I’m not a big fan of the FTP helper, but in some cases it works. One problem I have with it is that proftpd ends up only having connections from the gateway ip address, so it does not log the source ip address.
To do away with the ftp helper and support passive ftp transfers, I found this pfSense FTP Trouble Shooting page helpful. In a nutshell, I did the following things:
- Disabled the FTP userland helper for all interfaces.
- Specified the masqueraded ip address and a limited port range in /etc/proftpd/proftpd.conf
- Port forwarded port 21 and the port range in pfSense to the proftpd server
It works! I’m planning to install fail2ban now that I have ip addresses I can ban! :-)