Blocking standard port, enabling custom port
-
2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16I have a passive, LAN-side FTP server listening for connections on standard port 21. Internet side the port is at 126 <censored>. NAT is setup on pfSense to translate / forward incoming port 126 to <ftp server="" ip="">:21 I have NAT setup so that it auto-generates a firewall-WAN rule automatically.
Currently I am able to reach the FTP server from both port 21 and 126. I should only be able to access the FTP site from port 126 (from the Internet)
What did I mess up?
Thanks</ftp></censored>
-
You must have a port forward on ports 21 and 126.
You are testing from the outside right?
-
Yes I am testing from external to my FTP server.
You said port forward on both 21 and 126. I am port forwarding on 126 –> 21. Is that what you mean or two separate rules?
-
What is in port alias FTP_Remap?
What I'm saying is the firewall rule is post-NAT so if you are port forwarding port 21 to 21 and port 126 to 21 it will work like you're seeing.
Perhaps you need to clear states, but I doubt it.
-
Thank you for your help thus far. I appreciate your time.
alias FTP_Remap is port 126 (my external port for FTP).
I understand what you're saying about port forwarding 21 –> 21 but I'm 95% sure I am not doing that. But I agree that that is what it sounds like I am doing.
I will clear the states... maybe that is a good idea.
--- 5 minutes later ---
I reset the states table and then remotely tried my FTP connection via FileZilla. Same problem. I can still connect to FTP via 21 (and 126).
hummmm
-
Then you're port forwarding it to the inside host. It's the only way traffic destined for the public IP can reach the private inside host.
Copy your /tmp/rules.debug to me in a PM.
-
Then you're port forwarding it to the inside host. It's the only way traffic destined for the public IP can reach the private inside host.
Copy your /tmp/rules.debug to me in a PM.
OK, done. Thank you.
-
OP had 1:1 NAT configured too.
