FTP

Hello guys,

I notice that some FTP servers don't open port 21. I have my drop rules, and my port 21 accept rules are placed before the drop rules, meaning my port 21 traffic can pass. My doubt is: do some FTP servers use port 21 as a dummy and then change to any other port before FTP establishes the connection? Anyone have an idea?

Thanks

You can easily work around all of that by accepting packets that have a connection-state of ‘related’ and ‘established’ very high up in the ruleset (probably as the first two rules), and ensuring that the FTP helper is enabled under “/ip firewall service-port”. The firewall has helpers that can inspect control channels and recognize the data channels negotiated within them and classify them as ‘related’. If that previous sentence didn’t make sense read up on passive FTP vs active FTP.
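To make the mechanism in the answer above concrete, here is an added example (my own code, not RouterOS code or anything posted in this thread): a toy model in Python of the FTP connection-tracking helper a stateful firewall runs. It reads the control channel, parses the PORT command (active mode) and the 227 reply to PASV (passive mode), records the data connection each one announces, and classifies the matching SYN as 'related', which is why an accept rule for established/related at the top of the ruleset lets the data channel through even though its port is negotiated on the fly. The IP addresses, ports and FTP lines are constructed for the example, and the class and function names are mine.

```python
"""Toy model of the FTP connection-tracking helper a stateful firewall runs.

The helper reads the FTP control channel (TCP/21), parses the PORT command
(active mode: the server connects back to the client) and the 227 reply to
PASV (passive mode: the client connects to a server-announced port), and
records the data connection each one announces so that its first SYN is
classified as 'related' instead of 'new'. That SYN then matches an early
accept-established/related rule instead of falling through to a drop rule.
"""
import re
from dataclasses import dataclass, field

# Constructed examples of the two announcements the helper cares about:
#   client -> server:  "PORT 198,51,100,7,4,210"                       (active)
#   server -> client:  "227 Entering Passive Mode (192,0,2,10,195,80)" (passive)
# Both carry h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(fields):
    """Decode the six decimal fields into ("a.b.c.d", port), rejecting junk."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP address field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpHelper:
    """Tracks one control connection between client_ip and server_ip."""
    client_ip: str
    server_ip: str
    # Data connections we now expect, keyed as (src_ip, dst_ip, dst_port).
    # Source ports are ignored here: the client picks an ephemeral one, and
    # even in active mode not every server connects from TCP/20.
    expected: set = field(default_factory=set)

    def _announced(self, regex, line, must_match_ip):
        """Parse an announcement; None if it is not one or points elsewhere."""
        m = regex.match(line)
        if not m:
            return None
        try:
            ip, port = parse_hostport(m.groups())
        except ValueError:
            return None                    # malformed: open nothing
        # Hardening: only open a pinhole towards the peer that announced it.
        # An address pointing at a third host would let one FTP peer use the
        # firewall to reach other machines. (Linux's nf_conntrack_ftp refuses
        # such expectations too unless its 'loose' parameter is enabled.)
        if ip != must_match_ip:
            return None
        return ip, port

    def observe_client(self, line):
        """Handle a line the client sent; returns the expectation added or None."""
        hp = self._announced(PORT_RE, line, self.client_ip)
        if hp is None:
            return None
        exp = (self.server_ip, hp[0], hp[1])   # active mode: server -> client
        self.expected.add(exp)
        return exp

    def observe_server(self, line):
        """Handle a line the server sent; returns the expectation added or None."""
        hp = self._announced(PASV_RE, line, self.server_ip)
        if hp is None:
            return None
        exp = (self.client_ip, hp[0], hp[1])   # passive mode: client -> server
        self.expected.add(exp)
        return exp

    def classify(self, src_ip, dst_ip, dst_port):
        """Connection state for a new SYN: 'related' if announced, else 'new'."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)         # one data connection per announcement
            return "related"
        return "new"


def firewall_verdict(state, dst_port):
    """Rule order from the answer: established/related first, then port 21, then drop."""
    if state in ("established", "related"):
        return "accept"
    if dst_port == 21:
        return "accept"
    return "drop"


if __name__ == "__main__":
    h = FtpHelper(client_ip="198.51.100.7", server_ip="192.0.2.10")
    # The control channel itself is plain 'new' traffic to port 21: the port 21 rule accepts it.
    print(firewall_verdict("new", 21))                     # accept
    h.observe_server("227 Entering Passive Mode (192,0,2,10,195,80)")
    st = h.classify("198.51.100.7", "192.0.2.10", 50000)
    print(st, firewall_verdict(st, 50000))                 # related accept
    # Without the helper the same SYN stays 'new' and falls through to the drop.
    print(firewall_verdict("new", 50000))                  # drop
```

The point the model makes visible: the data connection in passive mode is a brand-new TCP connection from the client to a port the server only announced a moment earlier, and in active mode it is a connection initiated by the server back towards the client. Neither matches a static "accept port 21" rule, so the helper's 'related' classification plus an early established/related accept is what carries it. The address check in `_announced` is the caveat a practitioner should keep in mind: a helper that trusts whatever IP appears in PORT or PASV lets a peer open holes towards third hosts behind the firewall.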

Thanks fewi for the assistance, you saved my day :smiley: