Firewall - Block All, except HTTP... how to unblock FTP

MikRu · Tue Feb 09, 2016 3:14 pm

Hi, everyone!

If I follow this code:

ros code

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment "allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment "allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment "allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment "allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=20,21 in-interface=LAN comment "allow FTP"
add chain=forward action=drop

It works, clietns can recieve only HTTP, HTTPS, but, FTP - doesnt.
What is a correct way to make usable external Passive and Active FTP?

Sob · Tue Feb 09, 2016 4:38 pm

Do you have FTP conntrack helper enabled in /ip firewall service-port? If you do, it should recognize data connections as related and it should be enough for unencrypted FTP. But it will fail with encrypted connections, you would have to manually allow ports and properly configure clients to use them (that would be for active mode; for passive mode, you would have to allow all outgoing >1024).

MikRu · Tue Feb 09, 2016 4:59 pm

/ip firewall service-port

no, have not enabled it yet. I will try. I was wondering, why my rule with related state not capturing this traffic.

have to allow all outgoing >1024

in this case, it's better to allow all outgoing traffic

Sob · Tue Feb 09, 2016 6:37 pm

Unfortunately, FTP is not firewall-friendly protocol at all, because in addition to primary (control) connection, it uses additional data connections for transfers (inluding directory listings) with completely random ports. It's always either server connecting to client (active mode) or client connecting to server (passive mode) and depending on how strict filtering is on one side or other, there are always some opportunities for problems. As long as control connection is unencrypted and uses default port 21, things work fine in most cases, thanks to the helper scanning control connections for addresses and ports and doing all the magic. But add SSL (and you do want it, because plain transfers readable for anyone on the way are not very good) and the helper is out and you must add all exceptions manually.

MikRu · Tue Feb 09, 2016 6:57 pm

Sob

Thank you for so "opened" answer. I was waiting for some magic ) for FTP, but, as you said, that magic is available only for unencrypted way.

Also, I think about a way, when
1 - client goes to 21 port
2 - MIK adds his IP to "list" in firewall for some time
3 - MIK accepts forwarding of "list" of IP's
4 - after some time, MIK cleares IP "list"

Feklar · Tue Feb 09, 2016 8:47 pm

Sob

Thank you for so "opened" answer. I was waiting for some magic ) for FTP, but, as you said, that magic is available only for unencrypted way.

Also, I think about a way, when
1 - client goes to 21 port
2 - MIK adds his IP to "list" in firewall for some time
3 - MIK accepts forwarding of "list" of IP's
4 - after some time, MIK cleares IP "list"

You could give it a try and see if it works.

add action=accept chain=forward comment="Accept to FTP list" dst-address-list=ftp-remote in-interface=ether5
add action=add-dst-to-address-list address-list=ftp-remote address-list-timeout=2h chain=forward in-interface=ether5 protocol=tcp dst-port=21

Rule 1 will allow all communication to the ftp-remote address list from ether5. The second rule will catch the initial TCP port 21 connection, and add the dst address list to the ftp-remote address list for the specified timeout, 2 hours in this case.

One possible downfall to think about though is all it would take is someone port scanning an IP for port 21 to allow all communication to that IP address list for the timeout with or without an established connection. You could narrow down the 2nd rule to require an established connection, but that would have to be above your established/related rules.

MikRu · Tue Feb 09, 2016 9:04 pm

Feklar

You could narrow down the 2nd rule to require an established connection, but that would have to be above your established/related rules

established/related state of connection does not work with disabled FTP conntrack helper in /ip firewall service-port. I will test it tommorow, with enabled FTP helper.

Feklar · Tue Feb 09, 2016 9:32 pm

You shouldn't need the helper, you are just looking for an already established connection to port 21 for the first rule to match, meaning it's completed the 3 way handshake. The helper is looking inside of that connection to see if there are any related connections to the first. It just needs to be above the "accept established" rules, and it should work. If it is not above that rule in order, then the packet will never be processed by that rule.

Tue Feb 09, 2016 10:45 pm

Is there NAT involved as well? If so, and if there's also encryption, then active mode will never work because the FTP protocol sends the IP address and port number for the client's data connection in-band in the control connection - if the control connection is encrypted, then the protocol helper cannot help. Normally, it inspects the contents of the control session, and when it sees the server send its private IP address for the data socket, the protocol helper modifies this in-band message. The src/dst addresses of the IP header aren't used. Encrypted connections hide this information from the protocol helper so it cannot fix these messages.

MikRu · Wed Feb 10, 2016 8:57 am

with enabled FTP helper

 ip firewall service-port enable ftp

and rule

ip firewall filter add action=accept chain=forward connection-state=related,established protocol=tcp in-interface=LAN

FTP (not secured) works

this is the best solution for now. If anyone have new ideas, please tell

Wed Feb 10, 2016 6:19 pm

Use sftp (ssh-based) instead of ftps.... it only uses a single port.

Of course if this is just an anonymous ftp server and there is no sensitive data being transferred, then good old-fashioned FTP should be fine.
(I think FTP has existed for longer than TCP/IP, actually)

MikRu · Wed Feb 10, 2016 7:22 pm

I need to make FTP work not for me, but for customers behind mikrotik. They may use different FTP.

Wed Feb 10, 2016 7:28 pm

I need to make FTP work not for me, but for customers behind mikrotik. They may use different FTP.

I know customers may want to do different things, but if your NAT configuration only allows certain things to work, then it's unfortunate but what you want and what they want are incompatible.

Like Scotty said, "I canna change the laws of physics."

Firewall - Block All, except HTTP... how to unblock FTP

Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Re: Firewall - Block All, except HTTP... how to unblock FTP

Who is online