Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
How to setup FTP port forward ?
« previous
next »
Print
Pages: [
1
]
Author
Topic: How to setup FTP port forward ? (Read 14135 times)
jjonsson
Newbie
Posts: 7
Karma: 0
How to setup FTP port forward ?
«
on:
March 01, 2017, 11:49:59 am »
I need to access a FTP server behind the opnsense firewall from the Internet (Reverse FTP proxy ?)
Googling gives me these:
https://forum.opnsense.org/index.php?topic=3956.0
https://forum.opnsense.org/index.php?topic=3868.0
But the don't look at all like my interface. I'm running OPNsense v17.1.2-amd64
Any help appreciated...
Logged
faunsen
Full Member
Posts: 102
Karma: 17
Re: How to setup FTP port forward ?
«
Reply #1 on:
March 02, 2017, 09:02:32 am »
Yes, you need a "Reverse FTP Proxy" to do that.
What exactly is the problem?
Logged
jjonsson
Newbie
Posts: 7
Karma: 0
Re: How to setup FTP port forward ?
«
Reply #2 on:
March 02, 2017, 11:54:07 pm »
The problem is I don't know how to setup reverse-proxy. Those pictures on the link doesn't look like anything I can find i the interface.
So how do I setup a reverse-proxy for FTP on newest version ?
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: How to setup FTP port forward ?
«
Reply #3 on:
March 03, 2017, 06:23:58 am »
HAProxy may be able to do this? Make sure to open the relevant ports and I don't know of it's easily configurable in the plugin yet. FWIW, here's a hopefully relevant document that you can use to match the HAproxy plugin settings against:
http://www.taitclarridge.com/techlog/2012/09/ftp-load-balanced-through-haproxy.html
Cheers,
Franco
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: How to setup FTP port forward ?
«
Reply #4 on:
March 03, 2017, 07:55:00 am »
ftp-proxy is able to run in reverse proxy mode. However Reverse Proxy mode may not be available in the GUI from the plugin.
Kind regards
Fabian
Logged
faunsen
Full Member
Posts: 102
Karma: 17
Re: How to setup FTP port forward ?
«
Reply #5 on:
March 03, 2017, 09:02:56 am »
OK, maybe the documentation doesn't explain it clear enough.
Make sure you have installed the os-ftp-proxy plugin. See
System->Firmware->Plugins
.
Reload the page if the
FTP Proxy
item doesn't appear in the
Services
Menu after install.
In
Services->FTP Proxy
click the
+
button at bottom right, underneath the table to add a new ftp-proxy.
Now the
Edit Proxy
dialog should open and you can create the proxy as described in the documentation section
Reverse FTP Proxy
.
Does this procedure work?
If not which step fails?
Frank
Logged
jjonsson
Newbie
Posts: 7
Karma: 0
Re: How to setup FTP port forward ?
«
Reply #6 on:
March 06, 2017, 01:38:23 pm »
It seems to work now. Question is though, how do I get FTP TLS to work ?
This is what my client says:
Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 13:18. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not connect to server
Any help is appreciated :-)
Logged
faunsen
Full Member
Posts: 102
Karma: 17
Re: How to setup FTP port forward ?
«
Reply #7 on:
March 06, 2017, 01:47:51 pm »
Unfortunately TLS won't work because the encryption happens between the client and the server.
But the ftp proxy needs to know the port commands to create the appropriate firewall rules.
Consider using SFTP instead.
Regards,
Frank
Logged
djGrrr
Full Member
Posts: 112
Karma: 22
Re: How to setup FTP port forward ?
«
Reply #8 on:
March 06, 2017, 02:44:00 pm »
I have a question here, why use an FTP proxy at all, can you not just use passive mode?
Logged
faunsen
Full Member
Posts: 102
Karma: 17
Re: How to setup FTP port forward ?
«
Reply #9 on:
March 06, 2017, 02:56:29 pm »
Yes, this would work but it's unsafe.
You need to open a port range to your ftp server without a relation to an existing ftp command connection.
These ports are always open regardless if a ftp connection exists or not or what services listen on these ports on the ftp server.
Logged
djGrrr
Full Member
Posts: 112
Karma: 22
Re: How to setup FTP port forward ?
«
Reply #10 on:
March 07, 2017, 12:41:43 am »
Sure, but you can typically specify the port range to use for passive connections, which you could limit to a relatively small range. Also, depending on the OS and firewall in use, you may be able to restrict the user who can listen on said ports (to the ftp deamon's user), or even the executable.
Logged
faunsen
Full Member
Posts: 102
Karma: 17
Re: How to setup FTP port forward ?
«
Reply #11 on:
March 07, 2017, 08:54:34 am »
... or you can use SELinux or whatever.
But then I wonder for what reason the firewall was installed?
If you do all these security measures why not simply put the ftp server to a DMZ?
Logged
djGrrr
Full Member
Posts: 112
Karma: 22
Re: How to setup FTP port forward ?
«
Reply #12 on:
March 07, 2017, 03:27:33 pm »
I am just trying to give a solution that will work without really risking security. ftp-proxy does not support tls, because it needs to be able to see the PASV commands to open the ports automatically. Any other solution I could find, such as proftpd + mod_proxy, while it does support SSL/TLS connections, it does not open ports in the firewall automatically, which means you'd at the very least be left with ports on the firewall that are always open.
There is no way to support active/PORT connections for clients through a firewall if TLS is used.
«
Last Edit: March 07, 2017, 03:53:12 pm by djGrrr
»
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: How to setup FTP port forward ?
«
Reply #13 on:
March 07, 2017, 03:52:03 pm »
It is possible but the FTP-Proxy must be the software implementing the StartTLS connection. That would mean that TLS would be terminated on the firewall. I do not think, that ftp-proxy can do that.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
How to setup FTP port forward ?