  1. #1
    Newbie
    Join Date
    Mar 2008
    Posts
    7

    Egress FTP Traffic

    I currently have egress filtering (filtering of outbound traffic) set up on my untangle firewall and it works fantastic, except for one troublesome protocol.

    FTP, after the initial connection on TCP port 21, attempts to connect via random TCP ports above 1024; the traffic destined for these ports then gets blocked, causing the FTP session to time out.

    Other than (1) allowing all egress traffic (which I am not going to do) and (2) installing an FTP proxy (which I do not want to do) I am at a loss for a solution to this problem.

    Any advice would be greatly appreciated.

    -Greg

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Hmm.. you could try to add a bypass rule for outbound TCP port 21 if you don't mind it not being scanned.

    The other connections should be automatically passed as related to the original control session. What client/server setup are you using? Is it all sites or just some? PASV and PORT? Is the client on the inside?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
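To make the PASV/PORT question above concrete, here is an added example (not from this thread or from Untangle) that parses the FTP control-channel lines a stateful firewall has to watch in order to pass the data connection as "related": a client `PORT` command, a server `227` PASV reply, and a `229` EPSV reply (RFC 2428). The sample lines and addresses are constructed; without this kind of tracking, a static egress rule that only opens 20-21 blocks exactly the high-port connections described in the question.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class DataChannel(NamedTuple):
    mode: str            # "active" (PORT) or "passive" (PASV/EPSV)
    host: Optional[str]  # address the data connection goes to
    port: int            # the "random" high port the thread is about
    opened_by: str       # which side initiates the data connection


# h1,h2,h3,h4,p1,p2 encoding used by both PORT and the 227 PASV reply
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(" + _HP + r"\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")   # EPSV: (|||port|)


def _decode(m: "re.Match") -> Tuple[str, int]:
    """Turn the six comma-separated octets into (dotted host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    port = p1 * 256 + p2
    if not 0 < port < 65536 or max(h1, h2, h3, h4) > 255:
        raise ValueError("malformed host/port in FTP line: %r" % m.group(0))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def expected_data_channel(line: str, server_ip: Optional[str] = None) -> Optional[DataChannel]:
    """Return the data connection one control-channel line negotiates, or None."""
    line = line.rstrip("\r\n")
    m = _PORT_RE.match(line)
    if m:   # active mode: server (from TCP/20) connects back to the client
        host, port = _decode(m)
        return DataChannel("active", host, port, "server")
    m = _PASV_RE.match(line)
    if m:   # passive mode: client opens an outbound (egress) connection
        host, port = _decode(m)
        return DataChannel("passive", host, port, "client")
    m = _EPSV_RE.match(line)
    if m:   # EPSV carries only the port; the host is the control-channel peer
        return DataChannel("passive", server_ip, int(m.group(1)), "client")
    return None


def session_data_channels(lines: Iterable[str], server_ip: str) -> List[DataChannel]:
    """Every data channel a firewall must allow for a captured control session."""
    found = [expected_data_channel(l, server_ip) for l in lines]
    return [dc for dc in found if dc is not None]


# Constructed control-channel excerpt (client on the inside, server 203.0.113.5)
SAMPLE_SESSION = [
    "USER anonymous", "331 Please specify the password.", "PASS guest@",
    "PORT 192,168,1,10,4,1",                           # active: client port 1025
    "227 Entering Passive Mode (203,0,113,5,195,80).",  # passive: port 50000
    "229 Entering Extended Passive Mode (|||50001|)",   # passive: port 50001
]
```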

  3. #3
    Newbie
    Join Date
    Mar 2008
    Posts
    7


    This applies to all FTP traffic. I will explicitly allow ports 20 - 21 outbound from all internal hosts to all external servers. When I watch the logs in the firewall I see that the 20 and 21 traffic connects fine; however, the random ports get blocked.

    I have tested this with both active and passive FTP, as well as with FTP clients connecting to my own external FTP server and FTP download links on websites.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Yep, it looks like you are correct:
    http://bugzilla.untangle.com/show_bug.cgi?id=1070

    I would just bypass outbound port 21 (and 20 in your case)

  5. #5
    Newbie
    Join Date
    Mar 2008
    Posts
    7


    The bypass rule works. It will have to do for now.
