Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
FTP over TLS
« previous
next »
Print
Pages: [
1
]
Author
Topic: FTP over TLS (Read 6471 times)
klaasth
Newbie
Posts: 25
Karma: 1
FTP over TLS
«
on:
March 27, 2019, 10:29:00 am »
We use Filezilla to manage our website hosting. The webhosting uses FTP over TLS. (see attachement)
I can't get FTP over TLS working on our internal network. I have the following allow rule in our network ( see attachement.
Does it mean I have to setup FTP proxy, as described here:
https://forum.opnsense.org/index.php?topic=3868.0
Logged
bartjsmit
Hero Member
Posts: 2017
Karma: 194
Re: FTP over TLS
«
Reply #1 on:
March 27, 2019, 11:48:48 am »
Can you try in passive mode? Also try a packet capture on the firewall or the client to confirm that the transfer is using the ports that you think it should be using.
Bart...
Logged
klaasth
Newbie
Posts: 25
Karma: 1
Re: FTP over TLS
«
Reply #2 on:
March 27, 2019, 02:02:33 pm »
Bartjsmit how do you start a pacture capture on the firewall? I am using "Firewall"->"Log files" -> "Live View", but I don't get any blocked packages.
Logged
bartjsmit
Hero Member
Posts: 2017
Karma: 194
Re: FTP over TLS
«
Reply #3 on:
March 27, 2019, 03:08:11 pm »
Interfaces, Diagnostics, Packet Capture. You can save the file and comb through it with Wireshark (other packet trace analysers are available).
Bart...
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: FTP over TLS
«
Reply #4 on:
March 27, 2019, 07:04:49 pm »
FTPS will probably never work (unless the FTP proxy can intercept like squid) because the port is transferred encrypted so OPNsense cannot add the DNAT rule dynamically.
Logged
klaasth
Newbie
Posts: 25
Karma: 1
Re: FTP over TLS
«
Reply #5 on:
March 28, 2019, 03:18:44 pm »
Fabian, thanks for your response.
So, what is then the most convenient way to let SFTP trough the firewall?
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: FTP over TLS
«
Reply #6 on:
March 28, 2019, 05:38:07 pm »
sftp is over SSH, which is easy: TCP/22. The problem is FTPS ("normal" FTP over TLS) which is using a variant of start TLS which is not supported by the standard FTP proxy. Maybe there is another proxy out there, which does support it but this must be compatible with FreeBSD.
Logged
mitsos
Newbie
Posts: 47
Karma: 9
Re: FTP over TLS
«
Reply #7 on:
April 02, 2019, 09:56:24 pm »
Active FTP: Client connects to the server, decides on a port to use for the data channel (your log is showing the command-side channel) and connects.
Passive FTP: Client connects to the server, server tells it "my public IP is XYZ, use port ABC", your client connects to this for its data channel. This is where everything falls apart in your setup, see below.
That being said: The only way to "easily" punch through a NAT is setting up the FTP server for explicit FTP over TLS (there
isn't
any other way to use FTP, I don't care what the RFCs say) with a limited port range for the data channel (EDIT:) in passive mode. Your server will need to answer with its "true" public IP, and a limited port range that is port forwarded to it. Accessing it from the internal network is a matter of correctly doing the translation (handled by OPNSense,shouldn't be an issue, at least wasn't in my tests).
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
FTP over TLS