Blocking standard port, enabling custom port



  • 2.1.5-RELEASE (amd64)
    built on Mon Aug 25 07:44:45 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    I have a passive, LAN-side FTP server listening for connections on standard port 21.  Internet side the port is at 126 <censored>.  NAT is set up on pfSense to translate / forward incoming port 126 to <ftp server ip>:21.  I have NAT set up so that it auto-generates a firewall WAN rule automatically.

    Currently I am able to reach the FTP server from both port 21 and 126.  I should only be able to access the FTP site from port 126 (from the Internet).

    What did I mess up?

    Thanks


  • LAYER 8 Netgate

    You must have a port forward on ports 21 and 126.

    You are testing from the outside right?



  • Yes I am testing from external to my FTP server.
    You said port forward on both 21 and 126.  I am port forwarding on 126 -> 21.  Is that what you mean, or two separate rules?





  • LAYER 8 Netgate

    What is in port alias FTP_Remap?

    What I'm saying is the firewall rule is post-NAT so if you are port forwarding port 21 to 21 and port 126 to 21 it will work like you're seeing.

    Perhaps you need to clear states, but I doubt it.



  • Thank you for your help thus far.  I appreciate your time.

    alias FTP_Remap is port 126 (my external port for FTP).

    I understand what you're saying about port forwarding 21 -> 21, but I'm 95% sure I am not doing that.  But I agree that that is what it sounds like I am doing.

    I will clear the states... maybe that is a good idea.

    --- 5 minutes later ---

    I reset the states table and then remotely tried my FTP connection via FileZilla.  Same problem.  I can still connect to FTP via 21 (and 126).

    hummmm


  • LAYER 8 Netgate

    Then you're port forwarding it to the inside host.  It's the only way traffic destined for the public IP can reach the private inside host.

    Copy your /tmp/rules.debug to me in a PM.



  • @Derelict:

    Then you're port forwarding it to the inside host.  It's the only way traffic destined for the public IP can reach the private inside host.

    Copy your /tmp/rules.debug to me in a PM.

    OK, done.  Thank you.


  • LAYER 8 Netgate

    OP had 1:1 NAT configured too.

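The resolution above (a 1:1 NAT entry mapping every port of the public address to the inside host, so the single port forward was never the only path) is the kind of misconfiguration a quick pass over /tmp/rules.debug can catch. The following check is an added example, not code from the thread or from pfSense: it flags any inside host that appears both in an rdr port forward and in a binat (1:1) mapping. The rule lines are constructed samples in pf(4) syntax, and the regexes assume that layout, which is an assumption about what pfSense writes to rules.debug.

```python
import re

# Constructed sample in pf(4) syntax, modelled on the rdr/binat lines pfSense
# writes to /tmp/rules.debug (exact generated text is an assumption here).
# 192.168.1.10 is the FTP host; it has BOTH a 126->21 forward and a 1:1 map.
SAMPLE_RULES = """\
binat on em0 from 192.168.1.10 to any -> 203.0.113.5
rdr on em0 proto tcp from any to 203.0.113.5 port 126 -> 192.168.1.10 port 21
rdr on em0 proto tcp from any to 203.0.113.5 port 443 -> 192.168.1.20 port 443
"""

RDR_RE = re.compile(
    r"^rdr\s+on\s+(\S+)\s+proto\s+(\S+)\s+from\s+\S+\s+to\s+(\S+)\s+port\s+(\S+)"
    r"\s+->\s+(\S+)\s+port\s+(\S+)"
)
BINAT_RE = re.compile(r"^binat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+any\s+->\s+(\S+)")


def _strip_mask(addr):
    # Tolerate "203.0.113.5/32" so it compares equal to "203.0.113.5".
    return addr[:-3] if addr.endswith("/32") else addr


def parse_rules(text):
    """Split rules.debug text into port forwards (rdr) and 1:1 maps (binat)."""
    rdrs, binats = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            iface, proto, ext_ip, ext_port, int_ip, int_port = m.groups()
            rdrs.append({"iface": iface, "proto": proto, "ext_ip": _strip_mask(ext_ip),
                         "ext_port": ext_port, "int_ip": int_ip, "int_port": int_port})
            continue
        m = BINAT_RE.match(line)
        if m:
            iface, int_ip, ext_ip = m.groups()
            binats.append({"iface": iface, "int_ip": int_ip, "ext_ip": _strip_mask(ext_ip)})
    return rdrs, binats


def find_exposed_hosts(rdrs, binats):
    """Inside hosts that have a port forward AND a binat entry.

    A binat maps every port of the external address to the inside host, so the
    port restriction in the rdr is not actually limiting what is reachable.
    Returns (inside_ip, external_ip, ext_port, int_port) per such forward."""
    binat_hosts = {b["int_ip"]: b["ext_ip"] for b in binats}
    return [(r["int_ip"], binat_hosts[r["int_ip"]], r["ext_port"], r["int_port"])
            for r in rdrs if r["int_ip"] in binat_hosts]


if __name__ == "__main__":
    for host, ext, ep, ip in find_exposed_hosts(*parse_rules(SAMPLE_RULES)):
        print(f"{host} is 1:1 mapped to {ext}; forward {ep}->{ip} is not the only path")
```

On a real box, feed the script the contents of /tmp/rules.debug instead of SAMPLE_RULES; any hit means the 1:1 NAT entry, not the port forward, decides which ports are reachable.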
