Port 21 allowed for what seems like no reason

  • Without getting into too much detail, and admitting that after short searches of this forum I got too many irrelevant results and immediately went to posting a new topic, I would like to ask a question.

    I am running pfSense 1.0.1, and it has three interfaces: WAN, LAN, and one that I have my wireless access point connected to.

    It all works awesome… until I decided to open some ports from the wireless interface to the LAN interface. I allowed packets from the wireless subnet to the LAN subnet on ports 22, 139, and 445, all TCP. However, when I scan a host on the LAN subnet with nmap (TCP scan; nothing else gets through) I see port 21 also open. The box happens to be listening on port 21 (it is running an FTP server).

    My understanding is that unless things are explicitly allowed, they are not passed.
    My rules look like:
    wireless anything to !LAN, pass (so packets on that net can get to the internet but not the LAN)
    wireless anything to LAN TCP 22, pass
    wireless anything to LAN TCP 139, pass
    wireless anything to LAN TCP 445, pass

    So why would port 21 ever even enter into any of this? It shouldn't remotely matter that the LAN box in question is listening on TCP 21. Unless I allow it, why would it work? Bug? PLBKAC?

    Thx all

  • Caused by the FTP proxy redirect.  Do the test from a different host that is not behind a pfSense firewall (if you are testing pfSense's exterior WAN).

    This has been discussed at length on the public lists.
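How the FTP helper produces that result, shown as an added illustration of pf's translation-before-filter behaviour. This is not the rule set pfSense 1.0.1 generates (I have not reproduced it here); the interface macro `$wifi`, the proxy listening on ftp-proxy(8)'s default 127.0.0.1:8021, and the exact form of the pass rule are assumptions.

```pf
# Added illustration, not pfSense-generated config. Assumes the wireless
# interface is $wifi and that ftp-proxy(8) listens on its default
# 127.0.0.1:8021.

# Translation (rdr) rules are evaluated before filter rules. Any TCP
# connection arriving on $wifi for port 21, to ANY destination, is rewritten
# so that its new destination is the proxy on the firewall itself.
rdr on $wifi proto tcp from $wifi:network to any port 21 -> 127.0.0.1 port 8021

# The filter then sees a packet addressed to 127.0.0.1:8021, not to the LAN
# host. The user's "to !lan" and "to lan port {22 139 445}" rules never match
# it; a rule like this one (which the proxy needs to work at all) passes it,
# so the firewall completes the TCP handshake and nmap reports 21/tcp open
# even though nothing permits wireless -> LAN port 21. Only the proxy's own
# outbound connection, made from the firewall, ever reaches the FTP server.
pass in quick on $wifi inet proto tcp from $wifi:network to 127.0.0.1 port 8021 keep state
```

To confirm that this is what the scan is hitting, `pfctl -sn` on the firewall lists the loaded rdr rules, and `pfctl -ss` during the scan shows the state being created toward 127.0.0.1:8021 rather than toward the LAN host. Scanning from a host outside the firewall, as suggested above, or turning off the userland FTP proxy for the wireless interface, removes the redirect and port 21 then reads as filtered.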
