OPNsense


Author Topic: FTP over TLS  (Read 515 times)

klaasth
  • Newbie
  • Posts: 24
  • Karma: 1
FTP over TLS
« on: March 27, 2019, 10:29:00 am »
We use FileZilla to manage our website hosting. The web hosting uses FTP over TLS (see attachment).
I can't get FTP over TLS working on our internal network. I have the following allow rule in our network (see attachment).

Does it mean I have to set up an FTP proxy, as described here: https://forum.opnsense.org/index.php?topic=3868.0


bartjsmit
  • Hero Member
  • Posts: 955
  • Karma: 122
Re: FTP over TLS
« Reply #1 on: March 27, 2019, 11:48:48 am »
Can you try in passive mode? Also try a packet capture on the firewall or the client to confirm that the transfer is using the ports that you think it should be using.

Bart...

klaasth
  • Newbie
  • Posts: 24
  • Karma: 1
Re: FTP over TLS
« Reply #2 on: March 27, 2019, 02:02:33 pm »
bartjsmit, how do you start a packet capture on the firewall? I am using "Firewall" -> "Log Files" -> "Live View", but I don't get any blocked packets.

bartjsmit
  • Hero Member
  • Posts: 955
  • Karma: 122
Re: FTP over TLS
« Reply #3 on: March 27, 2019, 03:08:11 pm »
Interfaces -> Diagnostics -> Packet Capture. You can save the file and comb through it with Wireshark (other packet trace analysers are available).

Bart...

fabian
  • Moderator
  • Hero Member
  • Posts: 2051
  • Karma: 155
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: FTP over TLS
« Reply #4 on: March 27, 2019, 07:04:49 pm »
FTPS will probably never work (unless the FTP proxy can intercept like Squid) because the port is transferred encrypted, so OPNsense cannot add the DNAT rule dynamically.

klaasth
  • Newbie
  • Posts: 24
  • Karma: 1
Re: FTP over TLS
« Reply #5 on: March 28, 2019, 03:18:44 pm »
fabian, thanks for your response.
So what is then the most convenient way to let SFTP through the firewall?

fabian
  • Moderator
  • Hero Member
  • Posts: 2051
  • Karma: 155
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: FTP over TLS
« Reply #6 on: March 28, 2019, 05:38:07 pm »
SFTP runs over SSH, which is easy: TCP/22. The problem is FTPS ("normal" FTP over TLS), which uses a variant of STARTTLS that is not supported by the standard FTP proxy. Maybe there is another proxy out there that does support it, but it must be compatible with FreeBSD.

deZillium
  • Newbie
  • Posts: 47
  • Karma: 9
Re: FTP over TLS
« Reply #7 on: April 02, 2019, 09:56:24 pm »
Active FTP: the client connects to the server, decides on a port to use for the data channel (your log is showing the command-side channel) and connects.
Passive FTP: the client connects to the server, the server tells it "my public IP is XYZ, use port ABC", and your client connects to this for its data channel. This is where everything falls apart in your setup, see below.

That being said: the only way to "easily" punch through a NAT is setting up the FTP server for explicit FTP over TLS (there isn't any other way to use FTP, I don't care what the RFCs say) with a limited port range for the data channel (EDIT:) in passive mode. Your server will need to answer with its "true" public IP and a limited port range that is port forwarded to it. Accessing it from the internal network is a matter of correctly doing the translation (handled by OPNsense, shouldn't be an issue, at least it wasn't in my tests).
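Added illustration (not code from this thread, from OPNsense, or from its FTP proxy plugin): the Python below simulates what a stateful FTP helper on a firewall does with the cleartext control channel, shows why it gets nothing to work with once an explicit FTPS session completes AUTH TLS (fabian's point in replies #4 and #6), and checks a server's PASV reply against the public address and forwarded port range that deZillium's reply #7 says the server must advertise. The address 203.0.113.10, the range 50000-50100, the host name and both transcripts are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical values for the illustration: the hosting server's public
# address and the passive data-port range the firewall forwards to it.
PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = range(50000, 50101)   # 50000-50100 inclusive

# Constructed control-channel transcripts (not captures from the thread),
# interleaving client commands and server replies as seen on TCP/21.
PLAIN_FTP = (
    b"220 ftp.example.net ready\r\n"
    b"USER web\r\n331 Password required\r\n"
    b"PASS secret\r\n230 Logged in\r\n"
    b"PASV\r\n227 Entering Passive Mode (203,0,113,10,195,80)\r\n"
    b"LIST\r\n150 Opening data connection\r\n226 Transfer complete\r\n"
)
FTPS_EXPLICIT = (
    b"220 ftp.example.net ready\r\n"
    b"AUTH TLS\r\n234 Proceed with negotiation\r\n"
    # From here on the control channel carries TLS records: a handshake
    # record header (type 0x16, version 0x0303) followed by opaque bytes.
    b"\x16\x03\x03\x00\x40" + bytes(range(0x40))
)

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and the 227 reply."""
    a, b, c, d, p1, p2 = map(int, groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def extract_pinholes(stream):
    """Walk a control-channel transcript the way a stateful FTP helper does.

    Returns (pinholes, note): the (direction, ip, port) tuples the helper
    would open as dynamic rules, and why it stopped reading.
    """
    pinholes = []
    tls_requested = False
    for line in stream.split(b"\r\n"):
        upper = line.upper()
        if upper.startswith(b"AUTH TLS") or upper.startswith(b"AUTH SSL"):
            tls_requested = True
        elif tls_requested and line.startswith(b"234"):
            # Explicit FTPS: the server accepted the upgrade. Every later
            # PASV/PORT exchange is inside TLS, so there is nothing to parse.
            return pinholes, "control channel upgraded to TLS; data ports are encrypted"
        elif m := PASV_RE.match(line):
            ip, port = _hostport(m.groups())
            pinholes.append(("client->server", ip, port))   # passive mode
        elif m := PORT_RE.match(line):
            ip, port = _hostport(m.groups())
            pinholes.append(("server->client", ip, port))   # active mode
    return pinholes, "control channel stayed in cleartext"


def check_passive_reply(reply, public_ip=PUBLIC_IP, port_range=PASSIVE_RANGE):
    """Check a server's 227 reply against what the firewall actually forwards.

    Returns (ok, ip, port, problems). An RFC 1918 address or a port outside
    the forwarded range means the client's data connection will fail.
    """
    m = PASV_RE.match(reply)
    if not m:
        return False, None, None, ["not a 227 PASV reply"]
    ip, port = _hostport(m.groups())
    problems = []
    if any(ip_address(ip) in net for net in RFC1918):
        problems.append(f"advertised address {ip} is an RFC 1918 address")
    if ip != public_ip:
        problems.append(f"advertised address {ip} is not the forwarded public address {public_ip}")
    if port not in port_range:
        problems.append(f"port {port} is outside the forwarded range "
                        f"{port_range.start}-{port_range.stop - 1}")
    return not problems, ip, port, problems


if __name__ == "__main__":
    for name, stream in (("plain FTP", PLAIN_FTP), ("explicit FTPS", FTPS_EXPLICIT)):
        holes, note = extract_pinholes(stream)
        print(f"{name}: pinholes={holes} ({note})")
    for reply in (b"227 Entering Passive Mode (203,0,113,10,195,80)",
                  b"227 Entering Passive Mode (192,168,1,20,8,1)"):
        print(reply.decode(), "->", check_passive_reply(reply))
```

The plain session yields one pinhole (client to 203.0.113.10:50000, because 195*256+80 = 50000); the FTPS session yields none, which is exactly why no dynamic DNAT rule can be created for it and why a fixed, forwarded passive range on the server side is the workable alternative. The second PASV reply in the usage section fails all three checks. EPSV (229) replies are not parsed here.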

 

OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved