Passive FTP using FTP profile
Hi Community, I have an F5 BIG-IP 16.0.1.1 running on AWS with an FTP server behind it running vsftpd. The idea is to balance passive FTP publicly. So, clients should hit the public IP of the F5 for passive FTP. This scenario is running perfectly without an FTP profile, just a TCP profile (all ports) and the option pasv_address on the FTP server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5. I've tried to implement FTP passive load balancing using official documentation like (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html), but no matter what combination or configuration is implemented on the F5 & the FTP server, if I have the FTP profile the message ("passive mode refused") is always received after the PASV request, and it only works if I use this for internal passive FTP, meaning that I do not configure a "pasv_address" on the FTP server, and the client that requests the connection is in the same LAN as the F5 & FTP server, resolving everything internally. As I said, I've tried a lot of combinations and settings on the F5 and FTP servers, but nothing works. Could someone give me a little guidance here? Thanks in advance.

FTP proxy via iRule
Hello, I'm trying to do an anonymous FTP connection through an F5 iRule. My logs of the iRule look like this:

    Rule /Common/iRule_ftp_proxy <CLIENT_ACCEPTED>: client FTP accepted
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: client payload - USER anonymous@193.190.198.27
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: sitename:193.190.198.27 - cmd:USER - uid:anonymous
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: address 193.190.198.27 port 21
    Rule /Common/iRule_ftp_proxy <SERVER_CONNECTED>: connected to server
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 220-Welcome to the Belnet public FTP server ftp.belnet.be !This server is located in Brussels, Belgium and operated by Belnet, the BelgianEducation and Research Network. If you have any problem, question or mirrorrequest, please send them to ftpmaint@belnet.be.This archive is available through the following means:RSYNC rsync://rsync.belnet.be (IPv4)HTTP http://ftp.belnet.be (IPv4 + IPv6)FTP ftp://ftp.belnet.be (IPv4 + IPv6)
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server found 220 ok
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payloadNote: opening too many parallel connections to this host is considered an abuse.All access is logged.Currently used storage capacity : 34T / 100T on /ftp220 193.190.198.27 FTP server ready
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 331 Anonymous login ok, send your complete email address as your password

When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it. This is my SERVER_DATA in the iRule:

    when SERVER_DATA {
        if { $static::debug } { log local0. "server payload [TCP::payload]" }
        if { [TCP::payload] starts_with "220" } {
            if { $static::debug } { log local0. "server found 220 ok" }
            TCP::respond "USER $uid\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
        TCP::collect
    }

I also tried modifying the rule like this:

    when SERVER_DATA {
        if { $static::debug } { log local0. "server payload [TCP::payload]" }
        if { [TCP::payload] starts_with "220" } {
            if { $static::debug } { log local0. "server found 220 ok" }
            TCP::respond "USER $uid\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        if { [TCP::payload] starts_with "331" } {
            TCP::respond "PASS $uid@example.com\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
        TCP::collect
    }

This gets me one step further, but I'm still not able to connect. When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it.

    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 230 Anonymous access granted, restrictions apply

Why is the '331 server_data' not being forwarded to my client so it can respond to it, or is this the task of the proxy? And why is the '230 server data' not reaching the client? Cheers

External FTP monitor via explicit FTP proxy
Dear all, I have a couple of forward proxy servers load balanced behind the F5 and we are wondering how to monitor the FTP proxy services. So basically we are looking for a way to send an FTP command via an external explicit FTP proxy, just like we do with the HTTP curl command for web services (see below). Does someone have a solution to monitor FTP via an explicit proxy?

    curl -k -v ${URI} --proxy ${IP}:${PORT} --http1.1 2>&1 | grep -i "${RECV}"

Connection events for FTP data channel
Hi! I'm making an iRule for an FTP service that's load balanced. The VIP is using the standard FTP profile. But I'm not seeing any connection events triggering when the data channel is created. Using this simplified iRule just logs the first connection to the control channel (port 21), not anything when the client connects to the VIP for PASV or the server connects to the LTM responding to a PORT command.

    when CLIENT_ACCEPTED {
        set client_ip [IP::client_addr]
        set client_port [TCP::client_port]
        set vip_addr [IP::local_addr]
        set vip_port [TCP::local_port]
        log local1. "$client_ip:$client_port -> $vip_addr:$vip_port"
    }

Is there any way to get CLIENT_ACCEPTED triggering for the data channel? Thanks

Whitelist via FTP
Question, I have created whitelists in the past, but have recently been asked to create a whitelist for FTP clients. The premise of the rule is: if you come from this IP address, get directed to this pool. Else, go to this IP address. Would I have to invoke a client_Accept instead of a HTTP_REQUEST?

    when HTTP_REQUEST {
        if { not ([class match [IP::remote_addr] equals Whitelist_Sorry]) } {
            pool some_FTP_Pool
        } else {
            pool some_other_FTP_Pool
            log local0. "Condition not matched. Go here.."
        }
    }

    class Whitelist_Sorry {
        {
            host 10.10.5.139
            network 172.16.0.0/16
        }
    }

FTP Proxy, user based forwarding with iRule
I'm looking into using a VS as an FTP proxy towards my backend webserver. Currently it already works for one webserver behind the VS. I'm now trying to write an iRule to forward traffic to the right server based on the username the FTP connection is initiated with. Secondly, I need to rewrite the username and remove the web parameter. Example: USER1 connects with the following credential: USER1@WEB1. @WEB1 is removed from the credential and the connection is forwarded towards pool WEB1. Anybody have any ideas how to do this last part?

FTP Proxy: pwd problem
Hello, I'm currently using the following code snippet for an FTP proxy: https://devcentral.f5.com/codeshare/ftp-proxy-lite

    when CLIENT_ACCEPTED {
        TCP::respond "220 Welcome to the F5 FTP Proxy\r\n"
        log local0. "client accepted"
        TCP::collect
    }

    when CLIENT_DATA {
        set ftplogin [TCP::payload]
        if { $ftplogin starts_with "USER" } {
            set cuser [TCP::payload]
            scan $cuser {%[^@]@%s} garbage remote_ftp_site_addr
            scan $garbage %s%s cmd uid
            TCP::payload replace 0 [string length $cuser] "USER $uid\r\n"
            node $remote_ftp_site_addr [TCP::local_port]
        }
        TCP::release
    }

But it looks like the password doesn't get passed when connecting to the FTP server. I get this behavior with WinSCP and FileZilla. Answer: 530 Please login with USER and PASS.

Server log:

    Thu Mar 7 10:13:12 2019 [pid 17174] FTP command: Client "::ffff:130.0.0.150", "USER ictst"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", "331 Please specify the password."
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP command: Client "::ffff:130.0.0.150", "SYST"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", "530 Please login with USER and PASS."
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP command: Client "::ffff:130.0.0.150", "FEAT"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", "211-Features:"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " EPRT??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " EPSV??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " MDTM??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " PASV??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " REST STREAM??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " SIZE??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", " TVFS??"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", "211 End"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP command: Client "::ffff:130.0.0.150", "PWD"
    Thu Mar 7 10:13:12 2019 [pid 17174] [ictst] FTP response: Client "::ffff:130.0.0.150", "530 Please login with USER an

The virtual server has an FTP profile on it. Anybody have an idea why this could be the case? Leander

Explicit FTP/S VS - v13.x
I have been asked to provide a VS for explicit FTP/S. We have recently upgraded to v13 (we were pretty far behind) and I have noticed the FTP profile has an option for 'Allow FTPS'. Does anyone have any working configurations for explicit FTP/S using this profile, or working configurations for E FTP/S in general? Thank you...

Passing client IPs for FTP
Our FTP server (behind our F5) has an auto-ban feature that is blocking the self IP address of the F5 after multiple invalid logins. This in turn blocks all FTP traffic. I have used X-Forwarded-For in the past but I can't seem to find the equivalent for FTP. Our workaround is to not auto-ban IP addresses, but this is a security risk. My solution is to move from Automap/SNAT to None (Routed Mode) and make the F5 the default gateway of the SFTP server (this would pass the real client IP at Layer 3). I seem to have hit a roadblock on how to exactly do that.

Current config:

    EXT listener (F5 virtual server) 10.10.10.181 > Pool Member (FTP server) 192.168.66.3
    Self IP of F5 192.168.1.3

How would I specifically configure the Forwarding (IP) VS so it sends traffic destined for 10.10.10.181 to 192.168.66.3 while passing the real IP address? Do I need to create a static route on my router, since the F5 and server are on different VLANs? When I set the DG to the self IP of the F5, all traffic dies to that server (as expected). Any help is appreciated!