FTP client triggers port scan rule in firewall

Hi,

I’ve implemented a firewall based on Dmitry and NetworkPro:

http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling

The problem is that the FTP client, FileZilla, is triggering the port scan rule and the address gets blocked.

add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d \
    comment="Block port scans"

The customer tried both passive and active mode; active mode blocks the server address.

We’ve tried to increase the psd WeightThreshold from 20 to even 240, but the FTP client still triggers the rule, so we’ve disabled the rule.

What can we do on the firewall side, not on the FTP client? We would like to have a port scan rule, but with some modification on the firewall, so that FTP clients are not blocked.

You can bypass the rule for specific FTP traffic. It isn’t clear if the traffic you want to allow is inbound from the internet or outbound from a local client.

I had the same issue where it would block off the FTP server’s IP. I did notice that using the “Connection Type” lists the connection as ftp only for the incoming connections, so I’m not sure if setting the Connection Type option to !ftp will solve this 100%. What I have done for now is to also set the Src. Address List to !local-addr.
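Putting both replies together, here is one way to lay out the sanity-check chain so that FTP data channels are excluded before the psd rule runs. This is an added example, not configuration from the thread or from the Dmitry/NetworkPro wiki pages; it assumes the chain name sanity-check and the address lists blocked-addr and local-addr from the original post, and that the FTP connection-tracking helper is enabled (it is by default). The reason FTP trips psd is that every data transfer opens a new TCP connection to a fresh high port, so a busy session looks like a sequence of probes against many ports; the fix is to key on connection-tracking state, which identifies those connections as part of an FTP session, rather than on port numbers.

```routeros
# Added example, not from the thread. Make sure the FTP helper is on, so that
# data connections are tracked as "related" to the control connection.
/ip firewall service-port
set ftp disabled=no ports=21

/ip firewall filter
# Rules are evaluated top to bottom; these return rules must sit above the
# psd rule in the chain (use "move" if you add them to an existing chain).

# 1. A data connection that conntrack expected from an FTP control session
#    (active or passive mode) arrives with connection-state=related.
#    Leave the chain here so psd never counts it.
add chain=sanity-check protocol=tcp connection-state=related \
    action=return comment="FTP data channels are not port scans"

# 2. Packets that conntrack attributes to the ftp helper (the control
#    session itself) are also expected traffic; this is the "Connection Type"
#    match from the second reply, expressed on the CLI.
add chain=sanity-check protocol=tcp connection-type=ftp \
    action=return comment="FTP control sessions are not port scans"

# 3. The original psd rule, now also excluding hosts on the local address
#    list so that the LAN-side FTP server or client is never blocked.
add chain=sanity-check protocol=tcp psd=20,3s,3,1 \
    src-address-list=!local-addr \
    action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block port scans"

# Check what got caught while testing: the list shows who was blocked and why.
/ip firewall address-list print where list=blocked-addr
```

Matching on the tracked state rather than on src-port=20 is deliberate: a source port is trivial to choose, so an exemption keyed on it would also exempt anyone who picks that port, whereas connection-state=related only applies to data connections that the helper actually expected from an existing control session. If your input and forward chains already accept established/related traffic before jumping to sanity-check, rule 1 is redundant but harmless; rule 2 and the !local-addr exclusion still matter for the control session and for local hosts.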