Passive FTP does not pass through?



  • allowed ports: 20, 21, 80, 443, mail ports
    deny: all ports

    ftp://x.x.x.x

    not connecting…

    test1:
    Jan 17 15:59:01  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S
    Jan 17 15:59:02  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S
    Jan 17 15:59:04  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S

    test2:
    Jan 17 15:59:44  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S
    Jan 17 15:59:45  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S

    test3:
    Jan 17 16:00:20  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S
    Jan 17 16:00:21  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S
    Jan 17 16:00:23  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S

    test4:
    Jan 17 16:01:31  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S
    Jan 17 16:01:32  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S
    Jan 17 16:01:34  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S

    test5:
    Jan 17 16:02:05  LAN0  172.16.100.100:49704  130.246.19.134:7689  TCP:S
    Jan 17 16:02:06  LAN0  172.16.100.100:49704  130.246.19.134:7689  TCP:S

    test6:
    Jan 17 16:04:02  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S
    Jan 17 16:04:03  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S
    Jan 17 16:04:05  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S

    test7:
    Jan 17 16:05:08  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S
    Jan 17 16:05:09  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S
    Jan 17 16:05:12  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S



  • Passive FTP requires having ports open for the data connection as well, just allowing 21 isn't enough. There is no reason to allow 20 there.



  • I open other ports? In terms of security? (torrent, etc.) Specific passive FTP ports? :(

    thank you.



  • Yes, you'll need ports open for the data connection. The problem is that passive FTP ports are server-defined, and could be any of a wide range (1024 through 65535). So where you want to keep egress rules tight, you'll probably want to force FTP use through a proxy (like Squid) only.
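To make the two replies concrete, here is an added example (not code from the thread or from any firewall vendor) that shows where the blocked ports in the poster's log come from. An FTP server answers PASV with a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, and the client then opens a new TCP connection to port `p1*256 + p2`. The script decodes that reply, checks the resulting port against an egress allow-list of the kind the poster described, and tallies blocked SYNs in firewall log lines of the same shape as those quoted above. The exact "mail ports" in the allow-list and the log lines below are constructed assumptions for the example; the sample PASV reply was chosen so that it decodes to the first blocked port in the poster's log (59987).

```python
"""Diagnose passive-FTP data connections dropped by a tight egress policy.

Added example, not from the original thread. Assumptions are marked inline.
"""
import re
from collections import Counter

# Assumed egress allow-list based on the poster's description
# ("20, 21, 80, 443, mail ports"); the mail ports are a guess for the example.
ALLOWED_PORTS = {20, 21, 80, 443, 25, 110, 143, 465, 587, 993, 995}

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Firewall log line after stripping the web UI widget text, e.g.
# "Jan 17 15:59:01  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d+ [\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP:(?P<flags>\S+)$"
)


def parse_pasv(reply: str):
    """Return (host, port) that the server announces in a 227 reply.

    The port is carried as two bytes: port = p1 * 256 + p2.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("out-of-range value in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def egress_allowed(port: int, allowed=ALLOWED_PORTS) -> bool:
    """True if an outbound TCP SYN to this destination port passes the allow-list."""
    return port in allowed


def parse_log(line: str):
    """Parse one cleaned firewall log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_data_ports(lines, allowed=ALLOWED_PORTS):
    """Map destination port -> number of SYN attempts that the allow-list drops.

    Repeated SYNs to the same high port from the same client (see the poster's
    test1..test7) are the client retrying the passive data connection.
    """
    counts = Counter()
    for line in lines:
        rec = parse_log(line)
        if rec and rec["flags"] == "S" and not egress_allowed(rec["dport"], allowed):
            counts[rec["dport"]] += 1
    return dict(counts)


# Constructed sample: one control-connection SYN on 21 (assumed, not in the
# thread) followed by the poster's test1 and test2 data-connection retries.
SAMPLE_LOG = [
    "Jan 17 15:58:59  LAN0  172.16.100.100:49670  130.246.19.134:21  TCP:S",
    "Jan 17 15:59:01  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:02  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:04  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:44  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S",
    "Jan 17 15:59:45  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S",
]

# Constructed PASV reply: (234, 83) -> 234 * 256 + 83 = 59987, the port in test1.
SAMPLE_PASV = "227 Entering Passive Mode (130,246,19,134,234,83)"


if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_PASV)
    print("server announced data endpoint %s:%d, allowed=%s"
          % (host, port, egress_allowed(port)))
    for dport, n in sorted(blocked_data_ports(SAMPLE_LOG).items()):
        print("blocked SYN to port %d, %d attempts" % (dport, n))
```

The control connection on 21 is the only one the allow-list passes; every data connection lands on a port the server picked, so a static "21 only" rule can never let passive FTP through. Allowing the whole 1024-65535 range outbound defeats the point of the tight egress policy, which is why the reply above recommends an FTP-aware proxy instead.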

