FTP still appears to be broken…
After doing a cvs sync this evening, I decided to do some more ftp testing. I am not using dual wan. RELENG_1_SNAPSHOT_03-19-2006 built on Sat Mar 18 01:47:08 UTC 2006
I created a NAT: Port Forward as follows:
WAN TCP 21 (FTP) 10.0.0.5 21 (FTP)
I checked the box to autocreate the fw rules, and two rules were created on the WAN interface:
TCP * * 10.0.0.5 21 (FTP) * NAT
TCP * * 21 (FTP) * NAT
I then made a few connection attempts from a pc outside of my network, which was unsuccessful. The following BLOCKED entries showed up in my logs:
Mar 22 21:40:20 WAN 69.81.X.X:18172 67.171.X.X:21 TCP
Mar 22 21:40:14 WAN 69.81.X.X:18172 67.171.X.X:21 TCP
Mar 22 21:40:11 WAN 69.81.X.X:18172 67.171.X.X:21 TCP
Mar 22 21:39:59 WAN 69.81.X.X:18171 67.171.X.X:21 TCP
Mar 22 21:39:53 WAN 69.81.X.X:18171 67.171.X.X:21 TCP
I know hoba was going to do some testing of ftp in the lab, but not sure if he has had time. I have created other NAT: Port Forward rules using the same method for port 80, 443, and a few others, and all the traffic seems to flow ok. Are there still issues with ftp on this ver?
You need more than only port 21. Your server is using a lot more rules than this. Check what range you have to forward additionally (configurable with most ftp servers). Also try to connect using active mode. Another issue that can pop up is your ftp server has to know it's public IP to tell the client the correct port to connect to. Check your ftp-server documentation. I'm not sure if your rules at WAN are correct. Do you have the ftp-helper enabled at WAN (it's disabled by default at WAN)?
That doesnt make sense tho that port 21 is forwarded, and yet port 21 is the port that is still being blocked. Wouldnt I see other ports being hit on the firewall as well, not just 21 if it wanted more open? Maybe port 20? In the past, even on 9X.X releases, the only rule I had to have was port 21. Im using the same ftp server now as I was back then.
So it looks like by default, the ftp helper is enabled on all interfaces. In order for LAN and WAN to access my ftp server in the DMZ, I had to disable the ftp helper on all interfaces, LAN, WAN, and DMZ. As soon as I turned that off, all is well.