PF FTP and PF

Hello. I am configuring access from the WAN to an FTP server located on the local network. Its IP is 192.168.0.65.
The gateway is FreeBSD 9.3; the firewall is pf.
In pf.conf add
Code:
rdr pass on $ext_if proto tcp from any to port 20 -> 192.168.0.65 port 20
rdr pass on $ext_if proto {tcp,udp} from any to port 21 -> 192.168.0.65 port 21
rdr pass on $ext_if proto {tcp,udp} from any to port 5500:5520 -> 192.168.0.65 port 5500:5520

pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 21 keep state
pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 20 keep state
pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 5500:5520 keep state

When connecting Filezilla: Error: Data connection can not be established: ECONNREFUSED - Connection refused by server
From the local network everything works. What could be the problem?
 
Instead of what I wrote earlier, is it necessary to add this?
Code:
rdr on $ext_if proto tcp from any to any port 20 -> 192.168.0.65 port 20
rdr on $ext_if proto tcp from any to any port 21 -> 192.168.0.65 port 21
rdr on $ext_if proto tcp from any to any port 1024:65535 -> 192.168.0.65 port 1024:65535

pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 21 keep state
pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 20 keep state
pass quick on $int_if proto {tcp,udp} from any to 192.168.0.65 port 1024:65535 keep state
 
It depends on whether you're using active or passive FTP. But yes, one of the problems is the random nature of the data channel. Instead of opening pretty much everything, most people use a small range (100 ports, for example) and configure their FTP server to use only that range of ports. Alternatively you may want to have a look at ftp-proxy(8). It can dynamically open ports, as it's able to look inside the protocol and see which ports are being opened.
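The two approaches from the reply above, written out as a pf.conf fragment for the setup in the thread; this is an added example, not configuration posted in the thread. It assumes the interface names em0/em1, that the FTP server is configured to advertise only the passive range 5500-5520 (and the gateway's public address in its PASV replies), and that the macro names are the poster's.

```pf
# Added example: exposing a passive-mode FTP server behind a pf NAT gateway.
ext_if   = "em0"             # assumed WAN interface
int_if   = "em1"             # assumed LAN interface
ftp_srv  = "192.168.0.65"
pasv     = "5500:5520"       # must match the server's configured passive range

# Anchors that ftp-proxy(8) fills at run time (used by variant B only).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# --- Variant A: fixed, small passive range ------------------------------
# Only the control channel and the 21 passive data ports are redirected.
# Port 20 is used only by active-mode transfers (server connects out), so it
# is not exposed here. "rdr pass" creates state, so no extra pass rules on
# $int_if are needed for these ports. FTP is TCP only; udp is not redirected.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 21    -> $ftp_srv port 21
rdr pass on $ext_if proto tcp from any to ($ext_if) port $pasv -> $ftp_srv port $pasv

# --- Variant B: ftp-proxy(8) in reverse mode -----------------------------
# Start the proxy on the gateway with (public address assumed):
#   ftp-proxy -R 192.168.0.65 -p 21 -b <gateway public IP>
# The proxy accepts the control connection itself, follows PASV/PORT inside
# the protocol and installs rdr/pass rules for each data connection in the
# anchors above, so no data-port range is opened statically at all.
# If you use variant B, drop the two "rdr pass" lines of variant A.
anchor "ftp-proxy/*"
pass in  on $ext_if proto tcp from any to ($ext_if) port 21 keep state   # clients -> proxy
pass out on $int_if proto tcp from ($ext_if) to $ftp_srv port 21 keep state  # proxy -> server
```

Check the loaded translation rules with `pfctl -s nat` and, for variant B, the dynamically added rules with `pfctl -a 'ftp-proxy/*' -s rules` while a transfer is running.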
 