
Author Topic: FTP Proxy / Nat dependency Bug  (Read 8694 times)


timb0311
Re: FTP Proxy / Nat dependency Bug
« Reply #15 on: September 02, 2006, 04:51:02 pm »
To me deleting the FTP port forward makes sense.  The ftp proxy resides on the loopback address and it is responsible for passing ALL communication to and from the backend ftp server and handling IP translations.  With the port forward still in place it is trying to bypass the ftp proxy, and my guess is IP addresses are not getting translated for the passive client.

sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #16 on: September 02, 2006, 04:53:15 pm »
That is not correct.  The FTP proxy listens on the public ip address and automatically adds port forwards to punch holes in the firewall.

It does not listen on loopback or have anything to do with loopback in this case.  Furthermore, when pfSense detects that an item is being forwarded to port 21 and the helper is on, it does not install a pf rdr rule and starts pftpx to listen on the public address, pointing back to the internal ip of the ftp server.

Really not sure why your setup doesn't work, but I've tested this and Holger has tested and tested again, and at this point, if it doesn't work, maybe you should look at using a different firewall, as there is nothing else that I can do at this point.

Sorry.

timb0311
Re: FTP Proxy / Nat dependency Bug
« Reply #17 on: September 05, 2006, 04:08:01 pm »
The fix quits working after 4-5 days anyway... proxy shuts down.

If the loopback has nothing to do with it, then why are there rules with the loopback address for the dmz (sis2) and lan (sis1) interfaces for ftp traffic:

$ pfctl -s rules | grep ftp
anchor "ftpsesame/*" all
pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
anchor "ftpproxy" all
anchor "pftpx/*" all
pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
pass in quick on sis0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: NAT WAN --> FTP Server"

Another thing that doesn't make sense with your explanation.  The firewall NAT is set up to forward from wan to the dmz host on port 21.  Then you have the ftp proxy listening on the wan and forwarding to the dmz host on port 21.  Seems like a conflict to me.

I would still like you to post or email a working xml config.  If you say you have a working config then you will not mind sharing.  And there must be something not the same in our configs.


sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #18 on: September 05, 2006, 04:13:11 pm »
> The fix quits working after 4-5 days anyway... proxy shuts down.
>
> If the loopback has nothing to do with it, then why are there rules with the loopback address for the dmz (sis2) and lan (sis1) interfaces for ftp traffic:
>
> $ pfctl -s rules | grep ftp
> anchor "ftpsesame/*" all
> pass in quick on sis2 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
> anchor "ftpproxy" all
> anchor "pftpx/*" all
> pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
> pass in quick on sis0 inet proto tcp from any port = ftp-data to (sis0) port > 49000 user = 62 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
> pass in quick on sis0 inet proto tcp from any to 10.0.x.180 port = ftp keep state label "USER_RULE: NAT WAN --> FTP Server"
> pass in quick on sis0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE: NAT WAN --> FTP Server"

These are *OUTGOING* FTP.  LAN -> WAN.  Nothing to do with WAN -> LAN.  The last 2 allow the traffic that has been rdr'd by the pftpx helper.

> Another thing that doesn't make sense with your explanation.  The firewall NAT is set up to forward from wan to the dmz host on port 21.  Then you have the ftp proxy listening on the wan and forwarding to the dmz host on port 21.  Seems like a conflict to me.

Read the pftpx code before you make these accusations, please.

> I would still like you to post or email a working xml config.  If you say you have a working config then you will not mind sharing.  And there must be something not the same in our configs.

I will set it up one more time and send config.xml, but this is a complete waste of my time quite frankly; I've already spent 7+ hours on this issue for you.
« Last Edit: September 05, 2006, 04:54:05 pm by sullrich »

hoba
Re: FTP Proxy / Nat dependency Bug
« Reply #19 on: September 05, 2006, 04:15:34 pm »
Not counting my time  ;)

And I described my setup to you in detail, starting from a vanilla install. There is no special mystical config that you need. A few simple steps, as I described, and it works.

sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #20 on: September 05, 2006, 04:49:24 pm »
Okay, here's the config.xml.   I initially forgot that interfaces -> wan -> disable ftp helper was not checked and panicked, but after that it sprang to life as it should have:

<?xml version="1.0"?>
<pfsense>
   <version>2.3</version>
   <lastchange/>
   <theme>metallic</theme>
   <system>
      <optimization>normal</optimization>
      <hostname>pfSense</hostname>
      <domain>local</domain>
      <dnsserver/>
      <dnsallowoverride/>
      <username>admin</username>
      <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
      <timezone>Etc/UTC</timezone>
      <time-update-interval>300</time-update-interval>
      <timeservers>pool.ntp.org</timeservers>
      <webgui>
         <protocol>http</protocol>
         <certificate/>
         <private-key/>
      </webgui>
      <disablenatreflection>yes</disablenatreflection>
      <enablesshd>yes</enablesshd>
      <ssh>
         <port/>
      </ssh>
      <maximumstates/>
   </system>
   <interfaces>
      <lan>
         <if>le0</if>
         <ipaddr>192.168.1.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
         <bandwidth>100</bandwidth>
         <bandwidthtype>Mb</bandwidthtype>
      </lan>
      <wan>
         <if>le1</if>
         <mtu/>
         <media/>
         <mediaopt/>
         <bandwidth>100</bandwidth>
         <bandwidthtype>Mb</bandwidthtype>
         <spoofmac/>
         <ipaddr>dhcp</ipaddr>
         <dhcphostname/>
      </wan>
   </interfaces>
   <staticroutes/>
   <pppoe/>
   <pptp/>
   <bigpond/>
   <dyndns>
      <type>dyndns</type>
      <username/>
      <password/>
      <host/>
      <mx/>
   </dyndns>
   <dhcpd>
      <lan>
         <enable/>
         <range>
            <from>192.168.1.100</from>
            <to>192.168.1.199</to>
         </range>
      </lan>
   </dhcpd>
   <pptpd>
      <mode/>
      <redir/>
      <localip/>
      <remoteip/>
   </pptpd>
   <ovpn/>
   <dnsmasq>
      <enable/>
   </dnsmasq>
   <snmpd>
      <syslocation/>
      <syscontact/>
      <rocommunity>public</rocommunity>
   </snmpd>
   <diag>
      <ipv6nat/>
   </diag>
   <bridge/>
   <syslog/>
   <nat>
      <ipsecpassthru>
         <enable/>
      </ipsecpassthru>
      <rule>
         <protocol>tcp</protocol>
         <external-port>21</external-port>
         <target>192.168.1.69</target>
         <local-port>21</local-port>
         <interface>wan</interface>
         <descr>FTP</descr>
      </rule>
   </nat>
   <filter>
      <rule>
         <type>pass</type>
         <descr>Default LAN -&gt; any</descr>
         <interface>lan</interface>
         <source>
            <network>lan</network>
         </source>
         <destination>
            <any/>
         </destination>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <address>192.168.1.69</address>
            <port>21</port>
         </destination>
         <descr>NAT FTP</descr>
      </rule>
      <rule>
         <interface>wan</interface>
         <protocol>tcp</protocol>
         <source>
            <any/>
         </source>
         <destination>
            <network>wanip</network>
            <port>21</port>
         </destination>
         <descr>NAT FTP</descr>
      </rule>
   </filter>
   <ipsec>
      <preferredoldsa/>
   </ipsec>
   <aliases/>
   <proxyarp/>
   <wol/>
   <installedpackages/>
   <revision>
      <description>/interfaces_wan.php made unknown change</description>
      <time>1157493006</time>
   </revision>
</pfsense>

timb0311
Re: FTP Proxy / Nat dependency Bug
« Reply #21 on: September 05, 2006, 10:04:53 pm »
Ok, good, here is the problem, after comparing configs, which we should have done a long time ago.  It would have saved us both lots of testing hours.

<disablenatreflection>yes</disablenatreflection> which maps to System > Advanced > Disable NAT Reflection > checked.

I had this unchecked, so I could access our websites running on the dmz from the lan using their public dns names.  With this unchecked, it causes the problem with the ftp.  With it checked, it works fine.

So my next question is how can I get these to work together so I can access the websites from the lan?

sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #22 on: September 05, 2006, 10:10:02 pm »
Interesting.   I suppose we will want to ignore reflection entries for port 21.   I will check into it.
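The interaction the last two replies describe (with the helper on, a forward to port 21 gets no rdr because pftpx takes it over; with NAT reflection on, a reflection entry for port 21 is generated as well and competes with pftpx; the fix is to skip reflection for port 21), worked through as an added Python example. This is not code from this thread or from pfSense's filter.inc: it parses a config.xml in the shape posted above (a constructed, shortened sample with hypothetical hosts), and `parse_config`, `plan_redirects` and the rule strings it emits are a simplified model of the behaviour described here, not pfSense's real rule output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the config.xml posted in this thread
# (hypothetical hosts; the real file carries many more elements).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <disablenatreflection>yes</disablenatreflection>
  </system>
  <interfaces>
    <lan><if>le0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>le1</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
  <nat>
    <rule>
      <protocol>tcp</protocol><external-port>21</external-port>
      <target>192.168.1.69</target><local-port>21</local-port>
      <interface>wan</interface><descr>FTP</descr>
    </rule>
    <rule>
      <protocol>tcp</protocol><external-port>80</external-port>
      <target>192.168.1.70</target><local-port>80</local-port>
      <interface>wan</interface><descr>WWW</descr>
    </rule>
  </nat>
</pfsense>
"""


def parse_config(xml_text):
    """Pull the parts the redirect planner needs out of a pfSense-style config."""
    root = ET.fromstring(xml_text)
    # pfSense records a checked box as the bare presence of the element.
    reflection_disabled = root.find("system/disablenatreflection") is not None
    ifaces = {iface.tag: iface.findtext("if") for iface in root.find("interfaces")}
    nat_rules = []
    for rule in root.findall("nat/rule"):
        nat_rules.append({
            "proto": rule.findtext("protocol"),
            "ext_port": int(rule.findtext("external-port")),
            "local_port": int(rule.findtext("local-port")),
            "target": rule.findtext("target"),
            "interface": rule.findtext("interface"),
            "descr": rule.findtext("descr", ""),
        })
    return {"reflection_disabled": reflection_disabled,
            "ifaces": ifaces, "nat_rules": nat_rules}


def plan_redirects(xml_text, ftp_helper=True, skip_ftp_reflection=True):
    """Decide what to install for each port forward (simplified model, not filter.inc).

    Returns (rdr_rules, helper_entries, notes):
      * with the FTP helper on, a tcp forward to port 21 gets no rdr; pftpx
        listens on the public address and relays to the internal server;
      * with NAT reflection on, every other forward also gets an rdr on each
        internal interface so LAN hosts can reach it via the public address;
      * skip_ftp_reflection is the fix from this thread: drop the reflection
        entry for port 21, which otherwise competes with pftpx.
    """
    cfg = parse_config(xml_text)
    rdr, helper, notes = [], [], []
    for r in cfg["nat_rules"]:
        ext_if = cfg["ifaces"][r["interface"]]
        forward = f"{r['target']} port {r['local_port']}"
        is_ftp = r["proto"] == "tcp" and r["ext_port"] == 21
        if is_ftp and ftp_helper:
            helper.append(f"pftpx on ({ext_if}) port 21 -> {forward}")
        else:
            rdr.append(f"rdr on {ext_if} proto {r['proto']} from any "
                       f"to ({ext_if}) port {r['ext_port']} -> {forward}")
        if cfg["reflection_disabled"]:
            continue
        if is_ftp and ftp_helper:
            if skip_ftp_reflection:
                notes.append(f"port 21 on {ext_if}: reflection entry skipped, pftpx owns it")
                continue
            notes.append(f"port 21 on {ext_if}: reflection entry conflicts with pftpx")
        for name, int_if in cfg["ifaces"].items():
            if name == r["interface"]:
                continue  # reflection is only added on the internal interfaces
            rdr.append(f"rdr on {int_if} proto {r['proto']} from any "
                       f"to ({ext_if}) port {r['ext_port']} -> {forward}")
    return rdr, helper, notes


if __name__ == "__main__":
    # Same config with the reflection box unchecked, as timb0311 had it.
    reflective = SAMPLE_CONFIG.replace(
        "<disablenatreflection>yes</disablenatreflection>", "")
    for label, cfg_text in (("reflection off", SAMPLE_CONFIG), ("reflection on", reflective)):
        rules, helper, notes = plan_redirects(cfg_text)
        print(f"== {label} ==")
        for line in rules + helper + notes:
            print(" ", line)
```

Running it with reflection off gives one rdr for port 80 and a pftpx entry for port 21; with reflection on, port 80 additionally gets a reflection rdr on le0 while port 21 gets a note instead of a second rdr. Passing `skip_ftp_reflection=False` reproduces the conflicting state the thread found.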

timb0311
Re: FTP Proxy / Nat dependency Bug
« Reply #23 on: September 05, 2006, 10:13:27 pm »
Ok let me know what you find out.

sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #24 on: September 05, 2006, 10:16:03 pm »
Please replace /etc/inc/filter.inc with http://www.pfsense.com/~sullrich/filter.inc using diagnostics -> edit file.

Then run /etc/rc.filter_configure from diagnostics -> command prompt.

Hopefully the reflection entries for port 21 will be gone now.

timb0311
Re: FTP Proxy / Nat dependency Bug
« Reply #25 on: September 05, 2006, 10:34:44 pm »
That seemed to fix it.

sullrich
Re: FTP Proxy / Nat dependency Bug
« Reply #26 on: September 05, 2006, 10:35:18 pm »
Yay!

I'll commit.  Thanks for testing.

rsw686
Re: FTP Proxy / Nat dependency Bug
« Reply #27 on: September 06, 2006, 08:00:21 am »
Thanks for fixing this!! I also had problems with FTP previously and had disable nat reflection unchecked. After replacing filter.inc, ftp works. timb0311, good catch about the nat reflection.

When you say you committed it, I am assuming this will be included in the next release after RC2i.
« Last Edit: September 06, 2006, 08:56:35 am by rsw686 »

hoba
Re: FTP Proxy / Nat dependency Bug
« Reply #28 on: September 07, 2006, 04:14:52 pm »
It already is included in the latest snapshots: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/