-mail: support-h...@pfsense.com
>>>
>>> Commercial support available - https://portal.pfsense.org
>>>
>>>
>>
>>
>>
>> --
>> === m i c h a e l - s c h u h . n e t ===
>> Michael Schuh
>> Postfach 10 21 52
>> 66021 Saarbrücken
>> phone: 0681/8319664
>> mobil:  0177/9738644
>> @: m i c h a e l . s c h u h @ g m a i l . c o m
>>
>> === Ust-ID: DE251072318 ===
>>



-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===
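
An added example, not part of the original thread: it parses the data port a server announces in its 227 (PASV) or 229 (EPSV) reply and checks it against the 49152-65535 range opened in option b), which shows why port 21 alone is not enough and what happens when the server's passive range differs from the firewall rule. The sample replies and the address 203.0.113.10 are constructed.

```python
import re

# Range opened from WAN to the FTP server in the thread
# (net.inet.ip.portrange.hifirst .. hilast as quoted there).
HIFIRST, HILAST = 49152, 65535

PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")  # RFC 2428, any delimiter


def data_port(reply):
    """Return the data port a server announces in a 227 or 229 reply."""
    m = PASV.match(reply)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("port octet > 255 in %r" % reply)
        return p1 * 256 + p2  # the port is sent as two bytes
    m = EPSV.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port <= 65535:
            raise ValueError("bad port in %r" % reply)
        return port
    raise ValueError("not a passive-mode reply: %r" % reply)


def passes_firewall(port, first=HIFIRST, last=HILAST):
    """True if a WAN client can reach this port with only the range open."""
    return first <= port <= last


def audit(replies):
    """Return [(port, reachable)] for each captured control-channel reply."""
    return [(p, passes_firewall(p)) for p in map(data_port, replies)]


# Constructed sample replies (203.0.113.10 is a documentation address).
SAMPLE = [
    "227 Entering Passive Mode (203,0,113,10,192,5)",  # 192*256 + 5
    "229 Entering Extended Passive Mode (|||50000|)",
    "227 Entering Passive Mode (203,0,113,10,4,1)",    # server uses a low range
]

if __name__ == "__main__":
    for port, ok in audit(SAMPLE):
        print(port, "reachable" if ok else "blocked: server range differs from rule")
```

A blocked result means the server hands out data ports outside the opened range, so its passive port range has to be checked against the firewall rule.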
