FTP Access Problems



  • Hi everybody!

    I'm new to the forums, and first I'd like to ask you to have some patience with me, because I don't know if my question has been answered before; at least I didn't find the information that I need on the forum.

    I'm using pfSense 2.0 RC3 built on Tue Jun 21 16:50:25 EDT 2011

    I have the following scenario:
    4 interfaces (Internet 1 / Internet 2 / DMZ / LAN)
    I have an FTP server behind the pfSense on the LAN.

    To make the FTP server work I've created two NAT port forwarding rules, forwarding port 21 and the range 5500-5700 to my FTP server at IP 192.168.1.3.
    Then I disabled the pfftpproxy in the System Tunables options (value=1).

    The FTP server is working OK in passive mode without any kind of problem!

    Now my problem:

    My LAN clients don't have full access to the internet; actually my whole network can access only some selected services on the net (ports 21/20/80/443/53 and so on), so that they can use only the essential services for surfing and e-mail and nothing more.

    I have only 3 IP exceptions that have full access to all servers on the internet.

    Everything is working except FTP access. All 3 IP exceptions can access any FTP server without any kind of problem, but all the others can't open any FTP server in active or passive mode.

    I'd like to know what more I need to do to grant access to my clients, so that even the restricted clients can access FTP servers on the internet. I've tried to capture some packets to see what is happening, but I didn't have any success.

    I have a lot of experience with Linux firewalls, but pfSense/FreeBSD is very new to me and I don't know what the equivalent of the iptraf tool is that I can use with pfSense to monitor network traffic and solve this kind of problem.

    Thank you very much for your attention!!



  • @fneto:

    Hi everybody!

    […]

    My LAN clients don't have full access to the internet; actually my whole network can access only some selected services on the net (ports 21/20/80/443/53 and so on), so that they can use only the essential services for surfing and e-mail and nothing more.

    […]

    Did you grant outbound access to FTP servers on the high ports, as you did with the incoming FTP rule?  ::)



    I hadn't opened them, but after I posted the message I tried opening them, and now they are accessing FTP servers on the net. But I had to open ports from 1024 to 65535, and I don't like opening such a huge range of outgoing ports, because we'd like to control and block P2P access, Skype, torrents, etc…

    Do you have any other clue or tip to help me block these kinds of programs? I saw that pfSense now has Layer 7 support, but I didn't understand very well how the configuration works!!

    Thanks!
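
Why the reply above asks about the high ports, and why the follow-up ended up opening 1024-65535: in passive mode the server announces the data port inside its `227` reply on the control channel, and the client then opens a second outbound TCP connection to that port; in active mode the client announces its own listening port with `PORT` and the server connects back to it. A static firewall rule cannot know that port in advance, so without an FTP-aware helper (the pfftpproxy disabled in the first post) the outbound rule has to cover the whole ephemeral range. The script below is an added example, not code from the thread or from pfSense: it parses a constructed FTP control-channel exchange, decodes the `227`/`PORT` host-port tuples (port = p1*256 + p2), and checks each passive data connection against an allow-list of outbound port ranges such as the one described in the thread. The session text, addresses and the `RESTRICTED_OUTBOUND_PORTS` set are all assumptions made up for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample of an FTP control-channel exchange (not a real capture).
# PASV -> the server's 227 reply names the host/port the client must connect to.
# PORT -> the client names the host/port the server will connect back to from port 20.
SAMPLE_CONTROL_SESSION = """\
220 ftp.example.net FTP server ready
USER anonymous
331 Please specify the password.
PASS guest@
230 Login successful.
PASV
227 Entering Passive Mode (203,0,113,10,21,148).
LIST
150 Here comes the directory listing.
226 Directory send OK.
PORT 192,168,1,50,200,17
200 PORT command successful.
RETR file.txt
150 Opening BINARY mode data connection.
226 Transfer complete.
"""

# Outbound TCP destination port ranges the restricted LAN clients may reach.
# Assumed from the thread's "21/20/80/443/53 and so on"; (lo, hi) inclusive.
RESTRICTED_OUTBOUND_PORTS = {(20, 20), (21, 21), (53, 53), (80, 80), (443, 443)}

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  /  PORT h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields into ('a.b.c.d', port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    host = ip_address(f"{h1}.{h2}.{h3}.{h4}")  # raises ValueError on octets > 255
    port = p1 * 256 + p2
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid FTP data port {port}")
    return str(host), port


def extract_data_connections(session_text):
    """Return the data connections a session needs as
    (mode, direction, host, port) tuples, in the order they are negotiated."""
    conns = []
    for line in session_text.splitlines():
        m = PASV_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            conns.append(("passive", "client->server", host, port))
            continue
        m = PORT_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            conns.append(("active", "server->client", host, port))
    return conns


def port_allowed(port, ranges):
    """True if port falls inside any (lo, hi) range of the allow-list."""
    return any(lo <= port <= hi for lo, hi in ranges)


def check_outbound_policy(session_text, allowed_ranges):
    """For every passive-mode data connection (the only kind a restricted LAN
    client initiates outbound), report (server, port, allowed?)."""
    results = []
    for mode, _direction, host, port in extract_data_connections(session_text):
        if mode == "passive":
            results.append((host, port, port_allowed(port, allowed_ranges)))
    return results


if __name__ == "__main__":
    for conn in extract_data_connections(SAMPLE_CONTROL_SESSION):
        print("data connection:", conn)
    print("restricted policy:",
          check_outbound_policy(SAMPLE_CONTROL_SESSION, RESTRICTED_OUTBOUND_PORTS))
    widened = RESTRICTED_OUTBOUND_PORTS | {(1024, 65535)}
    print("after opening 1024-65535:",
          check_outbound_policy(SAMPLE_CONTROL_SESSION, widened))
```

Run against the sample, the passive data connection goes to 203.0.113.10:5524, which the restricted policy rejects and the widened 1024-65535 rule accepts; the active-mode `PORT` line (192.168.1.50:51217) would additionally require the server to reach a LAN client through NAT, which is why only passive mode is practical from behind the firewall. The same port arithmetic is what an FTP helper such as pfftpproxy performs on the control channel so that it can open just the one announced port instead of the whole range.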

