FTP rules with public IPs: no connection on ports 20-21
-
Hello all,
I have a subnet with official IPs and don't get FTP connections running.
I have no NAT for that net and created an incoming rule from any to DMZ-subnet, ports 20-21.
When a client connects I see that ports 21 and 113 are used, but then the connection goes to high ports, which are blocked. On the DMZ side everything is allowed to go out: from DMZ to any any.
So I don't understand what is going wrong, because I mean opening ports 20-21 to the subnet should be enough to get a working connection. BTW, I'm using proftpd. Can someone help?
tia
stefan -
FTP happens on more than port 21. Check your server for what port range it uses in addition to port 21. Allow these (high) ports too.
-
Add this directive to your proftpd.conf within the global section
PassivePorts 63000 63010
and then forward those ports.
-
FTP happens on more than port 21. Check your server for what port range it uses in addition to port 21. Allow these (high) ports too.
In my proftpd.conf only port 21 is defined!
Add this directive to your proftpd.conf within the global section
PassivePorts 63000 63010
and then forward those ports.
Okay, I tried this, and it doesn't work. I never heard that I have to forward high ports for FTP connections.
With other firewalls I did not have this problem, and it was never necessary to open high ports for it.
I also enabled the "FTP RFC 959 data port violation workaround" in Advanced. You can test @ 212.144.24.130; maybe you can see better what is going on.
tia
stefan -
Maybe this helps to understand how ftp works: http://en.wikipedia.org/wiki/File_Transfer_Protocol
-
This is a good site that may help too.
http://slacksite.com/other/ftp.html -
Thanks for the good links! But that is not new to me. I think that it is enough to use ports 20 + 21 with my proftpd, or not? Can someone give me an example pfSense config for it? The easiest way is to do port forwarding, or not? But I can not port forward a net, only separate IPs.
And I gave you a wrong IP; please go to 212.144.241.130 for the test.
tia
stefan -
I can't make an FTP connection with you
and if only port 21 is configured in proftpd then it can use all the high ports for the FTP data connection -
AFAIK other firewalls can handle FTP traffic, why not pfSense? I don't get FTP running, because I don't want to open high ports. Or is it normal that I have to do that? Or is it better to use FTP in active mode instead? I find different opinions about using FTP in active or passive mode when the FTP server is on the Internet. So what is a good setup to run an FTP server on the Internet, and what is a good firewall ruleset for it?
tia
stefan -
Please search the forum. Nearly every question concerning FTP has already been answered. pfSense has an FTP proxy that will dynamically open and close ports for FTP when needed and replace the private IP with the correct public one IF configured correctly.
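As an added illustration (not code from the thread, proftpd or pfSense) of why a fixed 20-21 rule is not enough and what the FTP proxy mentioned above has to do: the data port is announced inside the control channel (the server's 227 reply in passive mode, the client's PORT command in active mode), so a firewall can only permit it by parsing that exchange or by pinning the range with PassivePorts as suggested earlier in the thread. The rule tables, addresses and function names below are constructed.

```python
import re

# Constructed rule tables mirroring the thread (not a pfSense export): the
# OP's control-port-only rule, and that rule plus the suggested PassivePorts range.
RULES_CONTROL_ONLY = [(20, 21)]
RULES_WITH_PASSIVE = [(21, 21), (63000, 63010)]

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)

def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv(reply):
    """Server's 227 reply: the address/port the client must connect to."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode(m.groups())

def parse_port(cmd):
    """Client's PORT command: the address/port the server will connect to."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode(m.groups())

def inbound_allowed(port, rules):
    return any(lo <= port <= hi for lo, hi in rules)

def data_channel_verdict(line, inbound_rules):
    """Classify one control-channel line and say whether the announced data connection passes the server-side inbound rules."""
    if line.upper().startswith("PORT "):
        ip, port = parse_port(line)
        # Active mode: the server connects out (from port 20) to ip:port, so "DMZ to any" covers it.
        return {"mode": "active", "peer": ip, "port": port, "inbound_allowed": None}
    ip, port = parse_pasv(line)
    # Passive mode: the client connects to the server's high port; the inbound rules must allow it.
    return {"mode": "passive", "peer": ip, "port": port,
            "inbound_allowed": inbound_allowed(port, inbound_rules)}

if __name__ == "__main__":
    # Constructed control-channel lines using documentation addresses.
    for line in ("227 Entering Passive Mode (203,0,113,10,160,7).",   # random high port 40967
                 "227 Entering Passive Mode (203,0,113,10,246,25).",  # PassivePorts range: 63001
                 "PORT 198,51,100,7,4,1"):                            # active mode, client port 1025
        print(line, "->", data_channel_verdict(line, RULES_WITH_PASSIVE))
```

Run against RULES_CONTROL_ONLY the passive verdicts are both blocked, which is exactly the "connection goes to high ports which are blocked" symptom from the first post.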