FTP rules with public IPs: no connection on port 20-21



  • Hello all,

    I have a subnet with official IPs and don't get FTP connections running.
    I have no NAT for that net and did an incoming rule from any to DMZ-subnet 20-21.
    When a client connects I see that port 21, 113 is used but then the connection goes to high ports which are blocked. On the DMZ side all is allowed to go out: from DMZ to any any.
    So I don't understand what is going wrong with it, cause I mean opening the ports 20-21 to the subnet should be enough to get a running connection. Btw. I'm using proftpd.

    Can someone help?

    tia
    stefan



  • ftp happens on more than port 21. Check your server for what port range it uses additionally to port 21. Allow these (high) ports too.



  • Add this directive to your proftpd.conf within the global section

    PassivePorts            63000 63010

    and then forward those ports.



  • ftp happens on more than port 21. Check your server for what port range it uses additionally to port 21. Allow these (high) ports too.

    in my proftpd.conf is only port 21 defined!

    Add this directive to your proftpd.conf within the global section

    PassivePorts            63000 63010

    and then forward those ports.

    okay I tried this, and it doesn't work. I never heard that I have to forward high ports for ftp connections.
    With other firewalls I did not have this problem and it was never necessary to open high ports for it.
    I also enabled the "FTP RFC 959 data port violation workaround" in advanced.

    you can test @ 212.144.24.130 maybe you can better see what is going on.

    tia
    stefan



  • Maybe this helps to understand how ftp works: http://en.wikipedia.org/wiki/File_Transfer_Protocol



  • This is a good site that may help too.
    http://slacksite.com/other/ftp.html



  • thanks for the good links! But that is not new to me. I think that it is enough to use port 20 + 21 with my proftpd, or not? Can someone give me an example pfSense config for it? The easiest way is to do port forwarding, or not? But I can not port forward a net, only separate IPs.

    And I gave you a wrong IP please go to 212.144.241.130 for test

    tia
    stefan



  • i can't make an ftp connection with you
    and if there is only port 21 configured in proftpd then it can use all the high ports for the ftp data connection



  • afaik other firewalls can handle ftp traffic, why pfSense not? I don't get the ftp running, cause I don't want to open high ports. Or is it normal that I have to do that? Or is it better to use ftp in active mode instead? I find different opinions about using ftp in active or passive mode when the ftp is on the Internet. So what is a good setup to run an ftp server on the Internet and what is a good firewall ruleset for it?

    tia
    stefan



  • Please search the forum. Nearly any question concerning ftp has already been answered. pfSense has an ftp proxy that will dynamically open and close ports for ftp when needed and replace the private IP with the correct public one IF configured correctly.
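The two points the thread keeps circling (a fixed PassivePorts range that the firewall must allow, and an FTP proxy that has to rewrite the address in the server's reply) can be seen directly on the control channel. The script below is an added example, not code from the thread, pfSense or ProFTPD: it parses the 227 (PASV) and 229 (EPSV) replies a server sends on port 21, extracts the data port the client will connect to next, and reports whether that port is inside the 63000-63010 range from the PassivePorts post and whether the advertised address is the server's public IP. The IP addresses and reply lines are constructed sample data; `check_passive_reply` and `parse_passive_reply` are names chosen here.

```python
"""Check FTP passive-mode replies against a configured PassivePorts range.

Added example (not from the forum thread or pfSense/ProFTPD). The IP
addresses and reply lines below are constructed sample data.
"""
import re

# Range from the PassivePorts directive quoted in the thread: 63000-63010.
PASSIVE_PORTS = (63000, 63010)

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (advertised_ip, port) from a 227/229 reply; ip is None for EPSV.

    Returns None when the line is not a passive-mode reply at all.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def check_passive_reply(line, public_ip, passive_ports=PASSIVE_PORTS):
    """Explain why a firewall that only opens 20-21 would block this data connection.

    Returns a dict with the parsed values and a list of problems (empty = OK).
    """
    parsed = parse_passive_reply(line)
    if parsed is None:
        return {"problems": ["not a 227/229 passive-mode reply"]}
    ip, port = parsed
    lo, hi = passive_ports
    problems = []
    if not lo <= port <= hi:
        problems.append(
            f"data port {port} is outside PassivePorts {lo}-{hi}; "
            "without a fixed range the server may pick any high port"
        )
    if ip is not None and ip != public_ip:
        problems.append(
            f"advertised address {ip} is not the public IP {public_ip}; "
            "an Internet client will connect to the wrong host unless a "
            "NAT/FTP proxy rewrites the reply"
        )
    return {"ip": ip, "port": port, "problems": problems}


# Constructed sample replies (addresses from the documentation ranges).
SAMPLE_PUBLIC_IP = "203.0.113.10"
SAMPLE_REPLIES = [
    # PassivePorts set: 63000 = 246*256 + 24, public address advertised.
    "227 Entering Passive Mode (203,0,113,10,246,24).",
    # No PassivePorts: an arbitrary high port, here 40001 = 156*256 + 65.
    "227 Entering Passive Mode (203,0,113,10,156,65).",
    # Server behind NAT advertising its private address.
    "227 Entering Passive Mode (10,0,0,5,246,25).",
    # Extended passive mode only carries the port.
    "229 Entering Extended Passive Mode (|||63005|).",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        result = check_passive_reply(reply, SAMPLE_PUBLIC_IP)
        status = "OK" if not result["problems"] else "BLOCKED/BROKEN"
        print(f"{status:14} {reply}")
        for p in result["problems"]:
            print(f"    - {p}")
```

Run it as-is to see the four cases: the first and last replies would pass through a rule that allows 63000-63010 to the server, the second shows what happens when PassivePorts is not set (the port is whatever the server chose, so no fixed rule can cover it), and the third shows the private-address case that only the ftp proxy mentioned above can repair. Feeding it real 227 lines from a packet capture of the control channel is the quickest way to confirm which of the two problems a given setup has.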

