  1. #1
    Untangler
    Join Date
    Jan 2010
    Posts
    94

    Default Firewall block all / open access to ftp servers

    Hello my dear friends

    I have been running all my Untangle boxes with the Firewall module with some pass rules and then a block rule at the end.

    This allows for only "normal" ports to be accessed, namely 80, 443, 110, etc.


    Now, I've added port 21, for FTP (because usually people need to download drivers from HP.com and other brands).

    Still, FTP does not work.

    I understand FTP works on some high number random ports.

    I would like to know what rule or rules I have to create, whether they use TCP or UDP, and what port numbers.


    I have no FTP server inside the network. All I want is for people to be able to download stuff via FTP.


    Thank you.

  2. #2
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,137

    Default

    Try adding port 20 also
    http://www.mdjnet.dk/ftp.html
    The world is divided into 10 kinds of people, who know binary and those not

  3. #3
    Untangle Ninja Mathiau's Avatar
    Join Date
    Feb 2008
    Location
    Costa Frickn' Rica
    Posts
    1,575

    Default

    FTP is a pain because most servers use passive mode and random ports, so it can be hard really to get things working 100% without opening huge port ranges; you could set IE and other browsers to not use passive mode...

    Really, if you're in a work location only your IT people should need FTP access for downloading files, and then create a shared drive with the drivers on them to share.
    Churchill | UT 10.0 | Dell R610 Server | Dual Xeon 2.8Ghz Quad Cores | 16Gb DDR3 ECC | 1 Intel Dual Port NIC | Integrated Broadcom | Dell Perc 4i | 4 x 73G 2.5 15k SAS raid 5 + 1 hot spare | 100mb/100mb

  4. #4
    Untangler
    Join Date
    Jan 2010
    Posts
    94

    Default

    Quote Originally Posted by Mathiau View Post
    FTP is a pain because most servers use passive mode and random ports, so it can be hard really to get things working 100% without opening huge port ranges; you could set IE and other browsers to not use passive mode...

    Really, if you're in a work location only your IT people should need FTP access for downloading files, and then create a shared drive with the drivers on them to share.

    I'm following the suggestions made here http://forums.untangle.com/firewall/...html#post25690 by sky-knight and will post later if it works.

  5. #5
    Untangler
    Join Date
    Jan 2010
    Posts
    94

    Default

    Quote Originally Posted by ivanradisson View Post
    I'm following the suggestions made here http://forums.untangle.com/firewall/...html#post25690 by sky-knight and will post later if it works.

    Well, opening FTP for a single site worked, in this case for HP.com

    It wasn't as simple as nslookup ftp.hp.com because apparently they have more random servers coming up at the moment of the FTP connection (and those are not listed in the lookup), so I had to change the rule a few times.

    I'm happy with the current setup because I can keep FTP closed down (regular users don't need this) with the exception of a few sites that I will be adding manually.


    So, to conclude, the solution relies on creating a rule to pass outgoing TCP traffic on ports 1024 - 65534 to a specific IP or group of IPs.

  6. #6
    Untangle Ninja Mathiau's Avatar
    Join Date
    Feb 2008
    Location
    Costa Frickn' Rica
    Posts
    1,575

    Default

    glad it worked!

    As you saw, that can be the problem: nslookup doesn't always give you every possible IP a company may use.
    Churchill | UT 10.0 | Dell R610 Server | Dual Xeon 2.8Ghz Quad Cores | 16Gb DDR3 ECC | 1 Intel Dual Port NIC | Integrated Broadcom | Dell Perc 4i | 4 x 73G 2.5 15k SAS raid 5 + 1 hot spare | 100mb/100mb

  7. #7
    Untanglit
    Join Date
    Mar 2010
    Posts
    21

    Default Open access to ftp servers

    I also need to allow FTP access for an application. Are there sample rules to view, for the Firewall module, that allow certain ports or a range of ports?

    I am running untangle as a bridge with the default rack. Thanks.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    18,069

    Default

    Quote Originally Posted by dwasserman View Post
    Try adding port 20 also
    http://www.mdjnet.dk/ftp.html
    I really wish people would read and stop skimming things; this is from your own link.

    you want to allow any incoming connection to your FTP client from port 20
    So how is an outbound rule going to help again?

    Besides the fact that I haven't seen an ACTIVE FTP implementation source from that port in ages.

    Finally, this subject has been covered in more detail than just about anything else.

    http://forums.untangle.com/tip-day/4...-firewall.html

    The forum search feature is your friend.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    NexgenAppliances.com
    Phone: 866-794-8879
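    An added example, not from this thread or from Untangle, showing why the rule in post #5 (pass outbound TCP 1024-65534 to a specific set of destinations) works for passive FTP and why, as post #8 points out, an outbound rule for port 20 does nothing for active FTP: the client learns the data-channel endpoint from the control channel (227/PASV or PORT), and only the passive case is an outbound connection the firewall's outbound rules can match. The destination networks and FTP lines are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Outbound rule set modelled on the thread: pass "normal" ports anywhere,
# pass TCP 1024-65534 only to listed destinations, block everything else.
# Constructed sample networks, not the real addresses of any FTP site.
ALLOWED_FTP_DATA_DESTS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
NORMAL_PORTS = {21, 80, 110, 443}
PASSIVE_RANGE = range(1024, 65535)  # 1024 - 65534 inclusive, as in post #5

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(groups):
    """FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    a, b, c, d, p1, p2 = map(int, groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def data_connection(ftp_line):
    """Return (direction, host, port) for the data channel announced by one
    control-channel line, or None if the line is neither a 227 reply nor PORT."""
    m = _PASV_RE.search(ftp_line)
    if m:  # passive: the client opens an outbound connection to host:port
        host, port = _decode(m.groups())
        return ("outbound", host, port)
    m = _PORT_RE.search(ftp_line)
    if m:  # active: the server connects back to the client, sourcing from port 20
        host, port = _decode(m.groups())
        return ("inbound", host, port)
    return None


def outbound_allowed(dst_host, dst_port):
    """Evaluate the outbound rule set: pass rules first, then the final block."""
    if dst_port in NORMAL_PORTS:
        return True
    dst = ip_address(dst_host)
    if dst_port in PASSIVE_RANGE and any(dst in net for net in ALLOWED_FTP_DATA_DESTS):
        return True
    return False


def data_channel_passes(ftp_line):
    """True if the announced data channel would be passed by the outbound rules.
    An active-mode (inbound) data connection can never match an outbound rule."""
    conn = data_connection(ftp_line)
    if conn is None or conn[0] == "inbound":
        return False
    return outbound_allowed(conn[1], conn[2])
```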

  9. #9
    Untangler
    Join Date
    Jan 2010
    Posts
    94

    Default

    Quote Originally Posted by sky-knight View Post
    I really wish people would read and stop skimming things; this is from your own link.

    So how is an outbound rule going to help again?

    Besides the fact that I haven't seen an ACTIVE FTP implementation source from that port in ages.

    Finally, this subject has been covered in more detail than just about anything else.

    http://forums.untangle.com/tip-day/4...-firewall.html

    The forum search feature is your friend.
    sky-knight, this post of yours is directed at whom??

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    18,069

    Default

    The quoted individual, just trying to stem the tide of misinformation regarding FTP. These things aren't hard to fix, but they get rather nuts when people are continuing to pass around what should be a universally known fact by now.

    I'm just as guilty as the next guy, and I expect people to bust my chops when I'm wrong. How else will I know to fix it?
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    NexgenAppliances.com
    Phone: 866-794-8879
