#1
Newbie
Join Date: Nov 2009
Posts: 2
Hi, my firewall is set to "block all". Since we run windoze servers... we run a pretty tight firewall. We don't let anything reach the outside or inside if it's not needed.
I just open the ports I need opened. But I'm having a hard time understanding how the order of the rules (open ports) plays a role in the firewall. I.e.: I need to have ports 20-21 open for a server in my network to place orders outside our network. Here was my setup: I had opened ports 80, 53, 443, 8080... (the usual). I put ports 20-21 in rule #1. That didn't work. My main server couldn't reach out. These ports were still blocked by the Untangle server. After hours of messing around, I found that if I moved that rule into the rule #5 spot, it worked!! My server could reach outside the network via ports 20-21. My question is why? How come? Do I need common ports opened up before the FTP ports? Thanks for your input... I'm just trying to figure out how the Untangle firewall works.
|
#2
Master Untangler
FTP requires more ports than just 20-21. At least that is what circulates around the forums from time to time.
__________________
According to the development team, though the Untangle modules have been proven 100% safe, the Untangle Device has not: "Do not touch the operational end of the device. Do not look into the operational end of the device. Do not submerge the device in liquid, even partially. Most important, under no circumstances should you- (static)"
|
#3
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 7
Posts: 7,722
Quote:
Full Detail: http://forums.untangle.com/tip-day/4...-firewall.html

Short Answer: PASV mode FTP clients will fire at least 2 connections to any given server. The first, you're aware of: this is a random high-numbered local port to the server's TCP port 21 by default. Of course, there is nothing preventing the server admin from moving this particular port somewhere else... but 21 is the default. This is the control session. Then, when data is actually moved between the client and the server in PASV mode, the client picks a random high-numbered port and makes a connection to whatever port the server specified. RFCs indicate this port to be anything greater than 1024. So yes, you need all ports open to allow FTP to function, at least to the IP address of the server.

Please notice, I haven't mentioned port 20 in this post; it is very rare that port 20 is ever used, and it is NEVER used from the client side of the equation. That is misinformation perpetuated by the ignorant; please don't fall into the same trap.

Finally, there are two modes of FTP: Active and Passive. Active means the client picks the random port and the server connects to it. PASV means the server picks the random port and the client connects to it. PASV is by far the most common, as it puts all the port forwarding and network configuration on the server side. Well, that is... until you get draconian with the firewall.

Untangle's firewall module lacks an FTP helper. This FTP helper feature is present in most other commercial-grade firewalls... which is why you can get away with simply opening port 21. The firewall helper automagically opens the data ports for you. Don't you love UPnP features in your firewall?
__________________
Intouch Technology Rob Sandling, BS:SWE, MCP Office: 480-272-9889 rob@intouchtechllc.com Last edited by sky-knight; 11-16-2009 at 12:11 AM.
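The two-connection behaviour described in the post above, as an added example (not code from the thread or from Untangle): it walks a constructed FTP control-session transcript, pulls the data-connection destination out of the server's 227 reply (port = p1*256 + p2) and lists every outbound connection the client-side firewall must permit. It also accepts the 229 reply of EPSV (RFC 2428), which the post does not mention; the transcript, the "C: "/"S: " line prefixes and the server address 192.0.2.10 are all invented for the example.

```python
"""Which connections does a PASV-mode FTP client actually open?

Added example, not from the thread or from Untangle. Parses a constructed
control-session transcript, derives the data-connection destination from the
server's 227 (PASV) or 229 (EPSV, RFC 2428) reply, and lists every
(dst_ip, dst_port) pair the client-side firewall has to allow.
"""
import re
from typing import Dict, List, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv_reply(line: str, control_ip: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 or 229 reply, or None for any other reply.

    A 227 reply carries host and port as six decimal bytes: port = p1*256 + p2.
    A 229 reply carries only the port; the host is the control-session peer.
    """
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if p1 > 255 or p2 > 255:
            raise ValueError("malformed 227 reply: port bytes out of range")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return control_ip, int(m.group(1))
    return None


def connections_for_session(transcript: List[str], server_ip: str,
                            control_port: int = 21) -> List[Dict[str, object]]:
    """List every outbound connection a PASV-mode client makes in this session.

    The first entry is always the control connection; each PASV/EPSV reply adds
    one data connection. Lines starting with 'S: ' are server replies, 'C: '
    client commands (a convention invented for this constructed transcript).
    """
    conns: List[Dict[str, object]] = [
        {"kind": "control", "dst_ip": server_ip, "dst_port": control_port}
    ]
    for raw in transcript:
        if not raw.startswith("S: "):
            continue
        parsed = parse_pasv_reply(raw[3:], server_ip)
        if parsed is None:
            continue
        host, port = parsed
        conns.append({
            "kind": "data",
            "dst_ip": host,
            "dst_port": port,
            # the post notes the RFCs put the data port above 1024
            "ephemeral": port > 1024,
        })
    return conns


# Constructed transcript (not a real capture): one client fetching one file in PASV mode.
SAMPLE_TRANSCRIPT = [
    "S: 220 ftp.example.test FTP server ready",
    "C: USER orders",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 Logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256 + 80 = 50000
    "C: RETR order.txt",
    "S: 150 Opening BINARY mode data connection",
    "S: 226 Transfer complete",
    "C: QUIT",
]

if __name__ == "__main__":
    for conn in connections_for_session(SAMPLE_TRANSCRIPT, "192.0.2.10"):
        print(conn)
```

Running it prints the control connection to 192.0.2.10:21 followed by a data connection to 192.0.2.10:50000; a rule set that opens port 21 and nothing else to that server lets the first through and silently drops the second, which is exactly the symptom in the original question.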
|
#5
Master Untangler
Join Date: Feb 2008
Posts: 339
They are in order, descending.
The bottom rule is the last rule; anything before it takes priority. E.g. my setup:
FTP
DNS
HTTP
Block All Rule
If I move the block all rule (I have it set as default pass with a block all rule to log everything else) to the top, the other rules are then obsolete.
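The top-down, first-match evaluation this post describes, as an added example that is not Untangle's code: a minimal rule list where the first matching rule decides and everything below it is never consulted, plus a check for rules that can never fire because an earlier rule already covers them. The Rule fields, the rule names, the three rule sets and the server address 192.0.2.10 are all invented for the example; the "ftp data" rule opens the above-1024 range to that one server, as the earlier answer in this thread says PASV FTP needs.

```python
"""First-match rule evaluation: why the order of firewall rules matters.

Added example, not Untangle code. Rule fields, rule names, rule sets and the
server address are invented for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "pass" or "block"
    dst_ip: Optional[str] = None                # None matches any destination
    ports: Optional[Tuple[int, int]] = None     # inclusive (low, high); None = any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.dst_ip is not None and self.dst_ip != dst_ip:
            return False
        if self.ports is not None and not (self.ports[0] <= dst_port <= self.ports[1]):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' could match is also matched by self."""
        ip_ok = self.dst_ip is None or self.dst_ip == other.dst_ip
        if self.ports is None:
            ports_ok = True
        elif other.ports is None:
            ports_ok = False
        else:
            ports_ok = self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]
        return ip_ok and ports_ok


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int,
             default: str = "pass") -> Tuple[str, str]:
    """Top-down, first match wins; rules below the match are never consulted."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.name
    return default, "default"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:i]):
            dead.append(rule.name)
    return dead


ORDER_SERVER = "192.0.2.10"   # constructed: the outside FTP server orders are placed with

FTP_CONTROL = Rule("ftp control", "pass", ports=(21, 21))
FTP_DATA = Rule("ftp data (PASV) to order server", "pass",
                dst_ip=ORDER_SERVER, ports=(1025, 65535))
DNS = Rule("dns", "pass", ports=(53, 53))
HTTP = Rule("http", "pass", ports=(80, 80))
BLOCK_ALL = Rule("block all", "block")

# Three rule sets: the opens above the catch-all (the post's layout), the
# catch-all moved to the top, and port 21 only with no data-port rule.
OPENS_THEN_BLOCK = [FTP_CONTROL, FTP_DATA, DNS, HTTP, BLOCK_ALL]
BLOCK_ALL_FIRST = [BLOCK_ALL, FTP_CONTROL, FTP_DATA, DNS, HTTP]
PORT_21_ONLY = [FTP_CONTROL, DNS, HTTP, BLOCK_ALL]

if __name__ == "__main__":
    for label, rules in [("opens then block", OPENS_THEN_BLOCK),
                         ("block all first", BLOCK_ALL_FIRST),
                         ("port 21 only", PORT_21_ONLY)]:
        print(label,
              "| control:", evaluate(rules, ORDER_SERVER, 21),
              "| data:", evaluate(rules, ORDER_SERVER, 50000),
              "| shadowed:", shadowed(rules))
```

With the catch-all at the bottom both the control connection (port 21) and the PASV data connection (port 50000 to the order server) pass; with the same rules and the catch-all moved to the top every packet hits "block all" and all four opens are reported as shadowed; with port 21 open but no data-port rule, the control session passes and the data connection is blocked.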
|
|
|
|
|