Port 21 allowed out, but nothing will connect going out

Mathiau · Aug 20, 2009, 10:41 PM

i have some rules and all of the other rules work, except my port 21 rule

i have a block all rule then above that is all of myother rules, DNS, HTTP, HTTPS and so on, i added the port 21, ftp rule but nothing on port 21 will connect, from sites in a browser (ftp://) to using an FTP client and connecting to FTP's with both active or passive mode on.

i do not host an internal FTP either, so i have no NAT rules that could conflict with the rule…

Any thoughts? did i miss something, as all of my other rules work just fine, it is only port 21 ftp that wont allow anything through.

Mathiau · Aug 21, 2009, 12:16 AM

i do have the user land proxy turned off already also,.

cmb · Aug 21, 2009, 2:37 AM

You want the FTP proxy on generally.

Mathiau · Aug 21, 2009, 3:07 PM

i have turned it back on (uchecked the disable user land proxy…), but i still can not connect outgoing on port 21 :(

psylo · Aug 21, 2009, 10:25 PM

When you say "Cannot connect", do you mean:

Timeout when you try to access to an anonymous FTP?
Timeout when you try to access to a password protected FTP?

FTP protocol is based on 2 channels: COMMAND (TCP/21) & DATA (TCP/20 in active mode; TCP/ephemeral in passive mode). The worst thing is that, according to the mode you use, the DATA channel can be inbound (Active mode) or outbound connections (Passive mode). See http://en.wikipedia.org/wiki/FTP for further explanations.

So it means that if you have configure restrictive outbound rules - only HTTP, HTTPS, DNS and FTP (TCP/21) for example - the COMMAND channel will open normally but not the DATA. And the directory listing is done via the DATA and not the COMMAND.

What you can do is:

Create a rule allowing your LAN to anywhere in any ports.
Test a FTP in passive mode.

Last but not least, FTP is the worst protocol to use with NAT between the client and the server because of these 2 modes.

Hope this helps.

Mathiau · Aug 21, 2009, 11:11 PM

a time out on both

i tried our personal ftp with a password, then other sites like ftp://areaca and even from asus.

i opened port 20 and 21 just to be sure, but that still didnt work :(

i turned passive mode on and off still a no go,

could this thread be part of
http://forum.pfsense.org/index.php/topic,2450.0.html

?

i will try the allow all rule,. enable it again and disable the block all and let you know!

Mathiau · Aug 21, 2009, 11:47 PM

turning on the allow all rule again works and lets me connect to any FTP server…

i set the rule as TCP / UDP with a port range of 20 to 21, did i set something wrong?

psylo · Aug 22, 2009, 7:49 AM

@Mathiau:

turning on the allow all rule again works and lets me connect to any FTP server…

So if it works like this, I'm quite sure the passive mode is used.

@Mathiau:

i set the rule as TCP / UDP with a port range of 20 to 21, did i set something wrong?

Yes. Actually, the port 20 is used only with active mode for the DATA channel which is an incoming connection…

I don't know how pfSense manages FTP (I do not test it so far yet) but it seems there is an FTP Proxy. Perhaps you can take a look there...

psylo · Aug 22, 2009, 7:51 AM

Take a look there: http://doc.pfsense.org/index.php/FTP_Troubleshooting