Author Topic: DMZ and FTP Out  (Read 5385 times)

josh
DMZ and FTP Out
« on: November 16, 2005, 02:46:07 pm »
Hey Guys,

I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.

My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?

Thanks,
-Josh

Jesse7
Re: DMZ and FTP Out
« Reply #1 on: November 16, 2005, 06:37:01 pm »
I am probably wrong, but it might have something to do with the ftp helper option. I read it in another post on here.

billm
Re: DMZ and FTP Out
« Reply #2 on: November 19, 2005, 12:00:26 pm »
> Hey Guys,
>
> I'm trying to get ftp out working for my DMZ (OPT1). I do have pftpx turned on, and it works great for the LAN, but as for the DMZ, I can't get it running correctly. If I debug on pftpx (pftpx -d D7), any connections from the LAN go through fine, but anything from OPT1 never even gets an initial connection.
>
> My guess is something to do with the firewall rules for the pftpx/ftp proxy or a NAT/firewall rule I'm missing. Any ideas on how to get this working?
>
> Thanks,
> -Josh

0.94 was just released, please try that, there are numerous fixes in it.  Thanks

--Bill
pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

simonchs
Re: DMZ and FTP Out
« Reply #3 on: November 30, 2005, 11:06:46 am »
Seems this problem still exists in 0.94.10... I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
And I've got the following stats:
self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ


sullrich
Re: DMZ and FTP Out
« Reply #4 on: November 30, 2005, 11:13:42 am »
> Seems this problem still exists in 0.94.10... I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
> And I've got the following stats:
> self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
>
> 137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ

Fixed in 0.95+

simonchs
Re: DMZ and FTP Out
« Reply #5 on: November 30, 2005, 11:38:39 am »
> > Seems this problem still exists in 0.94.10... I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
> > And I've got the following stats:
> > self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
> >
> > 137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ
>
> Fixed in 0.95+

I've just tried to disable the ftp-helper for LAN and WAN interface too, but still cannot get this to work... is there any other setting I need to do?
Thanks.

sullrich
Re: DMZ and FTP Out
« Reply #6 on: November 30, 2005, 04:06:14 pm »
> > > Seems this problem still exists in 0.94.10... I can't FTP out even if I disable the ftp-helper for the DMZ (OPT1)...
> > > And I've got the following stats:
> > > self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
> > >
> > > 137.189.91.191 is an anonymous FTP that I connect to, xx.xx.30.100 is my server IP under bridged DMZ
> >
> > Fixed in 0.95+

Do you still see entries like: self tcp 127.0.0.1:8022 ??

> I've just tried to disable the ftp-helper for LAN and WAN interface too, but still cannot get this to work... is there any other setting I need to do?
> Thanks.


simonchs
Re: DMZ and FTP Out
« Reply #7 on: December 01, 2005, 11:37:59 am »
yup, I still got the

self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT

in "Diagnostics: Show States" when I FTP out in DMZ server.

sullrich
Re: DMZ and FTP Out
« Reply #8 on: December 01, 2005, 05:46:10 pm »
> yup, I still got the
>
> self tcp 127.0.0.1:8022 <- 137.189.91.191:21 <- xx.xx.30.100:40899    CLOSED:SYN_SENT
>
> in "Diagnostics: Show States" when I FTP out in DMZ server.


Then the FTP helper isn't being deactivated.  Did you reboot after making the change?

simonchs
Re: DMZ and FTP Out
« Reply #9 on: December 03, 2005, 02:26:40 pm »
> Then the FTP helper isn't being deactivated.  Did you reboot after making the change?

yes, had to reboot both pfsense and the server after making the change.

simonchs
Re: DMZ and FTP Out
« Reply #10 on: December 28, 2005, 09:53:38 pm »
upgraded to BETA-1, and this problem still exists.


hoba
Re: DMZ and FTP Out
« Reply #11 on: December 29, 2005, 04:37:41 am »
As you upgraded, can you try again with a fresh install and a from scratch recreated config without importing?

simonchs
Re: DMZ and FTP Out
« Reply #12 on: January 15, 2006, 07:37:31 pm »
problem fixed after upgrade to 1.0-PREBETA2-BUG-VALIDATION-EDITION3
thank you!  ;D

simonchs
Re: DMZ and FTP Out
« Reply #13 on: January 15, 2006, 08:43:10 pm »
oh no...
the problem hadn't come up because the new option "Enable Filtering Bridge" was not checked; if I check this option, the problem comes back...

tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56357 CLOSED:SYN_SENT
tcp 127.0.0.1:8022 <- ftp.server.ip:21 <- ip.under.opt1:56360 CLOSED:SYN_SENT


sullrich
Re: DMZ and FTP Out
« Reply #14 on: January 15, 2006, 10:18:12 pm »
Add the rules to allow ftp to talk to localhost.
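
Added example, not part of the thread and not pfSense code: a small Python filter for state-table text in the format quoted above, listing redirects to the local FTP proxy whose handshake never got past the first SYN (CLOSED:SYN_SENT). The sample lines are constructed, and the function names and the 8021 port on the healthy line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the state lines quoted in the thread.
# Addresses are documentation ranges; port 8021 on the first line is an assumption.
SAMPLE_STATES = """\
self tcp 127.0.0.1:8021 <- 198.51.100.10:21 <- 192.168.1.20:40122    ESTABLISHED:ESTABLISHED
self tcp 127.0.0.1:8022 <- 198.51.100.10:21 <- 203.0.113.100:40899    CLOSED:SYN_SENT
tcp 127.0.0.1:8022 <- 198.51.100.10:21 <- 203.0.113.100:56357 CLOSED:SYN_SENT
self tcp 192.168.1.20:51000 -> 198.51.100.10:80    ESTABLISHED:ESTABLISHED
"""

# [iface] proto  redirect-target <- original-destination <- source  STATE:STATE
STATE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?(?P<proto>tcp|udp)\s+"
    r"(?P<redir>\S+):(?P<rport>\d+)\s+<-\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+<-\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<state>[A-Z0-9_]+:[A-Z0-9_]+)$"
)

def stalled_proxy_redirects(text, proxy_host="127.0.0.1"):
    """Return states redirected to proxy_host that only ever saw a SYN."""
    hits = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["redir"] != proxy_host:
            continue  # not a redirected state, or not aimed at the proxy
        if set(m["state"].split(":")) == {"CLOSED", "SYN_SENT"}:
            hits.append({
                "proxy_port": int(m["rport"]),
                "server": f'{m["dst"]}:{m["dport"]}',
                "client": m["src"],
                "client_port": int(m["sport"]),
            })
    return hits

def clients_by_proxy_port(hits):
    """Group stalled clients by the proxy port they were redirected to."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["proxy_port"]].add(h["client"])
    return {port: sorted(c) for port, c in grouped.items()}

if __name__ == "__main__":
    stalled = stalled_proxy_redirects(SAMPLE_STATES)
    for port, clients in clients_by_proxy_port(stalled).items():
        print(f"proxy port {port}: no handshake for {', '.join(clients)}")
```

Stalled entries for one interface's proxy port while other interfaces connect normally narrow the fault to traffic reaching the proxy listener on localhost, which is where the last reply in the thread points.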