Allow outbound FTP through PFSense firewall
PFSense is a great tool that provides a firewall, traffic shaping, load balancing and failover, and other features, and it is fully extensible by way of third-party open-source “plugins” and packages that you can install via its web console.
Recently, though, some of our devs needed to connect via FTP to a remote server, and apparently they encountered a weird problem with FTP:
user@ubuntu:~$ ftp some-server.com
Connected to some-server.com.
220 ProFTPD 1.3.1 Server (some-server.com) [143.44.52.54]
Name (some-server.com:user): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use
ftp>
A little investigation revealed that for FTP to work, the FTP Helper proxy application must be running on the LAN interface of our PFSense box, and a firewall rule must be added for it. It works more like a “transparent FTP proxy”, if you get my drift.
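Why the server answered “500 Illegal PORT command”, and what the FTP helper changes, as an added example (not code from the original post or from PFSense). It assumes the server only accepts a PORT address equal to the source of the control connection; the addresses and the helper port are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the original post).
LAN_CLIENT_PORT_ARG = "192,168,1,50,196,37"  # LAN client announces 192.168.1.50, port 50213
WAN_IP = "203.0.113.10"                      # source address the remote server sees after NAT
HELPER_DATA_PORT = 55001                     # hypothetical port the helper listens on for data


def parse_port_arg(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command (RFC 959)."""
    parts = [int(x) for x in arg.strip().split(",")]  # int() raises ValueError on junk
    if len(parts) != 6 or any(not 0 <= n <= 255 for n in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    host = ipaddress.IPv4Address(".".join(str(n) for n in parts[:4]))
    return host, parts[4] * 256 + parts[5]


def format_port_arg(host, port):
    """Encode an address and port back into PORT argument form."""
    return "%s,%d,%d" % (str(host).replace(".", ","), port >> 8, port & 0xFF)


def server_accepts(port_arg, control_peer):
    """Assumed server-side check: PORT address must equal the control connection's source."""
    host, _port = parse_port_arg(port_arg)
    return host == ipaddress.IPv4Address(control_peer)


def helper_rewrite(port_arg, wan_ip, data_port):
    """What a transparent FTP proxy does with the client's PORT command:
    announce the firewall's own address and a port it relays data on."""
    parse_port_arg(port_arg)  # reject malformed input before rewriting
    return format_port_arg(ipaddress.IPv4Address(wan_ip), data_port)


if __name__ == "__main__":
    # Without the helper, the server sees a private address that is not its peer.
    print("client PORT accepted:", server_accepts(LAN_CLIENT_PORT_ARG, WAN_IP))
    fixed = helper_rewrite(LAN_CLIENT_PORT_ARG, WAN_IP, HELPER_DATA_PORT)
    print("rewritten PORT:", fixed, "accepted:", server_accepts(fixed, WAN_IP))
```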
Let’s do it
1. In PFSense, click on Interfaces, LAN

2. Make sure that “Disable the userland FTP-Proxy application” is unchecked.

3. Save your setting, and then click “Apply this setting”.
4. We will now add a rule to permit our LAN traffic to access our FTP-Proxy application ports 8000-8030 on 127.0.0.1. To do so, click on the “+” button at the bottom or at the top of the list of rules to add your new rule. Make sure that the new rule is on top of all the other rules.



5. Save your new settings, and apply.
Test your FTP connection.
Enjoy!
DUDE! You’re a freakin lifesaver. I was bashing my head against the wall trying to fix this…
Comment by Arvin — August 28, 2008 @ 7:22 am
Hi Arvin,
Thanks for dropping by. Glad that it helped you out. It also bugged me for a few hours. Feel free to send a trackback or a link.
Regards!
Comment by hardwyrd — August 28, 2008 @ 9:53 pm
Wow, I had the same problem, but your solution was wow. Thanks a million.
Comment by Edward Odonkor — October 7, 2008 @ 4:41 pm
Thanks a lot, this helped me a lot.
WOW you are a star
Comment by Edward Odonkor — October 7, 2008 @ 5:08 pm
Just to add one little thing: if load balancing, add one more rule to forward FTP traffic to the default gateway or some defined gateway.
Comment by Tariq — November 27, 2008 @ 5:30 pm
WOW! You rock! It worked. I’ve been looking for this fix for a long time.
Thanks.
Comment by Benson — August 17, 2009 @ 5:36 am
Thank you, man. You’ve really helped me.
Comment by r00t — September 8, 2009 @ 6:19 pm
Thanks so much, this has been driving me mad!
Comment by Nick — October 7, 2009 @ 6:11 pm