FTP Proxy

[franco]

Thanks again to Frank for his work. We merged the code, improving a few things in core.git in order to make the plugin (and others) more flexible in the future and will likely release it in a 16.7.x, but not yet sure which one it'll be.


Cheers,
Franco

[soernt.poppe]

Hi there,

I really appreciate the effort faunsen has done with this Plug-In!

I would like to see that Plug-In within the next 16.7.X release.

Cheers,
Sörnt

[franco]

It was released some minutes ago along with 16.7.8.

And I agree, great work by Faunsen.

I heard he is already working on the next one...

[soernt.poppe]

Great!

Just update to "16.7.8-amd64" without any issues - wounderfull!
And installed the "os-ftp-proxy" PlugIn.

This is my network setup, I want to get an FTP-Connection from my Workstation to the FTP-Server:

Workstation         OPNsense                    FritzBox (Modem/Router)   FTP-Server

                   *-------------------------*  *----------------------*  *---------------*
                   | WAN Fix: 192.168.180.50 |  | WAN: Dyn. IP by ISP  |  | 85.214.41.254 | 
*---------------*  | LAN    : 192.168.1.1    |  | LAN: 192.168.180.1   |  *---------------*
| 192.168.10.50 |  | VLAN10 : 192.168.10.1   |  *----------------------*
*---------------*  *-------------------------*


I am not sure what I need to enter in the fields for a new FTP-Proxy-Server:

Listen address: 127.0.0.1 (preconfigured)
Source address: ?
Reverse address: ?
Reverse port   : 21 (preconfigured)

Can someone help me here please?

Regards,
Sörnt

[faunsen]

Hi Sörnt,

simply use the defaults.

And have look at the FTP Proxy Howto 


Kind regards
Frank

[soernt.poppe]

Hi Frank,

no, leaving the defaults and setting up the NAT Portforwarding as in your How-To, is not working for me.

I guess, the FritzBox may be the problem.

I just configured at the FritzBox the so called "Exposed Host" to target the OPNsense Box (192.180.50).
The FritzBox will forward all incomming traffic to the OPNsense box. That didn't help either.

This is what the FTP-Client is telling me, if I try to open, list and transfer a file

"The authentification is successfull...." but than later...
.
.
MLSD
PORT failed, try PASV mode!
PASV
TYPE I
299 Type set to I.
PASV
227 Entering Passive Mode (85,214,41,245,245,238)
PORT 192,168,10,10,218,6
2000 Port command succesfull
STOR IMG_4711.JPG     <- Try to transfer an jpg - file.
425 Cannot open data connection.


This is what the FTP-Server is telling me:

[TIME] new connection from XXXXX on 85.214.41.254:21
[TIME] hostname resolved : dyndsl-XXXXXX.ewe-ip-backbone.de
[TIME] sending welcome message.
[TIME] 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
[TIME] USER userXYZ
[TIME] userXYZ, 331 Password required for userXYZ.
[TIME] userXYZ, PASS ****
[TIME] userXYZ, logged in as "userXYZ".
[TIME] userXYZ, 230 User userXYZ logged in.
[TIME] userXYZ, SYST
[TIME] userXYZ, 215 UNIX Type: L8
[TIME] userXYZ, FEAT
[TIME] userXYZ, 211-Extensions supported:
[TIME] userXYZ,  AUTH TLS
[TIME] userXYZ,  CCC
[TIME] userXYZ,  CLNT
[TIME] userXYZ,  CPSV
[TIME] userXYZ,  EPRT
[TIME] userXYZ,  EPSV
[TIME] userXYZ,  MDTM
[TIME] userXYZ,  MFCT
[TIME] userXYZ,  MFMT
[TIME] userXYZ,  MLST type*;size*;create;modify*;
[TIME] userXYZ,  MODE Z
[TIME] userXYZ,  PASV
[TIME] userXYZ,  PBSZ
[TIME] userXYZ,  PROT
[TIME] userXYZ,  REST STREAM
[TIME] userXYZ,  SIZE
[TIME] userXYZ,  SSCN
[TIME] userXYZ,  TVFS
[TIME] userXYZ,  UTF8
[TIME] userXYZ,  XCRC "filename" SP EP
[TIME] userXYZ,  XMD5 "filename" SP EP
[TIME] userXYZ,  XSHA1 "filename" SP EP
[TIME] userXYZ, 211 End.
[TIME] userXYZ, CLNT Total Commander (UTF-8)
[TIME] userXYZ, 200 Noted.
[TIME] userXYZ, OPTS UTF8 ON
[TIME] userXYZ, 200 UTF8 OPTS ON
[TIME] userXYZ, PWD
[TIME] userXYZ, 257 "/" is current directory.
[TIME] userXYZ, TYPE A
[TIME] userXYZ, 200 Type set to A.
[TIME] userXYZ, MODE Z
[TIME] userXYZ, 200 Mode Z ok.
[TIME] userXYZ, PORT 91,96,35,57,217,235
[TIME] userXYZ, 200 Port command successful.
[TIME] userXYZ, MLSD
[TIME] userXYZ, 425 Cannot open data connection.
[TIME] userXYZ, PASV
[TIME] userXYZ, 227 Entering Passive Mode (85,214,41,254,227,226)
[TIME] userXYZ, STOR IMG_1693.JPG
[TIME] userXYZ, asked to upload '/IMG_4711.JPG' -> 'D:\IMG_4711.JPG' resuming at 0 --> Access allowed.
[TIME] userXYZ, 425 Cannot open data connection. 
[TIME] userXYZ, TYPE A
[TIME] userXYZ, 200 Type set to A.
[TIME] userXYZ, PORT 91,96,35,57,218,8
[TIME] userXYZ, 200 Port command successful.
[TIME] userXYZ, MLSD
[TIME] userXYZ, 425 Cannot open data connection.
[TIME] userXYZ, PASV
[TIME] userXYZ, 227 Entering Passive Mode (85,214,41,254,45,46)
[TIME] userXYZ, 421 Connection closed, timed out.
[TIME] userXYZ, disconnected. (00d00:05:01)

If i connect my Workstation via LAN to the FritzBox, I have no issues.
Can you please guide me here to get FTP working?

Kind regards,
Sörnt

[faunsen]

The server output looks ok.
Fritz is at 91.96.35.57 and the server at 85.214.41.254.

Ok, we need some more diagnostic here.

Please add a proxy listening on port 8022 (we need it to keep the anchors in the ruleset).
Then stop the proxy on 8021.
Connect the OPNsense Box via ssh and open a shell.

Test the existence of the anchors
# grep ftp-proxy /tmp/rules.debug

The output should look like this
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"

Then start the 8021 proxy in debug mode
# /usr/sbin/ftp-proxy -b 127.0.0.1 -p 8021 -D 7 -d

Now start a FTP session and post the output of the proxy together with the server log.
Take care of your passwords in the output.

[franco]

Careful: if no service is running (stopped) the anchors are removed and can't be found like suggested.

Edit: Frank took care of that, sorry. Just to reiterate: a proxy must be running to get an effective reading.

[soernt.poppe]

Hi Frank,

It is working fine here now. That was stupid mistake on my side

My workstation is at the VLAN Interface, and I just blindly followed the HowTo. I need to use the VLAN Interface and not the LAN Interface to configure the Port Forwarding *facepalm*

I woundered why I didn't see any output of the debug proxy at the console, I changed the switch ports to the LAN Interface and et voilà I got some output and the FTP-Client was working....

Thank you for your help and this wounderfull Plug-In!

Kind regards,
Sörnt

[faunsen]

Cool, again what learned