Netgate Discussion Forum

    Beginner with PfSense - Port 21 - FTP

    • mauric

      Hello Dear Members

      I am trying to add to my FW rules the possibility of connecting to FTP sites, but I don't see my mistake. I have now tried more than one possibility, but without success.

      -LAN-
      ipv4 tcp - LAN Net - * - * - 20,21 * None - Allow FTP Traffic requests

      I need to connect, for example, to the following links, and a lot more like these:

      • ftp://repos-jnb.psychz.net/
      • ftp://centos.mirror.cdnetworks.com/centos/
      • ftp://ftp.kaist.ac.kr/CentOS/
      • ftp://ftp.netbsd.org

      Or is there any possibility to see on which port this link will connect?

      Thanks for any help
      Regards
      Mauri

      –
      2.3.4-RELEASE-p1 (amd64) - PC Engines APU2 - 18 Hours 20 Minutes 23 Seconds

      • mauric

        I see that in the meantime many people have asked this question, so I have tried to add NAT port forwarding, but my trouble is that I need to define "Redirect target IP"???

        But I need this to be dynamic! Every internal LAN machine needs to connect to WAN public FTP servers.

        Please, any help
        Regards
        Mauri

        • johnpoz LAYER 8 Global Moderator

          "every internal LAN machine need to connect to WAN public FTP Servers."

          This works out of the box with passive, unless you are blocking ports outbound. Your rule to allow 20 is pointless since clients would never connect to port 20 of some server on the public internet. Port 20 in FTP is only ever used as the source port in an active connection, where the server will connect to the port the client sends, from port 20.

          If you're going to block outbound ports and only allow standard ports out like 21, then you would need to do active connections and install the ftp package. This allows the firewall to open up the data port connection from the server into the client.

          So as I see it you have a few options. Allow all ports outbound and use passive, since the client will be allowed to talk outbound to the server on whatever data port the server sends.

          If you're going to limit outbound ports, your only option is to use active with the ftp package.

          You do know at least some of those are available via http?

          http://ftp.netbsd.org/
          http://ftp.kaist.ac.kr/CentOS/

          Are you just wanting to download from them? One was not using http, my work proxy blocked it as a possible hacking site ;)

          Trying to troubleshoot and allow for ftp through nat requires understanding of active vs passive.  What the server supports and what the client is trying to do.

          Here is a great write-up on the difference between active and passive and which direction the data connection is made.
          http://slacksite.com/other/ftp.html

          Did you read https://doc.pfsense.org/index.php/FTP_without_a_Proxy ?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11
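
The active/passive distinction described in the answer above can be read straight off the FTP control channel, which also shows which port a given transfer will use. The following is an added example, not part of the original posts: it parses constructed control-channel lines and reports who opens the data connection and to which port. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Control-channel patterns (RFC 959 PASV/PORT, RFC 2428 EPSV/EPRT).
PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
EPRT = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|", re.I)


def data_channel(line):
    """Return (mode, initiator, dst_ip, dst_port) for a control-channel line,
    or None if the line does not negotiate a data connection."""
    line = line.strip()
    if m := PASV.match(line):  # server reply: client connects out to server
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return ("passive", "client", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    if m := EPSV.match(line):  # None: same address as the control connection
        return ("passive", "client", None, int(m.group(1)))
    if m := PORT.match(line):  # client command: server connects in to client
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return ("active", "server", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    if m := EPRT.match(line):
        return ("active", "server", m.group(1), int(m.group(2)))
    return None


def firewall_note(result):
    """Describe what the firewall has to permit for this data connection."""
    mode, _initiator, ip, port = result
    if mode == "passive":
        return f"client opens data connection: allow outbound tcp/{port} to server"
    note = f"server opens data connection from source port 20 to {ip} tcp/{port}"
    if ipaddress.ip_address(ip).is_private:
        note += " (private address: needs a NAT helper on the firewall)"
    return note


# Constructed sample lines, not captured from the servers named in the thread.
SAMPLE = [
    "220 Welcome",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
    "229 Entering Extended Passive Mode (|||50001|)",
    "PORT 192,168,1,50,19,137",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        if (result := data_channel(entry)) is not None:
            print(f"{entry!r}: {firewall_note(result)}")
```
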
