Rules for inbound FTP
Assuming an internal server at 10.0.10.11 provides FTP services, the following external rules seem appropriate:
firewall external add Ftp21 allow tcp any rweb any 21 nil 10.0.10.11 21
firewall external add Ftp990 allow tcp any rweb any 990 nil 10.0.10.11 990
The following rule, defining a common passive port range, seems not to be acceptable:
firewall external add FtpPassive allow tcp any 50000:50100 nil rweb 10.0.10.11 50000:50100
The issue appears to be the final port range for PAT.
Do we need a rule for each of the 100 possible ports, or is there a better way?
Re: Rules for inbound FTP
Hi,
Actually there is a better way to allow passive and/or active FTP at the firewall level. All you need to do is to replace the keyword tcp by ftp_passive (or ftp_active). This way, there would be no need to specify even a single rule for the related dynamic ports used by FTP. Therefore your firewall rules should look as follows:
firewall external add Ftp21 allow ftp_passive any rweb any 21 nil 10.0.10.11
firewall external add Ftp990 allow ftp_passive any rweb any 990 nil 10.0.10.11
It's good to know that CG is capable of keeping track of the related ports used by FTP. To do so CG uses the Linux Netfilter module.
Best Regards,
Re: Rules for inbound FTP
Thanks. Both my rules above and yours enable an external FTP client to connect to my FTP server, however no directory listing or file transfer is occurring. This usually indicates failure to open the passive ports.
What port range is CG's ftp_passive using or expecting, as I might adjust the server to match that?
Re: Rules for inbound FTP
As we are in a destination NAT mode, we should not specify the PAT port for FTP and should leave it blank (shown as nil in the Web GUI), so I fixed the firewall rules in my last post to reflect the right configuration. I truly apologize for this mistake.
Regarding passive FTP ports, CG automatically allows the ports specified by your FTP server and there is no need to define additional rules for passive FTP ports. In other words, CG detects dynamic ports related to the main FTP connection and automatically allows them.
Also please double check that you use passive mode on your FTP client.
Best Regards,
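As an added illustration (not code from this thread or from CacheGuard), the following Python emulates what a stateful FTP helper such as the Netfilter module mentioned above has to do for the ftp_passive case: read the server's PASV or EPSV reply on the control connection, compute the dynamic data port, and admit only that single related flow, refusing replies that name a port outside the server's configured passive range (assumed here to be the 50000:50100 range from the original rules) or a host other than the server. The control-channel lines are constructed samples.

```python
import re

# Passive range the FTP server is assumed to be configured with (taken from
# the 50000:50100 range in the original rules; adjust to your own server).
PASV_RANGE = (50000, 50100)

# "227 Entering Passive Mode (10,0,10,11,195,80)" -> host and port p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Entering Extended Passive Mode (|||50080|)" -> port only (RFC 2428)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host_or_None, port) learned from a PASV/EPSV reply, else None."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def expected_data_flow(reply, server_ip, client_ip):
    """Derive the one related data flow a helper should admit for this reply,
    or None when the reply is not a passive reply or fails sanity checks."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return None
    host, port = parsed
    # Only unprivileged ports inside the server's known passive range are
    # trusted; anything else is treated as a misconfiguration and dropped.
    if port <= 1023 or not (PASV_RANGE[0] <= port <= PASV_RANGE[1]):
        return None
    # The data connection must go to the same host as the control connection.
    if host is not None and host != server_ip:
        return None
    return {"proto": "tcp", "src": client_ip, "dst": server_ip, "dport": port}


def related_flows(control_lines, server_ip, client_ip):
    """Walk a captured control-channel transcript and collect admitted flows."""
    flows = []
    for line in control_lines:
        flow = expected_data_flow(line, server_ip, client_ip)
        if flow is not None:
            flows.append(flow)
    return flows
```

Because the helper learns the port from the reply itself, no static rule for the 50000:50100 range is required; the only flow admitted is the one the server actually announced.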
Re: Rules for inbound FTP
I confirm the FTP client uses passive mode when triggered by the server.
I've removed the PAT value and applied. Still getting no directory listing or file transfer.
Re: Rules for inbound FTP
Hi Douglas,
Firewall rules proposed by David seem to be correct. Can you please verify that nothing on your FTP server is blocking incoming FTP requests from the external network? There is a chance that a firewall or access list manager on your FTP server is blocking those FTP requests.
I suggest that you implement a firewall rule that allows any to any and see if you still get no directory listing. That permissive rule would be as follows:
firewall external add All allow any any any any any nil 10.0.10.11
Kind Regards,
Re: Rules for inbound FTP
Applying that, FTP worked fine but I have lost access to CG via WebGUI and Putty.
How do I list external rules so I can check that
firewall external del All
worked?
All LAN use impacted, so this is urgent please.
Re: Rules for inbound FTP
Hi Douglas,
To reset the external firewall rule set, please use the following command:
firewall external raz
Actually implementing that permissive rule was not a good idea as it forwards all incoming connections to your FTP server. It would be better to completely deactivate the firewall and let CG act as a router only for your connectivity tests. To deactivate the firewall use the following command:
mode firewall off
Best Regards,
Re: Rules for inbound FTP
Actually, even with that any to any permissive rule, you should not lose the connection with CG itself as, in your configuration, firewall rules don't interfere with access rules (rules that control access to CG itself). Can you please check your access rules by using the following command:
access admin
BR,
Re: Rules for inbound FTP
Hi,
I just wanted to highlight that when the command setup is executed at first CG startup, the following access rule is automatically added in order to allow any access to CG's administration interfaces.
access admin add 0.0.0.0 0.0.0.0
The reason that this access rule is added is to allow beginners to have administrative access to CG regardless of their IP addresses. For a better security level it's highly recommended to remove that default access rule using the following command:
access admin del 0.0.0.0 0.0.0.0
Best Regards,