Page 1 of 2, results 1 to 10 of 12
  1. #1
    Newbie hostdummy's Avatar
    Join Date
    Jul 2008
    Posts
    5

    Default Firewall: FTP LAN 2 WAN ko

    Hi Guys,
    I've installed Untangle for a second time at a customer's site (release 5.3), but I have this problem:

    With the Firewall turned ON, many applications and services work fine (also a VoIP gateway), but the clients on the LAN can't use FTP. I've opened 20-21/tcp, but it doesn't work:

    Status: Resolving IP address for ftp.apple.com
    Status: Connecting to 17.254.0.15:21...
    Status: Connection established, waiting for welcome message...
    Response: 220 17.254.0.15 FTP server ready
    Command: USER anonymous
    Response: 331 Anonymous login ok, send your complete email address as your password.
    Command: PASS **************
    Response: 230 Anonymous access granted, restrictions apply.
    Command: SYST
    Response: 215 UNIX Type: L8
    Command: FEAT
    Response: 211-Features:
    Response: MDTM
    Response: REST STREAM
    Response: SIZE
    Response: 211 End
    Status: Connected
    Status: Retrieving directory listing...
    Command: PWD
    Response: 257 "/" is current directory.
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Response: 227 Entering Passive Mode (17,254,0,15,245,72).
    Command: LIST


    On the LIST command to the FTP server, the client freezes. I've set all Mac and PC clients to PASV mode, but no luck...

    I tried other settings:

    - forwarding all traffic from the WAN on port 21 to one client on the LAN
    - disabling anti-virus on FTP
    - disabling some controls on FTP in the Intrusion Prevention module
    - disabling some controls on dynamic/random ports in the Protocol Control module
    - disabling "enable processing" in the File Transfer override

    but ZERO... FTP from the LAN (internal interface), after installing UT 5.3, works fine only if I disable the Firewall module...

    Ideas please?

    Best Regards
    HD
    Last edited by hostdummy; 07-29-2008 at 03:38 AM.

  2. #2
    Newbie
    Join Date
    Jul 2008
    Posts
    6

    Default

    I'm having the same issue with my client's FTP on UT 5.3.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,414

    Default

    Why is it that people open port 20 when they want to pass FTP outbound? That port simply isn't used...

    I've said it before and I'll say it again.

    FTP outbound with a "block all" policy will not work unless you allow port 21 outbound as well as every port >1024 to the IP of the FTP server. Welcome to the annoyance and insecurity that is the FTP protocol. UT does attempt to run the FTP helper part of iptables to dynamically open the data ports, but for some reason it doesn't always work.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie hostdummy's Avatar
    Join Date
    Jul 2008
    Posts
    5

    Default

    Hi Sky-Knight,
    sorry about 20/tcp; it is now closed and removed...

    I wrote to UT support and they answered:

    Hello, this is *** with the Untangle Support team.
    This issue is regarding the way that ftp works. Even once you pass 20/21 ftp will still be using other ports. Those are just the communication ports, the data port will be selected by either the client or the server depending on which mode you are in. Active or passive.
    http://www.slacksite.com/other/ftp.html
    You will just need to open up the other required data ports on the firewall going out.
    Thanks!
    ***

    Now... if UT pushes advertising for a UT vs. WatchGuard competitive upgrade, it's no good if insecure FTP doesn't work well, because before installing UT 5.3 all our clients' FTP worked fine.

    Regards
    HD

  5. #5
    Newbie
    Join Date
    Jul 2008
    Posts
    7

    Default

    It still does not work for us with ALL ports open outbound.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,414

    Default

    FTP is a rather annoying protocol but I'll give you a quick rundown that should give you enough info to make it work.

    First and foremost, there are two modes of FTP. Active, and PASV. Since you are using NAT somewhere, PASV is your mode. Yes you could use Active but that takes even more work so PASV mode is what we look at.

    Now, how does PASV FTP work?

    First the client makes a connection to the FTP server on port 21. This is the control session that sends commands to the FTP server: authentication, directory changes, etc. Then almost immediately the FTP client makes a second connection to a random port on the FTP server; this is a data session. Technically speaking the client can make as many of these connections as it wants. Each one will use a different random port! This is why firewalling FTP is such a nightmare: you have no reasonable mechanism to control what ports are used on the client side. It is completely server controlled for PASV FTP.

    Now, the long and short for "block all" and allowing FTP.

    You need to create a rule that allows connections to port 21. Then you have to create another rule that allows all ports >1024 to the same server. The only way to do this securely is to maintain a list of IP addresses of known FTP servers.

    Now you can say that UT isn't a viable alternative to WatchGuard until this works. Then you'll find someone like me who says that even with WatchGuard this "doesn't" work. I've been there and done that with firewalls from every vendor conceivable and seen this system fail. The reason it "sometimes" works is that the firewall has an "FTP Helper" that literally snoops around in that control session and looks for the PASV command to be issued, strips the port that the server responds with and dynamically configures the firewall. This is all fine and good, until the FTP server responds in a slightly different way and the darn helper can't read the response thanks to a space or something equally normally harmless. Then there is the ever present problem of the FTP helper application only ever watching for connections on port 21... what happens if you use an FTP server on a port that isn't 21? Guess what... it breaks.

    UT takes a better approach of being layer 7 and attempts to knock out network threats without the need of layer 3 controls. It does a good job, and for 90% of situations the firewall isn't even needed. So UT defaults to "pass all" to get this and other problems out of the way.

    Spiderhost I humbly submit that if your FTP is giving you grief with a pass all rule... you didn't input the rule correctly. Try setting your firewall options to default to pass all and check it again.

    So let's do an example..

    If I want to allow FTP to ftp.hp.com so I can download printer drivers from HP there are 4 rules you have to insert into the firewall to make it work reliably.

    First thing to do is drop to a command line on your client and do nslookup ftp.hp.com to get the IP addresses of their FTP servers. Yes, that is plural. In this case the return is 15.201.49.21 and 15.193.112.22.

    So now that we have our IPs, the rules shown in the attachment must be applied. As soon as those rules are in place even a block all configuration will allow FTP to the two HP servers without incident. Note that I chose HP.com for a reason... their FTP servers break the FTP helper. Please also note that client interface and server interface are populated! You cannot get away with being lazy and using "any" in these fields. Choose the correct adapter or watch the rule not work!

    Yes, it is tedious, yes it will take you forever to get all the FTP servers you use into the firewall, yes you will have to add more.

    Welcome to the management nightmare that is "block all" on layer 3 and welcome to the reason that UTM appliances like Untangle exist.
    Last edited by sky-knight; 07-29-2008 at 10:32 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    Jul 2008
    Posts
    7

    Default

    Tried the pass all rule and still nothing....

  8. #8
    Newbie
    Join Date
    Jul 2008
    Posts
    7

    Default

    I had to add a rule from external to internal allowing any to any on any port. Is there any danger in keeping this rule active? It works fine with this rule in place.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,414

    Default

    From External to Internal? That indicates active FTP. Make sure that client is configured for PASV mode and you shouldn't need this rule at all. Allowing all connectivity from the wide world in isn't healthy.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
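An added example, not from the thread and not Untangle's code, of what the FTP helper sky-knight describes in #6 and #9 has to do: watch the control channel, pull the data endpoint out of PASV/EPSV replies and PORT/EPRT commands, and turn it into the one dynamic allow rule that data connection needs. The sample session, the client address 192.168.1.50 and the rule tuple format are constructed for the example; only the 227 reply is taken from the FileZilla log in #1 (port 245*256+72 = 62792). Two checks a practitioner would want are included: the patterns tolerate a reply formatted a little differently from the RFC 959 text (the "space or something" that breaks real helpers), and an endpoint on a third host is refused, which is the FTP bounce check nf_conntrack_ftp applies unless its `loose` module parameter is set. That same check is why a PORT command from a NAT'd client, which advertises its private address, produces an inbound (external to internal) rule that only works when the firewall also rewrites the command, hence the advice in #9 to stay in PASV mode.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Control-channel patterns. Deliberately loose about punctuation, because
# helpers that insist on the exact RFC 959 text break on servers that add a
# space or drop the parentheses in their 227 reply.
PASV_RE = re.compile(r"^227\D*(\d+)\D+(\d+)\D+(\d+)\D+(\d+)\D+(\d+)\D+(\d+)")
EPSV_RE = re.compile(r"^229[^(]*\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT\s+(\d+)\D+(\d+)\D+(\d+)\D+(\d+)\D+(\d+)\D+(\d+)", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|", re.I)

Rule = Tuple[str, str, str, int]  # (direction, src_ip, dst_ip, dst_port); constructed format


@dataclass(frozen=True)
class DataChannel:
    mode: str            # "passive": client connects out; "active": server connects in
    host: Optional[str]  # listening endpoint; None means "same host as the control peer"
    port: int


def _endpoint(a: int, b: int, c: int, d: int, p1: int, p2: int) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PASV replies and PORT commands."""
    if any(x > 255 for x in (a, b, c, d, p1, p2)):
        return None
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{a}.{b}.{c}.{d}", port


def parse_control_line(line: str) -> Optional[DataChannel]:
    """Return the data-channel endpoint announced by one control-channel line, if any."""
    line = line.strip()
    if m := PASV_RE.match(line):
        ep = _endpoint(*map(int, m.groups()))
        return DataChannel("passive", ep[0], ep[1]) if ep else None
    if m := EPSV_RE.match(line):
        port = int(m.group(1))
        return DataChannel("passive", None, port) if 0 < port < 65536 else None
    if m := PORT_RE.match(line):
        ep = _endpoint(*map(int, m.groups()))
        return DataChannel("active", ep[0], ep[1]) if ep else None
    if m := EPRT_RE.match(line):
        port = int(m.group(2))
        return DataChannel("active", m.group(1), port) if 0 < port < 65536 else None
    return None


def helper_rule(line: str, client_ip: str, server_ip: str) -> Optional[Rule]:
    """Mimic the firewall helper: the allow rule this line requires, or None.

    An endpoint on a host other than the one that sent the line is refused,
    as nf_conntrack_ftp does by default (its 'loose' parameter relaxes this).
    That blocks FTP bounce attacks; it also means a PORT command carrying a
    NAT'd client's private address gets no rule unless a NAT helper rewrites it.
    """
    dc = parse_control_line(line)
    if dc is None:
        return None
    if dc.mode == "passive":
        host = dc.host or server_ip
        if host != server_ip:
            return None
        return ("LAN->WAN", client_ip, host, dc.port)
    if dc.host != client_ip:
        return None
    return ("WAN->LAN", server_ip, dc.host, dc.port)


def replay_session(lines: List[str], client_ip: str, server_ip: str) -> List[Rule]:
    """Walk a control session and collect the dynamic rules a helper would open."""
    return [r for r in (helper_rule(l, client_ip, server_ip) for l in lines) if r]


# Constructed control session; only the first 227 line comes from the thread's log.
SAMPLE_SESSION = [
    "220 17.254.0.15 FTP server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (17,254,0,15,245,72).",
    "LIST",
    "EPSV",
    "229 Entering Extended Passive Mode (|||62793|)",
    "PORT 192,168,1,50,200,10",
    "200 PORT command successful",
    "227 Entering Passive Mode (10,0,0,9,4,1)",  # third-party host: must be refused
]

if __name__ == "__main__":
    for rule in replay_session(SAMPLE_SESSION, "192.168.1.50", "17.254.0.15"):
        print(rule)
```

Run as a script it prints three rules: two LAN->WAN rules to 17.254.0.15 on ports 62792 and 62793, and one WAN->LAN rule to 192.168.1.50 on port 51210 for the active-mode PORT command; the last 227 line opens nothing. Note that a real helper only sees this traffic if it is watching the control port in use, which is why a server on a port other than 21 breaks it, and that when control-channel traffic is encrypted (FTPS) the helper cannot read it at all and the static ">1024 to known server IPs" rules from #6 are the only option.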

  10. #10
    Newbie hostdummy's Avatar
    Join Date
    Jul 2008
    Posts
    5

    Talking

    Okay SN,
    finally I understand why my preferred gateway, based on BSD, Bintec (today Funkwerk), has no problem with PASV FTP:

    "The reason it "sometimes" works is the firewall has an "FTP Helper" that literally snoops around in that control session and looks for the PASV command to be issued, strips the port that the server responds with and dynamically configures the firewall."

    I have resolved the problem in the same way you showed me in the picture; maybe it is not the final goal, but it works...

    You gave me a good idea. My good fortune is this: the users on the LAN must access many FTP servers (>20), and all are in my address block. I like and think that a real firewall closes/blocks ALL, nothing else; UT is most powerful with the Protocol Filter and many pre-customized rules, great (only today I've blocked 9.8GB of BT bull...). Now I'm going to create 3 general rules with wildcards for the subnet and block I have assigned in the web farm to the servers.

    I think it is a good idea if Untangle Corp thinks about adding other plug-ins and settings for the next release:

    1. NAT forwarding from LAN to WAN
    2. the possibility to create custom rules in the firewall (e.g. a group of many ports or a group of many address blocks)
    3. improved management of additional IPs (with the possibility to create NAT on them); this is a good thing for B2B with /29, /28 etc. blocks, when the customers have many services inside: MTA, DNS, AD, WEB, FTP, etc.
    4. improved fault-tolerance on the WAN (e.g. I have 2 lines with 2 ISPs)

    Yesterday I turned off the WG, and nothing can reactivate...

    Many many thanks to You and all others people at Untangle

    Best Regards
    HD

