    Netgate Discussion Forum

    Passive FTP does not pass through?

    2.2 Snapshot Feedback and Problems - RETIRED
    • O
      ondokuz last edited by

      allowed ports : 20, 21, 80, 443, mail ports
      deny: all ports

      ftp://x.x.x.x

      not connecting….

      test1:
      Jan 17 15:59:01  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S
      Jan 17 15:59:02  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S
      Jan 17 15:59:04  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S

      test2:
      Jan 17 15:59:44  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S
      Jan 17 15:59:45  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S

      test3:
      Jan 17 16:00:20  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S
      Jan 17 16:00:21  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S
      Jan 17 16:00:23  LAN0  172.16.100.100:49694  130.246.19.134:64034  TCP:S

      test4:
      Jan 17 16:01:31  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S
      Jan 17 16:01:32  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S
      Jan 17 16:01:34  LAN0  172.16.100.100:49701  130.246.19.134:59199  TCP:S

      test5:
      Jan 17 16:02:05  LAN0  172.16.100.100:49704  130.246.19.134:7689  TCP:S
      Jan 17 16:02:06  LAN0  172.16.100.100:49704  130.246.19.134:7689  TCP:S

      test6:
      Jan 17 16:04:02  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S
      Jan 17 16:04:03  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S
      Jan 17 16:04:05  LAN0  172.16.100.100:49718  130.246.19.134:37155  TCP:S

      test7:
      Jan 17 16:05:08  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S
      Jan 17 16:05:09  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S
      Jan 17 16:05:12  LAN0  172.16.100.100:49721  130.246.19.134:12484  TCP:S

      • C
        cmb last edited by

        Passive FTP requires having ports open for the data connection as well, just allowing 21 isn't enough. There is no reason to allow 20 there.

        • O
          ondokuz last edited by

          I open other ports? In terms of security? (torrent etc.) Specific passive FTP ports? :(

          thank you.

          • C
            cmb last edited by

            Yes, you'll need ports open for the data connection. Problem is passive FTP ports are server-defined, and could be any of a wide range (1024 through 65535). So where you want to keep egress rules tight, you'll probably want to force FTP use through a proxy (like Squid) only.

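Added example, not part of the thread and not pfSense code: it decodes the data endpoint a server announces in a 227 (PASV) or 229 (EPSV) reply and checks which blocked SYNs in the firewall log went to such an endpoint, which is how the blocks above can be confirmed as passive data connections. The two control-channel replies are constructed (the thread shows only the firewall log), the log lines are taken from the first post with the GUI icon text removed, and the function names are hypothetical.

```python
import re
from collections import Counter

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|), address = the control-channel peer
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

def data_endpoint(reply, control_peer):
    """Return the (ip, port) a server reply announces for the data connection, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed octet or port byte
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        return (control_peer, port) if 0 < port <= 65535 else None
    return None

def blocked_data_flows(log_lines, replies, control_peer):
    """Map each blocked destination to (SYN count, announced by the server?)."""
    announced = {data_endpoint(r, control_peer) for r in replies} - {None}
    syns = Counter()
    for line in log_lines:
        ends = ENDPOINT_RE.findall(line)  # first match = source, second = destination
        if len(ends) >= 2 and line.rstrip().endswith("TCP:S"):
            syns[(ends[1][0], int(ends[1][1]))] += 1
    return {dst: (n, dst in announced) for dst, n in syns.items()}

SERVER = "130.246.19.134"
REPLIES = [  # constructed control-channel replies (assumption, not in the thread)
    "227 Entering Passive Mode (130,246,19,134,234,83)",  # 234*256 + 83 = 59987
    "229 Entering Extended Passive Mode (|||49485|)",
]
LOG = [  # block-log lines from the first post, GUI icon text removed
    "Jan 17 15:59:01  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:02  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:04  LAN0  172.16.100.100:49673  130.246.19.134:59987  TCP:S",
    "Jan 17 15:59:44  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S",
    "Jan 17 15:59:45  LAN0  172.16.100.100:49682  130.246.19.134:49485  TCP:S",
    "Jan 17 16:02:05  LAN0  172.16.100.100:49704  130.246.19.134:7689  TCP:S",
]

if __name__ == "__main__":
    for (ip, port), (n, known) in blocked_data_flows(LOG, REPLIES, SERVER).items():
        label = "announced passive data port" if known else "no matching reply"
        print(f"{ip}:{port}  blocked SYNs={n}  {label}")
```

A destination with repeated blocked SYNs and no matching reply, like port 7689 here, is either a transfer whose control channel was not captured or traffic unrelated to FTP, so it should not be opened on the strength of the log alone.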