Port 21 allowed out, but nothing will connect going out



  • I have some rules and all of the other rules work, except my port 21 rule.

    I have a block-all rule, and above that are all of my other rules: DNS, HTTP, HTTPS and so on. I added the port 21 (FTP) rule, but nothing on port 21 will connect, from sites in a browser (ftp://) to using an FTP client and connecting to FTPs with either active or passive mode on.

    I do not host an internal FTP either, so I have no NAT rules that could conflict with the rule…

    Any thoughts? Did I miss something? All of my other rules work just fine; it is only port 21 (FTP) that won't allow anything through.



  • I do have the userland proxy turned off already as well.



  • You want the FTP proxy on generally.



  • I have turned it back on (unchecked "disable userland proxy"…), but I still cannot connect outgoing on port 21 :(



  • When you say "cannot connect", do you mean:

    1. Timeout when you try to access an anonymous FTP?
    2. Timeout when you try to access a password-protected FTP?

    The FTP protocol is based on 2 channels: COMMAND (TCP/21) and DATA (TCP/20 in active mode; TCP/ephemeral in passive mode). The worst thing is that, depending on the mode you use, the DATA channel can be an inbound connection (active mode) or an outbound connection (passive mode). See http://en.wikipedia.org/wiki/FTP for further explanation.

    So it means that if you have configured restrictive outbound rules (only HTTP, HTTPS, DNS and FTP (TCP/21), for example), the COMMAND channel will open normally but the DATA channel will not. And the directory listing is done via the DATA channel, not the COMMAND channel.

    What you can do is:

    • Create a rule allowing your LAN to anywhere on any port.
    • Test an FTP in passive mode.

    Last but not least, FTP is the worst protocol to use with NAT between the client and the server because of these 2 modes.

    Hope this helps.
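As an added illustration (not code from any poster in this thread) of why an outbound rule for TCP/21 alone leaves passive FTP half-working: the script parses a constructed `227 Entering Passive Mode` reply to find the ephemeral DATA port and checks it against a constructed set of allowed outbound ports, mirroring the rule sets discussed above.

```python
import re

# Constructed sample of a server's passive-mode reply (not a real capture).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."

# Constructed outbound rule sets: the destination TCP ports a firewall allows.
RESTRICTIVE_RULES = {53, 80, 443, 21}   # DNS, HTTP, HTTPS, FTP command channel
ALLOW_ALL_RULES = None                  # None stands for "LAN to any, any port"

# RFC 959 format: 227 ... (h1,h2,h3,h4,p1,p2) where port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def outbound_allowed(port, allowed_ports):
    """True if an outbound connection to `port` passes the rule set."""
    return allowed_ports is None or port in allowed_ports


def data_channel_passes(mode, pasv_reply, allowed_ports):
    """Decide whether the FTP DATA channel would get through a firewall
    whose *outbound* rules are `allowed_ports`.

    active : server connects back to the client from TCP/20, an INBOUND
             connection that no outbound rule covers (needs the proxy/helper).
    passive: client connects OUT to the ephemeral port from the 227 reply,
             so it passes only if that port is allowed outbound.
    """
    if mode == "active":
        return False
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        return False
    _ip, data_port = parsed
    return outbound_allowed(data_port, allowed_ports)


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV_REPLY))  # ('192.0.2.10', 50000)
    for rules in (RESTRICTIVE_RULES, ALLOW_ALL_RULES):
        print(rules, "->", data_channel_passes("passive", SAMPLE_PASV_REPLY, rules))
```

The command channel (TCP/21) succeeds under both rule sets; only the allow-all set lets the passive DATA connection to port 50000 through, which is exactly the "login works, listing times out" symptom.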



  • A timeout on both.

    I tried our personal FTP with a password, then other sites like ftp://areaca and even from Asus.

    I opened ports 20 and 21 just to be sure, but that still didn't work :(

    I turned passive mode on and off; still a no-go.

    Could this thread be part of http://forum.pfsense.org/index.php/topic,2450.0.html ?

    I will try the allow-all rule: enable it again, disable the block-all, and let you know!



  • Turning on the allow-all rule again works and lets me connect to any FTP server…

    I set the rule as TCP/UDP with a port range of 20 to 21. Did I set something wrong?



  • @Mathiau:

    Turning on the allow-all rule again works and lets me connect to any FTP server…

    So if it works like this, I'm quite sure passive mode is being used.

    @Mathiau:

    I set the rule as TCP/UDP with a port range of 20 to 21. Did I set something wrong?

    Yes. Actually, port 20 is used only in active mode, for the DATA channel, which is an incoming connection…

    I don't know how pfSense manages FTP (I have not tested it so far), but it seems there is an FTP proxy. Perhaps you can take a look there...
