  1. #1
    Newbie
    Join Date
    Jun 2010
    Posts
    5

    enabling lftp to work

    Hello,

    I am testing the Untangle box in bridge mode. In my testing, all services work well, except for one thing and that's a user on the LAN side trying to connect and download files with lftp, which is specifically being used to do FTP over SSL[1]. In the firewall that I'm evaluating Untangle to replace, pfSense, I had the same issue until I elected "Disable the userland FTP-Proxy application" in the configuration.

    Is Untangle also intercepting FTP traffic and attempting to be a proxy for it (even in bridge mode)? If so, how do I turn this feature off? If not, any ideas why it's not letting FTP traffic through to the "userland" computer?

    [1] see FTPS entry on wikipedia for specifics

    Regards,

    Michael

  2. #2
    Master Untangler neiby's Avatar
    Join Date
    Jun 2009
    Location
    Denver, CO
    Posts
    603

    I had a similar problem. The only solution I found was to create a bypass rule for that traffic. I couldn't figure out what Untangle was doing to the traffic in the first place, but it was definitely breaking it.
    Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    yes, virus blockers scan FTP.

    you can configure this in config->system->protocol and turn off FTP processing.

    It won't allow SSL because then it can't scan the file.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Master Untangler neiby's Avatar
    Join Date
    Jun 2009
    Location
    Denver, CO
    Posts
    603

    Originally posted by dmorris:
    yes, virus blockers scan FTP.

    you can configure this in config->system->protocol and turn off FTP processing.

    It won't allow SSL because then it can't scan the file.
    Ah, that must be the problem we had, too.

  5. #5
    Newbie
    Join Date
    Jun 2010
    Posts
    5

    Most excellent. That was the fix. Well, now the dilemma of having your cake and eating it, too. How to allow the encrypted files to be downloaded as we know they're being pulled down from a trusted site, but not allow all the other FTP traffic to be unfiltered?

  6. #6
    Master Untangler neiby's Avatar
    Join Date
    Jun 2009
    Location
    Denver, CO
    Posts
    603

    If all of this traffic is coming from one particular trusted site then you can add a bypass rule for that server's IP address.

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    if it is a trusted site, turn that option (SSL/FTP scanning) back on and then add a bypass rule for that specific site so none of its traffic is scanned at all.

    edit: neiby beat me to it!

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389

    Bypass rules are magic.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Newbie
    Join Date
    Jun 2010
    Posts
    5

    Ok, forgive my ignorance (on day 3 on Untangle for me), but where do these bypass rules go? I checked Protocol Control, and briefly looked at Firewall (but it wasn't obvious there, either). I tried adding the site to the Web Filter's Pass Sites list, but that didn't do it. So I'm quite stumped.

  10. #10
    Newbie
    Join Date
    Jun 2010
    Posts
    5

    Never mind, it finally dawned on me that "Spyware Blocker" was the place to add the pass rule.

    Thanks for all the quick responses. I'm amazed at how easy it was to get Untangle similarly configured to pfSense AND on top of that, turn on what looks like it's going to be a fairly comprehensive IPS management system. Things are looking good so far!

    Michael
