There is also extended passive, which is much better than old standard passive 
as it is IPv6-friendly and less likely to get wrongly proxied.  So different 
clients from the same network to the same server may negotiate differently and 
present different results.

The next step would be to grab traffic and figure out where the data is trying 
to go.  Or use SFTP, as that is a single-stream secure solution.

        ED.


> On 2016, Feb 11, at 2:55 PM, Steve Yates <[email protected]> wrote:
> 
> J. Echter wrote on Thu, Feb 11 2016 at 1:25 pm:
> 
>> But, I can't use it as I get errors like 'no data', error 227 'entering
>> passive mode' and so on.
> 
>       So the FTP client is in your location and the FTP server is somewhere 
> on the Internet?  We've not had any issues with that under pfSense 2.x, and 
> specifically 2.2.x for Kevin.  I looked at the link he posted and I'm 
> guessing you are hitting this:
> 
> "Passive mode on the client will require access to random/high ports 
> outbound, which could run afoul of a strict outbound ruleset. Environments 
> with a security policy that requires strict outbound firewall rules likely 
> would not be using FTP anyhow, as it transmits credentials without 
> encryption."
> 
> In other words if you are allowing port 21 outbound but blocking outbound 
> ports over 1000, that would allow the initial connection and then fail on the 
> data connection(s).  The FTP server would tell the client what port to use 
> for the data connection but then the client is blocked by the firewall.  Try 
> (in Status: System logs: Settings) setting your firewall log to "Log packets 
> matched from the default block rules put in the ruleset" and see if that 
> shows the block in your firewall log.  And just to over-clarify, it is the 
> FTP server that tells the client what port to use, so you can't control that 
> unless you control the FTP server.
> 
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> 
> 
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
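
An added example, not part of the original messages: a small Python diagnostic that parses the server's 227 (PASV) or 229 (EPSV) reply to find the data port the client is told to use, then checks it against an outbound allow list. The ruleset, addresses and reply lines are constructed for illustration, and `diagnose` and its field names are hypothetical.

```python
import re

# Constructed strict outbound policy: allowed destination TCP port ranges.
ALLOWED_OUTBOUND = [(21, 21), (80, 80), (443, 443)]

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def parse_data_endpoint(reply, control_host):
    """Return the (host, port) the server told the client to use for data."""
    if reply.startswith("227"):
        # RFC 959 PASV: (h1,h2,h3,h4,p1,p2), port = p1 * 256 + p2
        m = PASV_RE.search(reply)
        if not m:
            raise ValueError("malformed 227 reply")
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            raise ValueError("octet out of range in 227 reply")
        return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]
    if reply.startswith("229"):
        # RFC 2428 EPSV: (|||port|), no address, so the control peer is reused
        m = EPSV_RE.search(reply)
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError("malformed 229 reply")
        return control_host, int(m.group(2))
    raise ValueError("not a passive-mode reply")


def outbound_allowed(port, rules=ALLOWED_OUTBOUND):
    return any(lo <= port <= hi for lo, hi in rules)


def diagnose(reply, control_host, rules=ALLOWED_OUTBOUND):
    """Summarise whether the data connection can get out through the ruleset."""
    host, port = parse_data_endpoint(reply, control_host)
    return {
        "data_host": host,
        "data_port": port,
        "blocked_outbound": not outbound_allowed(port, rules),
        # Heuristic: a 227 address unlike the control peer hints at NAT or a proxy rewrite.
        "host_mismatch": host != control_host,
    }


if __name__ == "__main__":
    # Constructed replies (documentation addresses), not taken from the thread.
    for line in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                 "227 Entering Passive Mode (192,168,1,5,4,1)",
                 "229 Entering Extended Passive Mode (|||6446|)"):
        print(line, "->", diagnose(line, "203.0.113.10"))
```

A `blocked_outbound` result of true for a port the server chose matches the symptom described above: the control connection on port 21 succeeds and the data connection fails.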
