Netgate Discussion Forum

Port 21 allowed out, but nothing will connect going out

Mathiau, Aug 20, 2009, 10:41 PM

I have some rules and all of the other rules work, except my port 21 rule.

I have a block-all rule, and above that are all of my other rules (DNS, HTTP, HTTPS and so on). I added the port 21 FTP rule, but nothing on port 21 will connect, from sites in a browser (ftp://) to using an FTP client and connecting to FTPs with either active or passive mode on.

I do not host an internal FTP either, so I have no NAT rules that could conflict with the rule…

Any thoughts? Did I miss something? All of my other rules work just fine; it is only port 21 FTP that won't allow anything through.
Mathiau, Aug 21, 2009, 12:16 AM

I do have the userland proxy turned off already also.
cmb, Aug 21, 2009, 2:37 AM

You want the FTP proxy on generally.
Mathiau, Aug 21, 2009, 3:07 PM

I have turned it back on (unchecked the "disable userland proxy" option…), but I still can not connect outgoing on port 21 :(
psylo, Aug 21, 2009, 10:25 PM

When you say "cannot connect", do you mean:

1. Timeout when you try to access an anonymous FTP?
2. Timeout when you try to access a password-protected FTP?

The FTP protocol is based on 2 channels: COMMAND (TCP/21) & DATA (TCP/20 in active mode; TCP/ephemeral in passive mode). The worst thing is that, according to the mode you use, the DATA channel can be an inbound connection (active mode) or an outbound connection (passive mode). See http://en.wikipedia.org/wiki/FTP for further explanations.

So it means that if you have configured restrictive outbound rules (only HTTP, HTTPS, DNS and FTP (TCP/21), for example), the COMMAND channel will open normally but not the DATA channel. And the directory listing is done via the DATA channel, not the COMMAND channel.

What you can do is:

• Create a rule allowing your LAN to anywhere on any port.
• Test an FTP in passive mode.

Last but not least, FTP is the worst protocol to use with NAT between the client and the server because of these 2 modes.

Hope this helps.
Mathiau, Aug 21, 2009, 11:11 PM

A timeout on both.

I tried our personal FTP with a password, then other sites like ftp://areaca and even from Asus.

I opened ports 20 and 21 just to be sure, but that still didn't work :(

I turned passive mode on and off, still a no go.

Could this thread be part of http://forum.pfsense.org/index.php/topic,2450.0.html ?

I will try the allow-all rule: enable it again, disable the block-all, and let you know!
Mathiau, Aug 21, 2009, 11:47 PM

Turning on the allow-all rule again works and lets me connect to any FTP server…

I set the rule as TCP/UDP with a port range of 20 to 21. Did I set something wrong?
psylo, Aug 22, 2009, 7:49 AM

@Mathiau:

turning on the allow all rule again works and lets me connect to any FTP server…

So if it works like this, I'm quite sure the passive mode is used.

@Mathiau:

i set the rule as TCP / UDP with a port range of 20 to 21, did i set something wrong?

Yes. Actually, port 20 is used only with active mode for the DATA channel, which is an incoming connection…

I don't know how pfSense manages FTP (I have not tested it so far), but it seems there is an FTP proxy. Perhaps you can take a look there...
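As an added illustration of psylo's two explanations above (this is example code written for this page, not code from the thread or from pfSense): it parses a constructed passive-mode 227 reply and a constructed active-mode PORT command, works out which side opens the DATA connection and on which port, and checks whether an egress rule limited to TCP 20-21 would drop the client's passive data connection. The addresses and port values are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines; hypothetical addresses, not from the thread.
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)."
PORT_CMD = "PORT 192,168,1,50,20,11"

_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"  # h1,h2,h3,h4,p1,p2 as RFC 959 encodes them


@dataclass(frozen=True)
class DataChannel:
    mode: str       # "passive" or "active"
    direction: str  # "outbound": the client opens it; "inbound": the server opens it
    host: str       # endpoint the data connection goes to
    port: int       # TCP port at that endpoint


def _decode(groups):
    """("h1","h2","h3","h4","p1","p2") -> ("h1.h2.h3.h4", p1*256 + p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def parse_pasv(reply: str) -> DataChannel:
    """227 reply: the server names an ephemeral port the CLIENT must connect out to."""
    m = re.search(r"\(" + _SIX + r"\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    host, port = _decode(m.groups())
    return DataChannel("passive", "outbound", host, port)


def parse_port(cmd: str) -> DataChannel:
    """PORT command: the client names a port the SERVER connects back to, from TCP/20."""
    m = re.fullmatch(r"PORT " + _SIX, cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    host, port = _decode(m.groups())
    return DataChannel("active", "inbound", host, port)


def blocked_by_egress_rule(channel: DataChannel, allowed_dst_ports) -> bool:
    """True if a LAN->any TCP rule limited to allowed_dst_ports drops this data channel."""
    # An inbound (active-mode) data connection is never decided by the egress rule;
    # getting it in is the job of inbound rules or the FTP proxy, not of this check.
    if channel.direction != "outbound":
        return False
    return channel.port not in allowed_dst_ports


if __name__ == "__main__":
    pasv = parse_pasv(PASV_REPLY)
    print(pasv, "dropped by TCP 20-21 rule:", blocked_by_egress_rule(pasv, range(20, 22)))
```

With the TCP 20-21 rule from the thread the passive data connection to port 50000 is dropped, which matches the symptom of a COMMAND channel that opens but a listing that never arrives.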
psylo, Aug 22, 2009, 7:51 AM

Take a look there: http://doc.pfsense.org/index.php/FTP_Troubleshooting
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.