FTP firewall rule not working

I am using an RB532 as a broadband router and I am kind of doing my firewall rules in reverse order, by dropping everything and allowing just the services I want. All my rules work great except my allow-FTP rule. It seems like the firewall is allowing port 21 but not 20.

Any suggestions?

Thank you


/ ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=accept comment="" disabled=no
add chain=input protocol=tcp dst-port=3389-3390 action=accept comment="" disabled=no
add chain=input protocol=tcp action=drop comment="" disabled=no
add chain=forward src-address-list="no internet" action=drop comment="Drop internet access (see list)" disabled=no
add chain=forward connection-state=established action=accept comment="Accept Established Connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=forward protocol=tcp dst-port=20-21 action=accept comment="Allow FTP" disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment="Allow Http" disabled=no
add chain=forward protocol=tcp dst-port=443 action=accept comment="Allow HTTPS" disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="Allow POP3" disabled=no
add chain=forward protocol=udp dst-port=123 action=accept comment="Allow NTP" disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="Allow SMTP" disabled=no
add chain=forward protocol=udp dst-port=53 action=accept comment="Allow DNS" disabled=no
add chain=forward protocol=tcp dst-port=23 action=accept comment="Allow Telnet" disabled=no
add chain=forward protocol=tcp dst-port=3389-3390 action=accept comment="Allow RDP" disabled=no
add chain=forward protocol=icmp action=accept comment="Allow Ping out" disabled=no
add chain=forward action=drop comment="Drop Everything else" disabled=no

Someone please chime in. This little problem is annoying.

Did you try writing one rule for port 20 and another rule for port 21?

Yes, I did try separate rules, to no avail. Thank you for the reply.

Are both ports 20 and 21 TCP ports?

Thank you

Turn on the FTP helper in Firewall - Service Ports.

Add a rule to allow Related packets in the Forward chain.

Remember that FTP has two modes: normal & passive which manage their data channel in completely different ways.

Once you have this working I suggest you re-visit your Forward chain and specify an input interface for each rule to distinguish between inbound and outbound traffic. Also, specify ‘New connection’ for each rule.

Regards

Andrew
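As an added example (not part of the thread, and not Andrew's or the original poster's configuration), here is the forward chain above rewritten along the lines of that advice. The reason a dst-port=20 rule never matches is worth spelling out: in active ("normal") mode the FTP server opens the data connection itself, from source port 20 to an ephemeral port on the client, so on the router that packet is a new inbound connection whose destination port is not 20 and it falls through to the final drop; in passive mode the client opens the data connection to a random high port on the server, which again is not 20. The FTP helper reads the PORT/PASV exchange on the port-21 control channel and registers the expected data connection, so connection tracking classifies its first packet as related. Interface names are an assumption: ether1 is taken to be the LAN side and ether2 the Internet side of the RB532.

```routeros
# Added example, not from the thread. Assumes ether1 = LAN, ether2 = Internet;
# change the in-interface values to match your own RB532.

# 1. FTP connection-tracking helper. It watches the control channel (TCP 21)
#    for PORT / PASV and records the negotiated data connection so that
#    connection tracking later marks that connection "related".
/ip firewall service-port
set ftp ports=21 disabled=no

/ip firewall filter
# 2. Address-list block stays first, as in the original rule set.
add chain=forward src-address-list="no internet" action=drop comment="Drop internet access (see list)"

# 3. State rules before any service rule. "related" is what admits the FTP
#    data channel whichever end opens it (active: server port 20 -> client
#    ephemeral port; passive: client -> random high port on the server).
add chain=forward connection-state=established action=accept comment="Accept established connections"
add chain=forward connection-state=related action=accept comment="Accept related connections (FTP data channel)"
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections"

# 4. Service rules now only have to admit NEW connections coming from the LAN.
#    No port-20 rule is needed: the helper plus the "related" rule cover it.
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=21 action=accept comment="Allow FTP control channel (LAN -> Internet)"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=80 action=accept comment="Allow HTTP"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=443 action=accept comment="Allow HTTPS"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=110 action=accept comment="Allow POP3"
add chain=forward in-interface=ether1 connection-state=new protocol=udp dst-port=123 action=accept comment="Allow NTP"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=25 action=accept comment="Allow SMTP"
add chain=forward in-interface=ether1 connection-state=new protocol=udp dst-port=53 action=accept comment="Allow DNS"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=23 action=accept comment="Allow Telnet"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=3389-3390 action=accept comment="Allow RDP"
add chain=forward in-interface=ether1 connection-state=new protocol=icmp action=accept comment="Allow ping out"

# 5. Everything else, in either direction, is dropped. Because every accept
#    above carries in-interface=ether1, a new connection arriving on ether2
#    (the Internet side) can only pass if the helper has marked it related.
add chain=forward action=drop comment="Drop everything else"
```

To confirm the helper is doing its job, start an FTP transfer from a LAN host and watch /ip firewall connection print: the data connection should appear alongside the port-21 control connection, and /ip firewall filter print stats should show the related-rule counter increasing while the port-21 rule only counts the control session. Two caveats: the helper can only parse PORT/PASV if the control channel passes through the router in clear text on the port listed under service-port, so FTPS (FTP over TLS) defeats it and needs passive mode with a fixed data-port range and an explicit rule for that range; and the in-interface=ether1 rules only cover sessions started from the LAN, so an FTP server on the LAN that must be reachable from the Internet needs its own rule (or dst-nat) for inbound port 21.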

Allow related connections did it!!

Thank you