Help with a firewall rule



  • Hello all,

    I'm new to PfSense and having a little trouble figuring out exactly what I'm doing.

    My company needs to be able to access a specific IP address for FTP downloads of data.

    Here's what they provided me for what my rule should look like:

    Source IP Address = (Company IP)
    Destination IP = 203.242.169.32 (This is the FTPS server IP)
    Service Port:  TCP 10021 TCP 10001
    Allow

    I've set up a rule:

    Action - Pass
    Interface - LAN
    Protocol - TCP
    Source - Type = LAN net
    Destination - Single Host or Alias: 203.242.169.32
    Destination port range - From ANY to ANY

    Still nogo….I feel like I'm missing something obvious.  Or backwards.

    Help?? :)


  • LAYER 8 Netgate

    Where is the FTP server in relation to pfSense?

    Where are the clients connecting to the FTP server in relation to pfSense?

    Does the FTP server support passive mode?

    There is nothing that has to be done to access a remote FTP server that supports passive mode (other than insuring the client is using passive mode) given the starting point of a default configuration that passes everything from LAN hosts.



  • Thank you for your response.

    The FTP server is in another country that is completely independent of my company or our network.

    The clients that need to connect to the FTP server are here in my office, it's probably only one or two machines.  They are local and in the same network as PfSense.

    I don't know the answer about their server supporting passive mode.  But, given the fact that they're having to send us instructions, as well as firewall settings to access their FTP, I'm assuming it doesn't.


  • LAYER 8 Global Moderator

    What is your lan rules currently?  Default is any any and there would be no need to add that rule.  The place of your rule in the order makes a difference.

    Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

    With FTP you can run into a problem for the data channel.  Can you get logged into the ftp server, and can not just get data to show up?

    FTP is going to be either passive or active… Here is great link that explains it better than I could in a forum post. http://slacksite.com/other/ftp.html

    So if passive should not be a problem since your client would make the connection outbound.  And any any rule for destination should allow client to connect to whatever passive port the server sends back.

    If active you have a problem because the server makes the data connection to the client.  From source port 20 to some random high port...  There would be no firewall rule to allow for this..  You could add the ftp package to do this for you when it sees the info in the control session.  But if your using ftps then the control channel is encrypted and pfsense can not see the ports to be used and can not open the ports for you... So you would have to open the ports..  The question is what ports are those ;)  Going to be random high, etc.

    This is just one of the reason ftp should just be killed off with FIRE... Tell the copy to run a SFTP (ssh) server - this is way more secure, and only 1 port is required - no active passive data channel that is just PITA through nat - especially when there is nat at both sides which is quite often the case.

    If they don't want to do SFTP - then use https to put/get your data on their server, etc.. That company would say connect to our ftp server in this day an age just points to lazy, stupid company ;)  That you should prob not even be doing business with... They sure and the F don't know the first thing about tech ;) hehehe


  • Galactic Empire

    Can you access this from the Internet ?

    Has the other company got to add your internet facing IP address to their firewall ?



  • => Firewall > Aliase > IP> Bulk Import:
                  Name= allowedFtp
                  Aliases to Import = 10.11.11.253/32                      <= Let just say: 10.11.11.0 your lan range
    => Firewall > Aliase > Ports > Bulk Import:
                  Name = ftpPort
                  Aliases to Import = 10021
                                                  10001
    => Firewall > Rule > Lan:
    action = pass
    interface = lan
    tcp/ip = ipv4
    protocol = tcp/udp                                                              <= i know it, tcp, but still can change back anytime, right?
    source = Aliases:allowedFtp
    destination = 203.242.169.32
    port = other:ftpPort
    check = Log packets that are handled by this rule

    Set your laptop inside allowedFtp group, in this case, 10.11.11.253
    Then try to access ftp server

    if can not access, make sure to check
        1 - a block rule above them
        2 - your lan can talk to dns [lan-address:53]
    if this above 2 is not your problem then try goto:
    => Status> System logs> Firewall:
    set filter: check=block && source=10.11.11.253
    try to access the ftp while you are watching the log

    Hope this help your problem ^^


  • LAYER 8 Global Moderator

    ^ Zero understanding of how ftp works..  Where is the data channel going to be allowed?  Is the user active or passive?  All you did is draw a complicated ASCII mess to put his dest ports in an alias..  And create an alias to put in his machine..

    You are suggesting he make a specific rule for source and dest.. When he says it doesn't work with any any..  That is not going to help his problem.

    For what possible reason should he make the rule tcp/udp??



  • @johnpoz:

    For what possible reason should he make the rule tcp/udp??

    What on earth if he can not even reach there? Just make sure he can go there first. After the log will help him, which port is blocked, he just add to ftpPort!


  • LAYER 8 Global Moderator

    I completely agree – he stated he has a ANY ANY rule...  You creating complicated rules with source and destination using aliases utter pointless when there is a any any rule in play.


Log in to reply