pfSense, ProFTPd, and the FTP Helper

I'm not a big fan of the FTP helper, but in some cases it works. One problem I have with it is that proftpd ends up only having connections from the gateway IP address, so it does not log the source IP address.

To do away with the FTP helper and support passive FTP transfers, I found this pfSense FTP Trouble Shooting page helpful. In a nutshell, I did the following things:

  • Disabled the FTP userland helper for all interfaces.
  • Specified the masqueraded IP address and a limited port range in /etc/proftpd/proftpd.conf.
  • Port forwarded port 21 and the port range in pfSense to the proftpd server.

It works! I'm planning to install fail2ban now that I have IP addresses I can ban! :-)
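The steps above only work if the passive range in proftpd.conf and the pfSense port forwards agree. The following consistency check is an added example, not part of the original post; it assumes the two settings are ProFTPD's `MasqueradeAddress` and `PassivePorts` directives, and the address, port range, forward list and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample proftpd.conf: WAN address (documentation range) that
# clients connect to, plus a limited passive data-port range.
SAMPLE_CONF = """\
MasqueradeAddress 203.0.113.10
PassivePorts 50000 50100
"""
# Constructed sample: pfSense port forwards as (first_port, last_port).
SAMPLE_FORWARDS = [(21, 21), (50000, 50100)]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conf(text):
    """Return (masquerade_address, (low, high)); either is None if absent."""
    masq = ports = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := re.fullmatch(r"MasqueradeAddress\s+(\S+)", line):
            masq = m.group(1)
        elif m := re.fullmatch(r"PassivePorts\s+(\d+)\s+(\d+)", line):
            ports = (int(m.group(1)), int(m.group(2)))
    return masq, ports

def covered(low, high, forwards):
    """True if every port in low..high lies inside some forwarded range."""
    nxt = low
    for f_low, f_high in sorted(forwards):
        if f_low <= nxt <= f_high:
            nxt = f_high + 1
    return nxt > high

def check(conf_text, forwards):
    """Return a list of mismatches between proftpd.conf and the forwards."""
    problems = []
    masq, ports = parse_conf(conf_text)
    if masq is None:
        problems.append("MasqueradeAddress missing: PASV replies give the internal address")
    else:
        try:
            if any(ipaddress.ip_address(masq) in net for net in RFC1918):
                problems.append(f"MasqueradeAddress {masq} is a private address")
        except ValueError:
            pass  # not an IP literal; assumed to be a DNS name
    if ports is None:
        problems.append("PassivePorts missing: data ports are unpredictable")
    elif not covered(*ports, forwards):
        problems.append(f"passive range {ports[0]}-{ports[1]} not fully forwarded")
    if not covered(21, 21, forwards):
        problems.append("control port 21 not forwarded")
    return problems
```

An empty list from `check()` means port 21 and every passive port reach the server, so connections arrive with the client's real source address rather than the gateway's.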


By on January 7, 2009 6:10 PM

2 Comments

Thank you, thank you, thank you. I have been struggling with this for over a week now.

Hi Gwen,

I'm glad you found this post helpful. I still wrestle with FTP from time to time and found an awesome project I'm trying to revive and get included into Debian:

http://www.proxy-sys.com/blog/ftpproxy/

Essentially it's a REAL FTP proxy, not just a firewall workaround. When I say REAL FTP proxy, I mean it can connect FTP users to different back-ends based on their username.

Actually, I just checked out the site:

http://www.ftpproxy.org/

and it looks like the maintainer has published two new releases - the first since 2005. Awesome!!