Passive FTP does not pass through ?

ondokuz

allowed ports : 20, 21, 80, 443, mail ports
deny: all ports

ftp://x.x.x.x

not connecting….

test1:
Jan 17 15:59:01  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49673  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59987  TCP:S
Jan 17 15:59:02  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49673  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59987  TCP:S
Jan 17 15:59:04  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49673  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59987  TCP:S

test2:
Jan 17 15:59:44  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49682  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:49485  TCP:S
Jan 17 15:59:45  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49682  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:49485  TCP:S

test3:
Jan 17 16:00:20  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49694  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:64034  TCP:S
Jan 17 16:00:21  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49694  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:64034  TCP:S
Jan 17 16:00:23  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49694  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:64034  TCP:S

test4:
Jan 17 16:01:31  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49701  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59199  TCP:S
Jan 17 16:01:32  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49701  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59199  TCP:S
Jan 17 16:01:34  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49701  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:59199  TCP:S

test5:
Jan 17 16:02:05  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49704  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:7689  TCP:S
Jan 17 16:02:06  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49704  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:7689  TCP:S

test6:
Jan 17 16:04:02  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49718  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:37155  TCP:S
Jan 17 16:04:03  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49718  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:37155  TCP:S
Jan 17 16:04:05  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49718  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:37155  TCP:S

test7:
Jan 17 16:05:08  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49721  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:12484  TCP:S
Jan 17 16:05:09  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49721  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:12484  TCP:S
Jan 17 16:05:12  LAN0  Icon Reverse Resolve with DNS  Icon Easy Rule: Add to Block List 172.16.100.100:49721  Icon Reverse Resolve with DNS  Icon Easy Rule: Pass this traffic 130.246.19.134:12484  TCP:S

cmb

Passive FTP requires having ports open for the data connection as well, just allowing 21 isn't enough. There is no reason to allow 20 there.

ondokuz

I open other ports? in terms of security? ( torrent vb)  specific passive ftp ports? :(

thank you.

cmb

Yes you'll need ports open for the data connection. Problem is passive FTP ports are server-defined, and could be any of a wide range (1024 through 65535). So where you want to keep egress rules tight, you'll probably want to force FTP use through a proxy (like Squid) only.