Passive FTP /\ Dynamic Ports /\ Firewall Rules



  • Hello All,

    I have created one port forward rule (FTP -> FTP) plus a port forward rule to allow the dynamic port range (from the dynamic range to the internal FTP server). This setup works for my passive FTP server. I wonder if this is the correct setup, or if this is supposed to work by creating just one port forward rule with NAT reflection turned on?
    Still, no traffic from the dynamic ports from the source to the internal FTP server is possible, so there are a lot of items in syslog. But FTP seems to work.

    using release 2.1


  • Rebel Alliance Global Moderator

    Active or passive depends on what the client wants to do. It's possible they are active and not passive.

    The ftp helper should automatically allow the passive ports that are needed, if they are needed; there should be no reason to create rules for the passive ports your ftp server would use if asked for a passive connection.  Did you configure the ftp server to use a specific range of those ports?



  • @johnpoz:

    Active or passive depends on what the client wants to do. It's possible they are active and not passive.

    The ftp helper should automatically allow the passive ports that are needed, if they are needed; there should be no reason to create rules for the passive ports your ftp server would use if asked for a passive connection.  Did you configure the ftp server to use a specific range of those ports?

    First of all thanks for the reply. Spent already a lot of hours trying to get this going.

    I have reinstalled pfSense and recreated the FTP site within IIS Manager (Windows 2008). The dynamic ports are set to the standard (0-0, which gives a passive port range of 49152 - 65535). The client is set to use passive mode. The FTP server gives back the external IP address to pfSense.

    I'll try to adjust the passive ports of Windows 2008 to reflect the pre-Win2008 standards (1025-5000). I see connections being blocked coming from :2229 to 21 -> this also happens when the FTP server is turned off. So maybe the ftp helper provides the client with the data ports (??)

    Update: changed the passive ports to 1025 <> 7025. Cannot connect. Only 2 entries in the log, both stemming from external IP port 2250 to WAN address 21.


  • Rebel Alliance Global Moderator

    "I see connections being blocked coming from :2229 to 21"

    Blocked where? 21 is the control port - and if being blocked by pfsense you don't have your forward setup correctly.

    Or are you seeing that on the ftp server - windows has a firewall, you sure you allowed the traffic on windows firewall?

    Also are you trying this from OUTSIDE your network, or are you trying to use nat reflection to access your internal ftp server with its external IP?

    You should not need your ftp server to return its public IP - the ftp helper in pfSense would change, say, a PASV reply that lists 192.168.1.100 as the ftp server IP to whatever your pfSense public IP is.



  • @johnpoz:

    "I see connections being blocked coming from :2229 to 21"

    Blocked where? 21 is the control port - and if being blocked by pfsense you don't have your forward setup correctly.

    Or are you seeing that on the ftp server - windows has a firewall, you sure you allowed the traffic on windows firewall?

    Also are you trying this from OUTSIDE your network, or are you trying to use nat reflection to access your internal ftp server with its external IP?

    You should not need your ftp server to return its public IP - the ftp helper in pfSense would change, say, a PASV reply that lists 192.168.1.100 as the ftp server IP to whatever your pfSense public IP is.

    I'm trying from two locations, using my smartphone (not via wifi) and via http://www.g6ftpserver.com/en/ftptest.

    Port forward is set up:

    Source: depending on mobile or website /\ IP address (single host or alias), source port range = FTP (from/to), destination is WAN address, destination port range = FTP (from/to), redirect target IP is the internal address, redirect target port = 21.  NAT reflection is system default (disabled), filter rule association is "add associated filter rule".

    The windows firewall is turned off.

    The difference between a test from the above-mentioned website and my mobile is the port range that tries to connect to 21. In the case of the phone it is around 2200; when using the website it falls in the Windows 2008 default range.

    The automatically created rule is a bit awkward though -> external IP (21) destination = internal IP (21).


  • Rebel Alliance Global Moderator

    The source port is going to be RANDOM depending on the client and how many sessions they have had open, etc. etc.  This is NOT the same as the port used in the passive or active data connection.

    All connections have a source port – so I come from my publicIP:randomport>1024 to your publicIP:21

    That is the control port.  Now depending on active or passive, either your ftp server will connect to my public IP from port 20 to some port I tell it to connect to

    example

    ftpserver:20 ---> clientpublicIP:randomabove1024

    Or passive

    ftpclient:randomabove1024 ---> ftpserver:randomabove1024orwhateverrandftpsettoforpassive

    The blocks you are seeing in your firewall to 21 have NOTHING to do with the data connection; they would be the control channel connection, which again is going to be some random port the client picks to your port 21. You could never have any sort of control over what port the source is going to be from the client.

    edit
    To set up ftp should take all of about 30 seconds.
    See attached - my NAT and firewall rules - and then test from the website you gave that you're testing from.
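    The control/data port behaviour described in this post, worked through as an added example (this is not code from the thread or from pfSense; the public address 203.0.113.5, the private server address 192.168.1.100 and the client addresses are constructed sample values). It parses a PASV reply and a PORT command, rewrites the private address in a PASV reply the way an FTP helper/proxy does, shows which side opens the data channel in active and passive mode, and shows why a NAT rule that restricts the *source* port to 21 never matches a client whose control connection comes from a random source port.

```python
import re
import socket

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server, port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" from the client in active mode, same encoding
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(fields):
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv(reply):
    """Return (ip, port) the server asks the client to connect to."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _decode(m.groups())


def parse_port(cmd):
    """Return (ip, port) the client asks the server to connect back to (active mode)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def rewrite_pasv(reply, public_ip):
    """Do what an FTP helper/proxy on the firewall does: replace the private
    address the server advertises in its PASV reply with the firewall's public
    address, keeping the advertised data port unchanged."""
    _private_ip, port = parse_pasv(reply)
    return f"227 Entering Passive Mode ({_encode(public_ip, port)})", (public_ip, port)


def data_connection(mode, client_ip, client_data_port, server_ip, server_data_port):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) for the data channel.
    Active: server:20 -> client:port-from-PORT.  Passive: client:random -> server:port-from-PASV."""
    if mode == "active":
        return (server_ip, 20), (client_ip, client_data_port)
    if mode == "passive":
        return (client_ip, client_data_port), (server_ip, server_data_port)
    raise ValueError("mode must be 'active' or 'passive'")


def rule_matches(rule, conn):
    """Minimal model of a port-forward rule: src_port None means 'any' (the correct
    setting); a fixed src_port only matches if the client happened to pick it."""
    (_src_ip, src_port), (_dst_ip, dst_port) = conn
    return rule["src_port"] in (None, src_port) and rule["dst_port"] == dst_port


def ephemeral_source_port():
    """Let the OS pick a source port, as a client does: it is from the ephemeral range, never 21."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,100,195,80)"
    print(parse_pasv(reply))                      # ('192.168.1.100', 50000)
    print(rewrite_pasv(reply, "203.0.113.5")[0])  # address rewritten, port kept
    control = (("198.51.100.7", 2229), ("203.0.113.5", 21))
    print(rule_matches({"src_port": 21, "dst_port": 21}, control))    # False
    print(rule_matches({"src_port": None, "dst_port": 21}, control))  # True
    print(ephemeral_source_port())
```

    The control connection in the sample is the one the poster saw blocked (:2229 -> 21): the only rule that matches it is the one with source port "any"; the passive data port (50000 here) only ever shows up inside the 227 reply, which is what the helper reads and rewrites.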



  • @johnpoz:

    The source port is going to be RANDOM depending on the client and how many sessions they have had open, etc. etc.  This is NOT the same as the port used in the passive or active data connection.

    All connections have a source port – so I come from my publicIP:randomport>1024 to your publicIP:21

    That is the control port.  Now depending on active or passive, either your ftp server will connect to my public IP from port 20 to some port I tell it to connect to

    example

    ftpserver:20 ---> clientpublicIP:randomabove1024

    Or passive

    ftpclient:randomabove1024 ---> ftpserver:randomabove1024orwhateverrandftpsettoforpassive

    The blocks you are seeing in your firewall to 21 have NOTHING to do with the data connection; they would be the control channel connection, which again is going to be some random port the client picks to your port 21. You could never have any sort of control over what port the source is going to be from the client.

    Hmz… ok, I see now. Thinking error. I thought the process went like this: client:21 -> ftp server:21 -> sends back data channel ports -> open connection on those ports.

    Thanks for helping me out! Appreciate it!


  • Rebel Alliance Global Moderator

    There is really only a handful of protocols that use a specific source port.  Off the top of my head, NTP comes to mind; quite often this can be clientIP:123 --> serverIP:123. You sometimes see zone transfers in DNS set up so the source port is also 53, but I don't think that is default or standard.

    Really the only one off the top of my head where you see sameport --> sameport is NTP, while normally with the ntpdate command you will have the client be a random port to 123.

    In an FTP active connection, yes, the server will come from a source port of 20, but the client will tell it what port to connect to - normally something random above 1024, since users should not have the rights on the client box to listen on ports below 1024, since those are privileged ports.

    So you're working now?



  • @johnpoz:

    There is really only a handful of protocols that use a specific source port.  Off the top of my head, NTP comes to mind; quite often this can be clientIP:123 --> serverIP:123. You sometimes see zone transfers in DNS set up so the source port is also 53, but I don't think that is default or standard.

    Really the only one off the top of my head where you see sameport --> sameport is NTP, while normally with the ntpdate command you will have the client be a random port to 123.

    In an FTP active connection, yes, the server will come from a source port of 20, but the client will tell it what port to connect to - normally something random above 1024, since users should not have the rights on the client box to listen on ports below 1024, since those are privileged ports.

    So you're working now?

    Yes!