FTP Helper allowing traffic to blocked network?
-
This may be a dumb question… If so I apologize.
I have a network print server device that I believe may have been compromised. It had a constant outgoing connection on port 21 to an IP address on the Asian Pacific network.
The first thing I did was set up rules in pfSense (both LAN and WAN side) to block all traffic to and from that particular IP range. However, a few minutes later I noticed in my packet capture that the print server was still communicating with this IP, even though I thought I had that IP blocked.
After a little investigation, I finally determined that the only way I could prevent devices on my network from establishing an FTP connection with this IP, was to turn off the FTP helper.
Now, while I don't claim to fully understand the FTP helper, I assume I will at some point need it. So my question would be: what can I do to completely block an IP range on every port (including 21) without disabling the FTP Helper?
Thanks in advance!
-
If you have a VLAN switch you could give it its own net.
Else maybe a reject rule from printer to
2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.