Port 21 allowed out, but nothing will connect going out
-
I have some rules, and all of the other rules work, except my port 21 rule.
I have a block-all rule, and above that are all of my other rules: DNS, HTTP, HTTPS and so on. I added the port 21 (FTP) rule, but nothing on port 21 will connect, from sites in a browser (ftp://) to using an FTP client and connecting to FTP servers with either active or passive mode on.
I do not host an internal FTP either, so I have no NAT rules that could conflict with the rule…
Any thoughts? Did I miss something? All of my other rules work just fine; it is only port 21 (FTP) that won't allow anything through.
-
I do have the userland proxy turned off already also.
-
You want the FTP proxy on generally.
-
I have turned it back on (unchecked "disable userland proxy"…), but I still cannot connect outgoing on port 21 :(
-
When you say "Cannot connect", do you mean:
- Timeout when you try to access an anonymous FTP?
- Timeout when you try to access a password-protected FTP?
The FTP protocol is based on 2 channels: COMMAND (TCP/21) & DATA (TCP/20 in active mode; TCP/ephemeral in passive mode). The worst thing is that, according to the mode you use, the DATA channel can be an inbound (active mode) or an outbound (passive mode) connection. See http://en.wikipedia.org/wiki/FTP for further explanations.
So it means that if you have configured restrictive outbound rules - only HTTP, HTTPS, DNS and FTP (TCP/21), for example - the COMMAND channel will open normally but not the DATA channel. And the directory listing is done via the DATA channel, not the COMMAND channel.
What you can do is:
- Create a rule allowing your LAN to anywhere on any port.
- Test an FTP server in passive mode.
Last but not least, FTP is the worst protocol to use with NAT between the client and the server because of these 2 modes.
Hope this helps.
-
A timeout on both.
I tried our personal FTP with a password, then other sites like ftp://areaca and even from Asus.
I opened ports 20 and 21 just to be sure, but that still didn't work :(
I turned passive mode on and off, still a no go.
Could this thread be part of
http://forum.pfsense.org/index.php/topic,2450.0.html?
I will try the allow-all rule: enable it again and disable the block-all, and let you know!
-
Turning on the allow-all rule again works and lets me connect to any FTP server…
I set the rule as TCP/UDP with a port range of 20 to 21; did I set something wrong?
-
Turning on the allow-all rule again works and lets me connect to any FTP server…
So if it works like this, I'm quite sure passive mode is used.
I set the rule as TCP/UDP with a port range of 20 to 21; did I set something wrong?
Yes. Actually, port 20 is used only with active mode for the DATA channel, which is an incoming connection…
I don't know how pfSense manages FTP (I have not tested it so far), but it seems there is an FTP proxy. Perhaps you can take a look there...
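The two replies above (the one explaining the COMMAND and DATA channels, and the one pointing out that port 20 is only the active-mode data port) can be checked against the poster's rule set without a firewall. The following is an added example, not code from this thread or from pfSense: it models a first-match rule list like the poster's (named services allowed outbound, then block-all), parses the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and the client's "PORT h1,h2,h3,h4,p1,p2" command (RFC 959 encoding, port = p1*256 + p2), and reports whether each channel would be passed. The rules, addresses and control-channel lines are constructed for illustration.

```python
# Added example, not code from the pfSense forum thread. Models the poster's
# rule set (named services allowed outbound, then block-all, first match wins)
# and shows which FTP channel that rule set actually blocks.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "tcp", "udp" or "any"
    direction: str            # "out" = LAN -> Internet, "in" = Internet -> LAN
    dports: Optional[range]   # destination port range; None = any port


# Constructed rule set, evaluated top to bottom, first match wins.
RESTRICTIVE_RULES = [
    Rule("pass", "udp", "out", range(53, 54)),    # DNS
    Rule("pass", "tcp", "out", range(80, 81)),    # HTTP
    Rule("pass", "tcp", "out", range(443, 444)),  # HTTPS
    Rule("pass", "tcp", "out", range(20, 22)),    # the poster's FTP rule, ports 20-21
    Rule("block", "any", "out", None),            # block-all outbound
    Rule("block", "any", "in", None),             # nothing unsolicited inbound
]

# The "allow your LAN to anywhere on any port" rule suggested in the thread.
ALLOW_ALL_RULES = [Rule("pass", "any", "out", None)] + RESTRICTIVE_RULES


def evaluate(rules, proto, direction, dport):
    """Return the action of the first matching rule ("block" if none matches)."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.direction != direction:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "block"


# Both lines carry host and port as six decimal bytes (RFC 959).
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if not all(0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("byte out of range in host/port tuple")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel(line):
    """Parse one control-channel line that announces the DATA channel.

    Returns (mode, host, port, direction). Passive: the client opens an
    outbound connection to the server's ephemeral port. Active: the server
    connects inbound from TCP/20 to the client's ephemeral port.
    """
    m = _PASV_RE.match(line.strip())
    if m:
        host, port = _decode(m.groups())
        return "passive", host, port, "out"
    m = _PORT_RE.match(line.strip())
    if m:
        host, port = _decode(m.groups())
        return "active", host, port, "in"
    raise ValueError(f"not a PASV reply or PORT command: {line!r}")


def ftp_verdicts(rules, line):
    """Verdicts for the COMMAND channel (TCP/21 outbound) and the DATA channel."""
    mode, host, port, direction = data_channel(line)
    return {
        "mode": mode,
        "command": evaluate(rules, "tcp", "out", 21),
        "data": evaluate(rules, "tcp", direction, port),
        "data_endpoint": f"{host}:{port}",
    }


if __name__ == "__main__":
    # Constructed control-channel lines; the addresses are documentation ranges.
    pasv_reply = "227 Entering Passive Mode (192,0,2,10,195,80)"   # port 50000
    port_cmd = "PORT 192,168,1,50,200,4"                           # port 51204
    for name, rules in (("restrictive", RESTRICTIVE_RULES), ("allow-all", ALLOW_ALL_RULES)):
        for line in (pasv_reply, port_cmd):
            print(name, ftp_verdicts(rules, line))
```

With the restrictive rules the COMMAND channel to TCP/21 passes but the passive DATA connection to the server's ephemeral port (50000 here) is blocked, which is the "connects, then times out on the listing" symptom in the thread. The allow-all rule fixes passive mode only; the active-mode DATA connection is still inbound and is blocked by any stateful firewall without an FTP helper or proxy, which is why the advice is to test in passive mode.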
-
Take a look there: http://doc.pfsense.org/index.php/FTP_Troubleshooting