Rules for inbound FTP

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Rules for inbound FTP

Post by Douglas »

Assuming an internal server at 10.0.10.11 provides FTP services, the following external rules seem appropriate:
firewall external add Ftp21 allow tcp any rweb any 21 nil 10.0.10.11 21
firewall external add Ftp990 allow tcp any rweb any 990 nil 10.0.10.11 990

The following rule, defining a common passive port range, seems not to be acceptable:
firewall external add FtpPassive allow tcp any 50000:50100 nil rweb 10.0.10.11 50000:50100
The issue appears to be the final port range for PAT.

Do we need a rule for each of the 100 possible ports, or is there a better way?
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

Hi,

Actually there is a better way to allow passive and/or active FTP at the firewall level. All you need to do is to replace the keyword tcp with ftp_passive (or ftp_active). This way, there would be no need to specify even a single rule for the related dynamic ports used by FTP. Therefore your firewall rules should look as follows:

firewall external add Ftp21 allow ftp_passive any rweb any 21 nil 10.0.10.11
firewall external add Ftp990 allow ftp_passive any rweb any 990 nil 10.0.10.11
It's good to know that CG is capable of keeping track of the related ports used by FTP. To do so, CG uses the Linux Netfilter module.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
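What the "ftp_passive" keyword relies on is the Netfilter FTP connection-tracking helper (nf_conntrack_ftp on Linux): it reads the server's PASV/EPSV reply on the control channel, extracts the announced data port, and marks the client's upcoming connection to that port as RELATED so it is accepted without a static rule; behind destination NAT the companion NAT helper (nf_nat_ftp) also rewrites the private address the server announces, since a client cannot reach 10.0.10.11 directly. The following is an added example, not CacheGuard code, that performs the same reply parsing on constructed replies so you can see which related flows the helper would accept and whether they fall inside the 50000:50100 range the server in this thread was configured to announce (the range and the sample replies are assumptions for the example):

```python
import re

# Constructed FTP control-channel replies (not captured from the poster's server).
# PASV encodes host and port as six decimal octets; EPSV announces only the port.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,0,10,11,195,80).",   # 195*256 + 80 = 50000
    "229 Entering Extended Passive Mode (|||50042|).",
    "227 Entering Passive Mode (10,0,10,11,4,1).",       # 4*256 + 1 = 1025, outside the range
    "150 Opening BINARY mode data connection.",          # not a passive-mode reply
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host, port) announced by a PASV or EPSV reply, or None for any other reply.

    For EPSV the host is None: the client connects to the same peer as the control channel.
    """
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        return f"{a}.{b}.{c}.{d}", hi * 256 + lo
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def expected_related_flows(replies, passive_range=(50000, 50100)):
    """List the data connections a tracking helper would accept as RELATED for these replies.

    Each entry records the announced host (None for EPSV), the announced port, and whether
    the port lies inside the passive range the server is supposed to use (assumed range).
    A host of 10.0.10.11 in a PASV reply seen by the external client means the NAT helper
    did not rewrite the private address, which is one way a listing can hang.
    """
    lo, hi = passive_range
    flows = []
    for line in replies:
        parsed = parse_passive_reply(line)
        if parsed is None:
            continue
        host, port = parsed
        flows.append({"host": host, "port": port, "in_range": lo <= port <= hi})
    return flows


if __name__ == "__main__":
    for flow in expected_related_flows(SAMPLE_REPLIES):
        print(flow)
```

When a passive transfer hangs after login, comparing the port announced in the server's 227/229 reply against the range the server is configured to announce, and against the address the external client actually receives, narrows the fault to either the server's passive configuration or the firewall's helper and NAT handling.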
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Thanks. Both my rules above and yours enable an external FTP client to connect to my FTP server, however no directory listing or file transfer is occurring. This usually indicates failure to open the passive ports.
What port range is CG's ftp_passive using or expecting, as I might adjust the server to match that?
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

As we are in a destination NAT mode, we should not specify the PAT port for FTP and should leave it blank (shown as nil in the Web GUI), so I fixed the firewall rules in my last post to reflect the right configuration. I truly apologize for this mistake.

Regarding passive FTP ports, CG automatically allows the ports specified by your FTP server and there is no need to define additional rules for passive FTP ports. In other words, CG detects the dynamic ports related to the main FTP connection and automatically allows them.

Also please double check that you use passive mode on your FTP client.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

I confirm the FTP client uses passive mode when triggered by the server.
I've removed the PAT value and applied. Still getting no directory listing or file transfer.
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris
Contact:

Re: Rules for inbound FTP

Post by charles »

Hi Douglas,

Firewall rules proposed by David seem to be correct. Can you please verify that nothing on your FTP server is blocking incoming FTP requests from the external network? There is a chance that a firewall or access list manager on your FTP server is blocking those FTP requests.

I suggest that you implement a firewall rule that allows any to any and see if you still get no directory listing. That permissive rule would be as follows:

firewall external add All allow any any any any any nil 10.0.10.11
Kind Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Rules for inbound FTP

Post by Douglas »

Applying that, FTP worked fine but I have lost access to CG via the WebGUI and PuTTY.
How do I list external rules so I can check that
firewall external del All
worked?
All LAN use impacted, so this is urgent please.
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris
Contact:

Re: Rules for inbound FTP

Post by charles »

Hi Douglas,

To reset the external firewall rule set, please use the following command:

firewall external raz
Actually, implementing that permissive rule was not a good idea as it forwards all incoming connections to your FTP server. It would be better to completely deactivate the firewall and let CG act as a router only for your connectivity tests. To deactivate the firewall use the following command:

mode firewall off
Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris
Contact:

Re: Rules for inbound FTP

Post by charles »

Actually, even with that any to any permissive rule, you should not lose the connection with CG itself as, in your configuration, firewall rules don't interfere with access rules (rules that control access to CG itself). Can you please check your access rules by using the following command:

access admin
BR,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Rules for inbound FTP

Post by david »

Hi,

I just wanted to highlight that when the command setup is executed at first CG startup, the following access rule is automatically added in order to allow any access to CG's administration interfaces.

access admin add 0.0.0.0 0.0.0.0
The reason that this access rule is added is to allow beginners to have administrative access to CG regardless of their IP addresses. For a better security level it's highly recommended to remove that default access rule using the following command:

access admin del 0.0.0.0 0.0.0.0
Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
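The two configuration mistakes surfaced in this thread (an allow-any-to-any forwarding rule that exposes the whole internal host, and the default wildcard "access admin add 0.0.0.0 0.0.0.0" entry) are both easy to spot mechanically before they are applied. The following added example is not CacheGuard's own tooling: it audits rule lines in the positional shape shown in this thread and flags those two conditions, plus the plain-tcp port 21 rule from the first post that would leave the FTP data ports untracked. The field layout (name, action, then selector fields, with PAT port and destination address as the last two tokens) is assumed from the posted commands only; the sample rule lines are constructed for the example:

```python
# Constructed rule lines in the shape shown in the thread (assumption: the positional
# layout below is inferred from the posted commands, not from CacheGuard documentation).
SAMPLE_RULES = [
    "firewall external add Ftp21tcp allow tcp any rweb any 21 nil 10.0.10.11 21",
    "firewall external add Ftp21 allow ftp_passive any rweb any 21 nil 10.0.10.11",
    "firewall external add Ftp990 allow ftp_passive any rweb any 990 nil 10.0.10.11",
    "firewall external add All allow any any any any any nil 10.0.10.11",
    "access admin add 0.0.0.0 0.0.0.0",
    "access admin add 10.0.10.0 255.255.255.0",
]


def audit_firewall_rule(tokens):
    """Findings for one 'firewall external add NAME ACTION PROTO ...' rule (split on whitespace)."""
    findings = []
    name, action, proto = tokens[3], tokens[4], tokens[5]
    # Selector fields sit between the action and the trailing PAT port + destination address
    # (assumption: those are always the last two tokens, as in every rule posted above).
    selectors = tokens[5:-2]
    if action == "allow" and selectors and all(t == "any" for t in selectors):
        findings.append((name, "high",
                         "allow any-to-any forwards every inbound connection to the destination host"))
    if proto == "tcp" and "21" in selectors:
        findings.append((name, "info",
                         "plain tcp on port 21: related FTP data ports are not tracked; "
                         "use ftp_passive or ftp_active instead"))
    return findings


def audit_access_rule(tokens):
    """Findings for one 'access admin add IP MASK' rule; a 0.0.0.0 mask matches every source."""
    if tokens[4] == "0.0.0.0":
        return [(" ".join(tokens[3:5]), "high",
                 "administration interfaces reachable from any source address; "
                 "remove with: access admin del 0.0.0.0 0.0.0.0")]
    return []


def audit(lines):
    """Run both checks over a list of rule lines and return (rule, severity, message) tuples."""
    results = []
    for line in lines:
        tokens = line.split()
        if tokens[:3] == ["firewall", "external", "add"] and len(tokens) >= 8:
            results.extend(audit_firewall_rule(tokens))
        elif tokens[:3] == ["access", "admin", "add"] and len(tokens) >= 5:
            results.extend(audit_access_rule(tokens))
    return results


if __name__ == "__main__":
    for rule, severity, message in audit(SAMPLE_RULES):
        print(f"[{severity}] {rule}: {message}")
```

Running this over a saved rule listing before applying it would have caught both the lock-out-style any-to-any rule and the default open admin entry; the ftp_passive rules that David proposed produce no findings.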