FTP in transparent bridge
-
The settings that I posted are not from my server, they are from the instructions I posted here. I haven't done anything with our FTP yet.
I would guess they are wrong for me then.
I do know the FTP helper things are off on both the lan and wan interfaces on our firewall.
I will add the standard port 21 rule and a pass for a range of ports.
How do you determine how many ports you need? I want minimal ports open in the firewall. I tried SFTP on port 22 but the available cheap/free SFTP server software either is not stable or crashes under our load. The FTP is used by 20-40 users concurrently at any time and serves 700+ website accounts on that server. FileZilla Server handles the load fine but does not do SFTP and I don't want a crazy amount of ports open for this. Any suggestions would be appreciated.
Thanks for the help.
Bob
-
How do you determine how many ports you need? I want minimal ports open in the firewall.
More open ports doesn't mean less secure.
Just only forward the ports the server will actually listen on.
It's as secure as your ftp-server is.
@http://en.wikipedia.org/wiki/File_Transfer_Protocol:
Multiple TCP/IP connections are used, one for the control connection, and one for each download, upload, or directory listing. Firewalls may need additional logic and/or configuration changes to account for these connections.
So if you have about 20-40 concurrent users I would open about 120 ports and restrict each user to 3 concurrent connections (in the ftp-configuration).
-
Thanks. I did that and it is working great. Now if someone can tell me how to get the webgui to work on the Wan side, I would be all set.
Thanks
Bob
-
Tried this in the webgui forum and got no response. Maybe someone here will know.
I have searched here and found 2 different rule setups to do this but neither works.
I have my WebGUI set for https on port 81. It worked fine before I changed to transparent bridge mode. I can access it fine from the lan side but I need to access it from the WAN side too.
I have the correct IP (the one that was set to the wan side when I set up the bridge), I am using https://thecorrectip:81 but it does not work.
What am I doing wrong here?
Thanks
Bob
-
What IP do you have on the WAN now?
Basically you can just create a firewall rule that allows access to the WAN-interface-IP on the GUI-port.
-
What IP do you have on the WAN now?
Basically you can just create a firewall rule that allows access to the WAN-interface-IP on the GUI-port.
I have the IP 66.153.204.254 on the wan and I have the webgui set for https on port 81. I am going to https://66.153.204.254:81 from the outside and it does not work. It works fine from the lan side.
I created a rule on the wan that allows access from any to port 81 but it does not work.
Any suggestions?
Thanks
Bob
-
And you also have the same "allow any to 66.153.204.254" rule on the LAN?
Could you show a screenshot of all rules on the WAN?
-
Here are screenshots of the rules
-
What do you have NAT rules for?
This is after all a bridged setup.
Also why do you have a rule to allow the "lan subnet to anywhere"? Do you have an IP on the LAN interface? You don't need an IP on the LAN interface -> It's part of the bridge.
Also the rules you have on the WAN are... strange.
You should set as destination only the server on which a service is running.
Right now you open up your network on these ports to EVERY server which is probably not what you want.
-
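An added illustration (not posted by anyone in this thread, and not pfSense's own generated rules) of the two points above: size the passive range from users times connections per user, and set the destination to the one server that listens instead of every host behind the bridge. It is written in pf rule syntax rather than the pfSense GUI; the interface name, the FTP server address, the macro names and the passive range 50000-50119 are constructed assumptions.

```pf
# Illustrative pf.conf fragment (added example, not from the thread or pfSense).
# Interface, server address, macro names and the passive range are constructed.
wan_if     = "em0"
wan_ip     = "66.153.204.254"   # WAN-interface IP quoted in the thread
ftp_srv    = "192.0.2.10"       # constructed: the host FileZilla Server runs on
# 40 concurrent users x 3 connections each = 120 passive ports.
pasv_range = "50000:50119"      # must match the passive range set in the FTP server

# Weak (what the screenshots amount to): every host behind the bridge is
# reachable on these ports from anywhere.
# pass in on $wan_if proto tcp from any to any port { 21, 50000:50119 }
# pass in on $wan_if proto tcp from any to any port 81

# Corrected: destination is the single server (or the firewall itself) that
# actually listens on the port.
pass in on $wan_if proto tcp from any to $ftp_srv port 21 keep state
pass in on $wan_if proto tcp from any to $ftp_srv port $pasv_range keep state
# WebGUI on the WAN-interface IP, https on port 81 as in the thread.
pass in on $wan_if proto tcp from any to $wan_ip port 81 keep state
```

The per-user limit of 3 concurrent connections belongs in the FTP server configuration, as the earlier post says; the firewall only needs to pass the control port and the passive range the server advertises.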
What do you have NAT rules for? - Whatever is there was created automatically from the instructions found in the PDF that tells how to change over to transparent bridge.
Also why do you have a rule to allow the "lan subnet to anywhere"? I believe it was created automatically when I followed the T.B changeover PDF.
Do you have an IP on the LAN interface? The instructions said to assign a different (than wan) IP to the lan side (I used 66.163.204.253) and then after the change it would just ignore the ip. So yes and then no.
Also the rules you have on the WAN are…. strange. Ok. they work for everything except the webgui to wan.
You should set as destination only the server on which a service is running. There are multiple servers all with various services running on them. For example the mail server has a webserver for webmail, an FTP server, and a DNS server along with the mail. There are 3 web servers all with FTP, one with DNS and MySQL, and one with GIS apps. There is a MSSQL DB server that has websites on it and FTP. Since each machine does a little of everything, I leave the rules open instead of pointing to a specific machine. There are various other machines sitting behind this box. I inherited it and can't change anything yet. Maybe someday they will let me clean it up.
So what do you think is causing the webgui problem?