OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Nacho on August 12, 2017, 01:25:16 pm

Title: FTP reverse proxy TLS?
Post by: Nacho on August 12, 2017, 01:25:16 pm
Hi,

I've set up a FileZilla FTP server on Windows, set up TLS authentication and tested this on the local network; all is working fine.
Then I configured the OPNsense (17.7) proxy-ftp module according to the tutorial here: https://forum.opnsense.org/index.php?topic=3868.0 and tested from outside the local network; I can connect and I receive the welcome banner, but then I get the following error:
Code:
Command: AUTH TLS
Response: 234 Using authentication type TLS
Status:      Initializing TLS...
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Error:        Could not connect to server

When I disable TLS on the server I can connect fine through the proxy but somehow the TLS authentication fails. Am I missing something in my configuration, or would this not be supported?

A bit more detailed logging from the client:
Code:
Trace:        CFtpLogonOpData::ParseResponse() in state 1
Trace:        CControlSocket::SendNextCommand()
Trace:        CFtpLogonOpData::Send() in state 2
Command: AUTH TLS
Trace:        CFtpControlSocket::OnReceive()
Response: 234 Using authentication type TLS
Trace:        CFtpLogonOpData::ParseResponse() in state 2
Status:      Initializing TLS...
Trace:        CTlsSocketImpl::Handshake()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        TLS handshake: About to send CLIENT HELLO
Trace:        TLS handshake: Sent CLIENT HELLO
Trace:        CTlsSocketImpl::OnSend()
Trace:        CTlsSocketImpl::OnRead()
Trace:        CTlsSocketImpl::ContinueHandshake()
Trace:        CTlsSocketImpl::Failure(-110)
Error:        GnuTLS error -110: The TLS connection was non-properly terminated.
Status:      Server did not properly shut down TLS connection
Trace:        CRealControlSocket::OnClose(53)
Trace:        CRealControlSocket::DoClose(66)
Trace:        CControlSocket::DoClose(66)
Trace:        CFtpControlSocket::ResetOperation(66)
Trace:        CControlSocket::ResetOperation(66)
Error:        Could not connect to server
Trace:        CFileZillaEnginePrivate::ResetOperation(66)

Title: Re: FTP reverse proxy TLS?
Post by: fabian on August 12, 2017, 03:04:02 pm
Long story short: the plugin has no idea which port should be opened for the data connection, and the connection is attempted against a closed port.
Title: Re: FTP reverse proxy TLS?
Post by: Nacho on August 12, 2017, 03:57:24 pm
Hi Fabian,

Thanks for your reply.
Is there any workaround to make this work? Or will this never work through a NAT?
Title: Re: FTP reverse proxy TLS?
Post by: fabian on August 12, 2017, 05:50:12 pm
It will never work through NAT as long as the server does not terminate TLS so the port numbers can be read.

What you can eventually do is limit the FTP server to a port range and forward this port range to the server.
For example, forward 100 ports to the FTP server.

vsftpd has the settings pasv_max_port and pasv_min_port [1]. So you may use 10000 up to 10100. Note that this is bad security practice, as it does not check whether these connections belong to an FTP control connection, which means that the server can open any port and everything is allowed.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-ftp-vsftpd-conf.html
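As an added illustration of the point made in this reply (not code from the OPNsense proxy-ftp plugin or from vsftpd): a stateful FTP helper on a firewall learns the data port by reading the server's cleartext `227`/`229` passive-mode reply and opens a one-shot pinhole for exactly that port. Once the control channel is protected by TLS, the helper only sees ciphertext, learns nothing, and the data connection hits a closed port. The static port-range forward suggested above works without reading anything, but, as noted, it is not tied to any control session. The helper class, the `static_range_allows` check and all sample lines are constructed for this example; the TLS record bytes are a made-up sample, not a real capture.

```python
import re
from typing import Optional, Set, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 extended passive reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) announced by a cleartext PASV/EPSV reply, or None.

    For EPSV the host is None: the data connection goes to the same address
    as the control connection.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(b > 255 for b in (h1, h2, h3, h4, p1, p2)):
            return None  # malformed: each field is one byte
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        return (None, port) if 1 <= port <= 65535 else None
    return None


class FtpHelper:
    """Simplified stateful FTP helper (hypothetical, not the OPNsense plugin).

    It watches server replies on the control channel and opens a pinhole only
    for a data port the server actually announced, used exactly once.
    """

    def __init__(self) -> None:
        self.expected: Set[int] = set()

    def observe_server_reply(self, raw: bytes) -> Optional[int]:
        """Feed one control-channel segment; return the learned data port or None."""
        try:
            line = raw.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            # Simplification: non-ASCII bytes stand in for a TLS-protected
            # control channel. Real TLS records are opaque; nothing to learn.
            return None
        parsed = parse_passive_reply(line)
        if parsed is None:
            return None
        self.expected.add(parsed[1])
        return parsed[1]

    def allow_data_connection(self, dst_port: int) -> bool:
        """Admit an inbound data connection only if it was announced; one-shot."""
        if dst_port in self.expected:
            self.expected.discard(dst_port)
            return True
        return False


def static_range_allows(dst_port: int, pasv_min: int, pasv_max: int) -> bool:
    """The static forward alternative: a plain range check with no session binding.

    Any connection inside the range is admitted whether or not an FTP control
    session ever announced that port; that is the weakness described above.
    """
    return pasv_min <= dst_port <= pasv_max


# Constructed sample traffic.
CLEARTEXT_PASV = b"227 Entering Passive Mode (192,168,1,10,39,16).\r\n"  # port 10000
CLEARTEXT_EPSV = b"229 Entering Extended Passive Mode (|||10050|)\r\n"
# Made-up bytes shaped like a TLS application-data record header plus payload.
TLS_RECORD = bytes.fromhex("17030300209c41e0b3f2a77d1e5588c0")


def demo() -> dict:
    helper = FtpHelper()
    result = {
        "learned_pasv": helper.observe_server_reply(CLEARTEXT_PASV),
        "learned_tls": helper.observe_server_reply(TLS_RECORD),
    }
    result["first_data_conn"] = helper.allow_data_connection(10000)
    result["replayed_data_conn"] = helper.allow_data_connection(10000)
    result["unannounced_port"] = helper.allow_data_connection(10001)
    # The static range admits 10050 although nobody announced it.
    result["static_unannounced"] = static_range_allows(10050, 10000, 10100)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Reading the helper's output side by side with the static check shows the trade-off this thread describes: the helper can only protect data connections it can read, and TLS on the control channel removes exactly that visibility, while the static range restores connectivity at the cost of admitting any connection in the range.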
Title: Re: FTP reverse proxy TLS?
Post by: Nacho on August 12, 2017, 11:51:40 pm
That makes sense. I guess I'll have to find other options to provide secure access.

Thanks!
Title: Re: FTP reverse proxy TLS?
Post by: fabian on August 13, 2017, 09:10:37 am
SFTP / SCP (both use SSH) could be an option, as well as something web based (like Nextcloud).

EDIT: If it has to be FTP, you can also provide a web FTP server to access your FTP server via HTTPS.