Rules for inbound FTP
Re: Rules for inbound FTP
Thanks, that admin access is now deleted.
Awaiting advice on how we solve the passive ports issue, which briefly worked whilst that rule was live.
Re: Rules for inbound FTP
You may find this useful.
https://wiki.filezilla-project.org/Netw ... ive_mode_2
And this in particular:
"If you do not want to allow incoming connections on all ports, or if you have a NAT router, you need to tell FileZilla Server to use a specific range of ports for passive mode connections. You will have to open these ports in your firewall. If you have a NAT router, you need to forward these ports to the local machine FileZilla Server is installed on. Depending on your router model, you can either forward a range of ports or you need to forward all ports individually.
Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases. "
Re: Rules for inbound FTP
Thank you for sharing that FileZilla page with us. Active and passive FTP are quite complex protocols and when I forget the way that they work, I always consult the following explanation: http://slacksite.com/other/ftp.html. I hope that it could help our readers.
It's likely that your FTP server (FileZilla FTP Server?) implements the FTP protocol slightly differently compared to the FTP server that we use in our lab (Linux vsftpd v3.0.3). That may explain why our proposed firewall rules work in our lab but not in your environment.
In this case we can explicitly open the passive FTP ports used by your FTP server (5000-5100?). What happens then if you implement the following rules:
firewall external add FixPassiveFTP21 allow tcp any rweb any 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb any 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb any 5000:5100 nil 10.0.10.11
BR,
Re: Rules for inbound FTP
Hi,
You are very welcome! However, I just tested your configuration in my lab using a FileZilla FTP Server v0.9.60 beta (instead of a vsftpd server) and the firewall rule based on the CG protocol called ftp_passive works very well. Can you please let me know which version of FileZilla FTP Server you use?
BR,
Re: Rules for inbound FTP
Could that be because your example is within the RFC range, whilst mine and FileZilla's are above, i.e. add a zero?
I've not had time to change mine to see if that is the reason, but it would be good for us all to know.
Re: Rules for inbound FTP
I don't think so. Below is an extract from RFC 6056 (https://tools.ietf.org/html/rfc6056):
2.1. Traditional Ephemeral Port Range
The Internet Assigned Numbers Authority (IANA) assigns the unique parameters and values used in protocols developed by the Internet Engineering Task Force (IETF), including well-known ports [IANA]. IANA has reserved the following use of the 16-bit port range of TCP and UDP:
- The Well-Known Ports, 0 through 1023.
- The Registered Ports, 1024 through 49151
- The Dynamic and/or Private Ports, 49152 through 65535
The dynamic port range defined by IANA consists of the 49152-65535 range, and is meant for the selection of ephemeral ports.
The answer lies in the following question: should we consider FTP passive ports as dynamic or as registered? I have also observed that registered ports are sometimes used by clients under Linux. I can't explain that and I think that the discussion around this subject goes beyond the scope of this forum.
Best Regards,
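As an added example (not code from this thread, CacheGuard or FileZilla), a small Python checker that parses a server's 227 PASV reply, classifies the advertised port by the IANA ranges quoted above, and tests it against the 5000-5100 range and the 192.168.155.1 external address that the rules in this thread open; the sample replies are constructed, and the data-connection port is h5*256+h6 per RFC 959.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample PASV replies in the RFC 959 form "227 ... (h1,h2,h3,h4,p1,p2)".
# Addresses and ports reuse the thread's values (192.168.155.1, 10.0.10.11, 5000-5100).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,155,1,19,136)",   # 19*256+136 = 5000: inside range
    "227 Entering Passive Mode (192,168,155,1,19,237)",   # 19*256+237 = 5101: one past the range
    "227 Entering Passive Mode (10,0,10,11,19,136)",      # internal address leaked through NAT
    "227 Entering Passive Mode (192,168,155,1,195,80)",   # 195*256+80 = 50000: IANA dynamic range
]

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h = m.groups()
    port = int(h[4]) * 256 + int(h[5])
    if not 1 <= port <= 65535:
        return None
    try:
        return str(IPv4Address(".".join(h[:4]))), port
    except AddressValueError:  # an octet above 255
        return None

def iana_class(port):
    """IANA port classes as quoted from RFC 6056 in the thread."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def check_reply(reply, expected_ip, allowed):
    """Would a firewall allowing only `allowed` (inclusive range) to `expected_ip` pass this data connection?"""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"ok": False, "reason": "unparseable 227 reply"}
    ip, port = parsed
    problems = []
    if ip != expected_ip:
        problems.append(f"advertised {ip}, expected {expected_ip} (NAT / passive IP misconfigured)")
    lo, hi = allowed
    if not lo <= port <= hi:
        problems.append(f"port {port} outside allowed range {lo}-{hi}")
    return {"ok": not problems, "ip": ip, "port": port, "class": iana_class(port), "problems": problems}

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(check_reply(r, "192.168.155.1", (5000, 5100)))
```

Running it against a real server's replies (captured from a client log) shows whether the advertised port lands inside the opened range and whether the server leaks its internal address behind NAT, the two failure modes discussed in this thread.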
Re: Rules for inbound FTP
Hi,
We are pleased to announce that we just released CacheGuard-OS version EH-1.3.6. This new release fixes the bug that prevented the use of CG's IP addresses as the destination IP in firewall rules. Therefore, you can safely replace the previously mentioned firewall rules with the following rules:
firewall external add FixPassiveFTP21 allow tcp any rweb 192.168.155.1 21 nil 10.0.10.11
firewall external add FixPassiveFTP990 allow tcp any rweb 192.168.155.1 990 nil 10.0.10.11
firewall external add DynPassiveFTP allow tcp any rweb 192.168.155.1 5000:5100 nil 10.0.10.11
As you can see, any has been replaced by CG's external IP address (192.168.155.1).
Best Regards,