Netgate Discussion Forum

    Blocking standard port, enabling custom port

    Firewalling
    8 Posts 2 Posters 1.5k Views
    • awsiemieniec

      2.1.5-RELEASE (amd64)
      built on Mon Aug 25 07:44:45 EDT 2014
      FreeBSD 8.3-RELEASE-p16

      I have a passive, LAN-side FTP server listening for connections on standard port 21.  Internet side the port is at 126 (censored).  NAT is setup on pfSense to translate / forward incoming port 126 to (ftp server ip):21.  I have NAT setup so that it auto-generates a firewall-WAN rule automatically.

      Currently I am able to reach the FTP server from both port 21 and 126.  I should only be able to access the FTP site from port 126 (from the Internet)

      What did I mess up?

      Thanks

      • Derelict (LAYER 8, Netgate)

        You must have a port forward on ports 21 and 126.

        You are testing from the outside right?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • awsiemieniec

          Yes I am testing from external to my FTP server.
          You said port forward on both 21 and 126.  I am port forwarding on 126 -> 21.  Is that what you mean or two separate rules?

          [Attachments: WANRules.PNG, NAT.PNG]

          • Derelict (LAYER 8, Netgate)

            What is in port alias FTP_Remap?

            What I'm saying is the firewall rule is post-NAT so if you are port forwarding port 21 to 21 and port 126 to 21 it will work like you're seeing.

            Perhaps you need to clear states, but I doubt it.


            • awsiemieniec

              Thank you for your help thus far.  I appreciate your time.

              alias FTP_Remap is port 126 (my external port for FTP).

              I understand what you're saying about port forwarding 21 -> 21 but I'm 95% sure I am not doing that.  But I agree that that is what it sounds like I am doing.

              I will clear the states... maybe that is a good idea.

              --- 5 minutes later ---

              I reset the states table and then remotely tried my FTP connection via FileZilla.  Same problem.  I can still connect to FTP via 21 (and 126).

              hummmm

              • Derelict (LAYER 8, Netgate)

                Then you're port forwarding it to the inside host.  It's the only way traffic destined for the public IP can reach the private inside host.

                Copy your /tmp/rules.debug to me in a PM.


                • awsiemieniec

                  @Derelict:

                  Then you're port forwarding it to the inside host.  It's the only way traffic destined for the public IP can reach the private inside host.

                  Copy your /tmp/rules.debug to me in a PM.

                  OK, done.  Thank you.

                  • Derelict (LAYER 8, Netgate)

                    OP had 1:1 NAT configured too.


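The two points Derelict makes in this thread, that the WAN firewall rule is matched after NAT has already rewritten the destination, and that a 1:1 NAT entry sends every port of the public address to the inside host, can be checked with a small model of pf's NAT-then-filter evaluation. The Python below is an added example written for this page; it is not pfSense code and not the OP's /tmp/rules.debug. It parses constructed, simplified pf-style rdr/binat/pass lines (interface em0, WAN IP 203.0.113.5 and FTP host 192.168.1.10 are assumed placeholders), applies the inbound translation step (rdr before binat, which is pf's order for incoming packets) and then the filter step against the translated destination, and reports which external ports reach the server with and without the 1:1 mapping. It also lists hosts that are the target of both a port forward and a 1:1 mapping, which is the overlap that left port 21 reachable here.

```python
"""Model pf's NAT-then-filter evaluation for an inbound TCP connection.

Added example: simplified pf-style rules, constructed for illustration and not
a verbatim copy of any pfSense /tmp/rules.debug. Addresses are documentation
ranges standing in for the OP's real WAN IP and FTP server.
"""
import re
from dataclasses import dataclass

WAN_IF = "em0"             # assumed WAN interface name
WAN_IP = "203.0.113.5"     # assumed public IP (RFC 5737 documentation range)
FTP_HOST = "192.168.1.10"  # assumed LAN-side FTP server

# Port forward 126 -> 21 plus the 1:1 NAT mapping the OP also had configured,
# followed by the auto-generated WAN rule (note it matches the *inside* address)
# and the default block.
RULES_WITH_1TO1 = """
rdr on em0 proto tcp from any to 203.0.113.5 port 126 -> 192.168.1.10 port 21
binat on em0 from 192.168.1.10 to any -> 203.0.113.5
pass in quick on em0 proto tcp from any to 192.168.1.10 port 21 keep state
block in on em0
"""

# The same ruleset with the 1:1 NAT removed: only the port forward remains.
RULES_FORWARD_ONLY = "\n".join(
    line for line in RULES_WITH_1TO1.splitlines() if not line.startswith("binat")
)

RDR_RE = re.compile(r"^rdr on (\S+) proto tcp from any to (\S+) port (\d+) -> (\S+) port (\d+)$")
BINAT_RE = re.compile(r"^binat on (\S+) from (\S+) to any -> (\S+)$")
PASS_RE = re.compile(r"^pass in(?: quick)? on (\S+) proto tcp from any to (\S+) port (\d+)")


@dataclass
class Ruleset:
    rdr: list     # (iface, ext_ip, ext_port, int_ip, int_port)
    binat: list   # (iface, int_ip, ext_ip)
    passes: list  # (iface, dst_ip, dst_port)


def parse(text):
    """Pick out the three rule kinds the model needs; everything else is ignored."""
    rs = Ruleset([], [], [])
    for line in text.splitlines():
        line = line.strip()
        if m := RDR_RE.match(line):
            iface, ext, ext_port, inn, int_port = m.groups()
            rs.rdr.append((iface, ext, int(ext_port), inn, int(int_port)))
        elif m := BINAT_RE.match(line):
            rs.binat.append(m.groups())
        elif m := PASS_RE.match(line):
            iface, dst, dst_port = m.groups()
            rs.passes.append((iface, dst, int(dst_port)))
    return rs


def translate(rs, iface, dst_ip, dst_port):
    """NAT stage for an inbound packet: rdr rules are consulted first, then
    binat; the first match wins. Returns the post-NAT (dst_ip, dst_port)."""
    for r_iface, ext, ext_port, inn, int_port in rs.rdr:
        if r_iface == iface and ext == dst_ip and ext_port == dst_port:
            return inn, int_port
    for b_iface, inn, ext in rs.binat:
        if b_iface == iface and ext == dst_ip:
            return inn, dst_port  # 1:1 NAT rewrites only the address, every port
    return dst_ip, dst_port


def filter_allows(rs, iface, dst_ip, dst_port):
    """Filter stage, evaluated against the *translated* destination.
    Anything no pass rule matches falls through to the trailing block."""
    return any(i == iface and d == dst_ip and p == dst_port for i, d, p in rs.passes)


def reaches_server(rs, dst_port, iface=WAN_IF, wan_ip=WAN_IP, server=FTP_HOST):
    """True if a connection to wan_ip:dst_port ends up accepted at the FTP host."""
    ip, port = translate(rs, iface, wan_ip, dst_port)
    return ip == server and filter_allows(rs, iface, ip, port)


def exposed_ports(rs, ports=(21, 22, 126)):
    """External ports (from a candidate list) that reach the FTP host."""
    return sorted(p for p in ports if reaches_server(rs, p))


def double_translated_hosts(rs):
    """Hosts targeted by both a port forward and a 1:1 mapping: the overlap
    that makes extra ports reachable from the WAN."""
    rdr_targets = {inn for _, _, _, inn, _ in rs.rdr}
    binat_hosts = {inn for _, inn, _ in rs.binat}
    return sorted(rdr_targets & binat_hosts)


if __name__ == "__main__":
    for name, text in (("with 1:1 NAT", RULES_WITH_1TO1), ("forward only", RULES_FORWARD_ONLY)):
        rs = parse(text)
        print(f"{name}: external ports reaching {FTP_HOST} -> {exposed_ports(rs)}; "
              f"hosts with both rdr and binat: {double_translated_hosts(rs)}")
```

With the 1:1 mapping present, port 126 reaches the server through the rdr rule and port 21 reaches it through the binat rule, and both land on the same post-NAT destination 192.168.1.10:21 that the single WAN rule allows; port 22 is translated too but has no pass rule, so it is blocked. With the binat line removed, port 21 is never rewritten, no pass rule matches the public address, and only 126 gets through, which is the behaviour the OP wanted.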
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.