OPNsense Forum » Archive » 17.1 Legacy Series » How to setup FTP port forward ?
Topic: How to setup FTP port forward ? (Read 14130 times)

jjonsson (Newbie, Posts: 7, Karma: 0)
How to setup FTP port forward ? « on: March 01, 2017, 11:49:59 am »
I need to access an FTP server behind the opnsense firewall from the Internet (Reverse FTP proxy ?)
Googling gives me these:
https://forum.opnsense.org/index.php?topic=3956.0
https://forum.opnsense.org/index.php?topic=3868.0
But they don't look at all like my interface. I'm running OPNsense v17.1.2-amd64
Any help appreciated...

faunsen (Full Member, Posts: 102, Karma: 17)
Re: How to setup FTP port forward ? « Reply #1 on: March 02, 2017, 09:02:32 am »
Yes, you need a "Reverse FTP Proxy" to do that.
What exactly is the problem?

jjonsson (Newbie, Posts: 7, Karma: 0)
Re: How to setup FTP port forward ? « Reply #2 on: March 02, 2017, 11:54:07 pm »
The problem is I don't know how to set up a reverse proxy. Those pictures on the link don't look like anything I can find in the interface.
So how do I set up a reverse proxy for FTP on the newest version?

franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: How to setup FTP port forward ? « Reply #3 on: March 03, 2017, 06:23:58 am »
HAProxy may be able to do this? Make sure to open the relevant ports and I don't know if it's easily configurable in the plugin yet. FWIW, here's a hopefully relevant document that you can use to match the HAProxy plugin settings against:
http://www.taitclarridge.com/techlog/2012/09/ftp-load-balanced-through-haproxy.html
Cheers,
Franco

fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: How to setup FTP port forward ? « Reply #4 on: March 03, 2017, 07:55:00 am »
ftp-proxy is able to run in reverse proxy mode. However Reverse Proxy mode may not be available in the GUI from the plugin.
Kind regards
Fabian

faunsen (Full Member, Posts: 102, Karma: 17)
Re: How to setup FTP port forward ? « Reply #5 on: March 03, 2017, 09:02:56 am »
OK, maybe the documentation doesn't explain it clear enough.
Make sure you have installed the os-ftp-proxy plugin. See System->Firmware->Plugins.
Reload the page if the FTP Proxy item doesn't appear in the Services menu after install.
In Services->FTP Proxy click the + button at bottom right, underneath the table, to add a new ftp-proxy.
Now the Edit Proxy dialog should open and you can create the proxy as described in the documentation section Reverse FTP Proxy.
Does this procedure work?
If not which step fails?
Frank

jjonsson (Newbie, Posts: 7, Karma: 0)
Re: How to setup FTP port forward ? « Reply #6 on: March 06, 2017, 01:38:23 pm »
It seems to work now. Question is though, how do I get FTP TLS to work ?
This is what my client says:
Status: Connecting to X.X.X.X:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 13:18. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.
Status: Initializing TLS...
Error: GnuTLS error -110: The TLS connection was non-properly terminated.
Status: Server did not properly shut down TLS connection
Error: Could not connect to server
Any help is appreciated :-)

faunsen (Full Member, Posts: 102, Karma: 17)
Re: How to setup FTP port forward ? « Reply #7 on: March 06, 2017, 01:47:51 pm »
Unfortunately TLS won't work because the encryption happens between the client and the server.
But the ftp proxy needs to know the port commands to create the appropriate firewall rules.
Consider using SFTP instead.
Regards,
Frank
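
The following Python example is added here and is not from the thread or from ftp-proxy's source. It parses the PORT commands and 227 PASV replies that an in-path proxy has to read to open data ports per session, and shows that once the server answers AUTH TLS with 234 nothing further is readable; the function names, sessions and addresses are constructed for illustration.

```python
import re

# RFC 959 data endpoint: four address bytes and two port bytes, comma separated.
ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    match = ENDPOINT.search(text)
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def visible_endpoints(control_stream):
    """Walk (direction, bytes) control-channel records as an in-path proxy sees them.

    Returns (endpoints, hidden): the data endpoints it could open rules for,
    and how many records arrived after TLS started and could not be read.
    """
    endpoints, hidden = [], 0
    auth_sent = encrypted = False
    for direction, raw in control_stream:
        if encrypted:
            hidden += 1          # TLS records: PORT/PASV are inside, unreadable
            continue
        line = raw.decode("ascii", "replace").strip()
        if direction == "S" and auth_sent:
            encrypted = line.startswith("234")   # 234 = server accepts AUTH TLS
            auth_sent = False
        elif direction == "C" and line.upper() in ("AUTH TLS", "AUTH SSL"):
            auth_sent = True
        else:
            endpoint = parse_endpoint(line)
            if endpoint:
                endpoints.append(endpoint)
    return endpoints, hidden

# Constructed sessions (documentation addresses, shortened banners).
PLAIN_SESSION = [("S", b"220 Welcome\r\n"), ("C", b"USER demo\r\n"),
                 ("S", b"331 Password required\r\n"), ("C", b"PASV\r\n"),
                 ("S", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n")]
TLS_SESSION = [("S", b"220 Welcome\r\n"), ("C", b"AUTH TLS\r\n"),
               ("S", b"234 AUTH TLS OK.\r\n"),
               ("C", b"\x16\x03\x01\x00\x05hello"), ("S", b"\x16\x03\x03\x00\x05hello")]

if __name__ == "__main__":
    print(visible_endpoints(PLAIN_SESSION))
    print(visible_endpoints(TLS_SESSION))
```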

djGrrr (Full Member, Posts: 112, Karma: 22)
Re: How to setup FTP port forward ? « Reply #8 on: March 06, 2017, 02:44:00 pm »
I have a question here, why use an FTP proxy at all, can you not just use passive mode?

faunsen (Full Member, Posts: 102, Karma: 17)
Re: How to setup FTP port forward ? « Reply #9 on: March 06, 2017, 02:56:29 pm »
Yes, this would work but it's unsafe.
You need to open a port range to your ftp server without a relation to an existing ftp command connection.
These ports are always open regardless if a ftp connection exists or not or what services listen on these ports on the ftp server.

djGrrr (Full Member, Posts: 112, Karma: 22)
Re: How to setup FTP port forward ? « Reply #10 on: March 07, 2017, 12:41:43 am »
Sure, but you can typically specify the port range to use for passive connections, which you could limit to a relatively small range. Also, depending on the OS and firewall in use, you may be able to restrict the user who can listen on said ports (to the ftp daemon's user), or even the executable.

faunsen (Full Member, Posts: 102, Karma: 17)
Re: How to setup FTP port forward ? « Reply #11 on: March 07, 2017, 08:54:34 am »
... or you can use SELinux or whatever.
But then I wonder for what reason the firewall was installed?
If you do all these security measures why not simply put the ftp server to a DMZ?

djGrrr (Full Member, Posts: 112, Karma: 22)
Re: How to setup FTP port forward ? « Reply #12 on: March 07, 2017, 03:27:33 pm »
I am just trying to give a solution that will work without really risking security. ftp-proxy does not support tls, because it needs to be able to see the PASV commands to open the ports automatically. Any other solution I could find, such as proftpd + mod_proxy, while it does support SSL/TLS connections, it does not open ports in the firewall automatically, which means you'd at the very least be left with ports on the firewall that are always open.
There is no way to support active/PORT connections for clients through a firewall if TLS is used.
« Last Edit: March 07, 2017, 03:53:12 pm by djGrrr »

fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: How to setup FTP port forward ? « Reply #13 on: March 07, 2017, 03:52:03 pm »
It is possible, but the FTP-Proxy must be the software implementing the StartTLS connection. That would mean that TLS would be terminated on the firewall. I do not think that ftp-proxy can do that.