You can’t connect to FTP server because this is Passive FTP.
In this case port 20 (data) is not used.
FTP server sends data via random unprivileged port (1024-65535).
Your rule 12 drops this traffic, that's all.
Don’t block outgoing traffic, only incoming.
Thanks for answering… but… I must block all outgoing traffic because I want to control what comes out of my network (some services will be forbidden) that’s why I must use rule 12.
Is there any other solution for my problem instead of disabling rule 12?
Thanks for answer… I first made a mistake but now that works… I must see what these rules exactly do because I have a lot of packets through it but nobody is using FTP…
I have one additional question, is it possible to log the rule that drops everything (in my case rule 12)?
This will help me for troubleshooting if my FW is dropping something that I want to let go out.
I did it, also I added a rule ABOVE the drop rule (rule 12):
add action=log chain=forward disabled=no log-prefix=FW-DROP src-address=10.10.10.0/24
and this logs everything that goes into dropping rule 12 (now it’s rule 13).
If someone wants to see what I have done I will post the rules… just say…
The router knows if packets belong to a connection between two hosts. Those rules accept packets that belong to connections that the router knows about. All kinds of packets would match that, but only if you already permitted the very beginning of the connection explicitly earlier on. It doesn’t compromise safety, makes processing easier for the firewall (nearly all packets match very early in the ruleset and it can stop processing), and allows you to match packets in passive FTP connections because the router has a helper that can look inside the FTP control channel and determine what ports the data channel will use, and then allow them as a ‘related’ connection.
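To make the last reply concrete, here is an added example (not from any post in this thread, and not RouterOS code) that does in Python what the FTP connection-tracking helper does on the router: it reads the control channel, finds the server's "227 Entering Passive Mode" reply, computes the data port from the two trailing numbers (p1*256 + p2), and records an expected client-to-server data connection so that a later packet to that port can be classified as "related" instead of being dropped by a catch-all rule. The sample control-channel lines, the addresses 192.0.2.10 / 198.51.100.5 and the function names are all constructed for this example. The sanity checks (advertised address must equal the control-channel peer, port must be unprivileged as the first reply states) are an assumption about sensible helper behaviour, not a description of RouterOS internals.

```python
import re

# Constructed sample of an FTP control channel as the router would see it
# (server replies start with a 3-digit code, client commands do not).
SAMPLE_CONTROL_CHANNEL = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "RETR file.txt",
    "150 Opening BINARY mode data connection.",
]

# 227 reply format: six decimal octets in parentheses: a1,a2,a3,a4,p1,p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    if any(o > 255 for o in (a, b, c, d, p_hi, p_lo)):
        raise ValueError("malformed PASV reply: octet out of range")
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


def expected_data_connections(control_lines, server_ip, client_ip):
    """Walk the control channel and build the list of data connections the helper
    would pre-approve as 'related'. Entries with ok=False are advertised but not
    trusted, and a packet matching them should still hit the drop rule."""
    expectations = []
    for line in control_lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        entry = {"proto": "tcp", "src": client_ip, "dst": ip, "dport": port, "ok": True}
        # Helper sanity check (assumed policy): the server may only redirect the
        # data channel to itself, never to a third host.
        if ip != server_ip:
            entry["ok"] = False
            entry["reason"] = "advertised address differs from control-channel peer"
        # Passive data ports are unprivileged (1024-65535), as stated in the thread.
        elif port < 1024:
            entry["ok"] = False
            entry["reason"] = "privileged port advertised for data channel"
        expectations.append(entry)
    return expectations


def classify(packet, expectations):
    """Mimic the router's verdict for an outgoing packet: 'related' if it matches a
    trusted expectation, otherwise 'new' (which then has to pass explicit rules)."""
    for e in expectations:
        if (e["ok"] and packet["proto"] == e["proto"] and packet["src"] == e["src"]
                and packet["dst"] == e["dst"] and packet["dport"] == e["dport"]):
            return "related"
    return "new"


if __name__ == "__main__":
    exp = expected_data_connections(SAMPLE_CONTROL_CHANNEL, "192.0.2.10", "198.51.100.5")
    pkt = {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 50000}
    print(exp, classify(pkt, exp))
```

Run as written it prints one trusted expectation for 192.0.2.10:50000 and classifies the sample data-channel packet as "related"; a packet to any other port on the server stays "new" and would fall through to the drop rule, which is exactly the traffic the log rule above rule 12 makes visible.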