07-01-2009, 08:48 AM
Senior Member
Join Date: Oct 2008
Posts: 133
Can't use FTP
Why in the blank does ASG block so much when a lot of stuff is SAFE? This really ticks me off. In no way should it block me from using FTP. How stupid!! I don't think I should have to set rules for every little damn thing. Then I'd end up with hundreds or thousands of rules.
PF is blocking me from using FTP so I can connect to FTP servers out there.

07-01-2009, 08:54 AM
Wizard
Join Date: Jul 2008
Posts: 1,408
Quote:
Originally Posted by buggs1a
Why in the blank does ASG block so much when a lot of stuff is SAFE? This really ticks me off. In no way should it block me from using FTP. How stupid!! I don't think I should have to set rules for every little damn thing. Then I'd end up with hundreds or thousands of rules.
PF is blocking me from using FTP so I can connect to FTP servers out there.

Can you please check/send log screenshots?
Thanks

07-01-2009, 09:16 AM
Senior Member
Join Date: Oct 2008
Posts: 133
It's the 84 IP one. That is the FTP being blocked. I try to connect to ftp.livedrive.com and it is blocked. 84.45.62.203
2009:07:01-00:43:44 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:45 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:46 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:47 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:48 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:49 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:51 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:55 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:44:03 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:44:16 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" outitf="eth0" dstmac="00:01:02:71:e8:f2" srcmac="00:00:00:00:00:00" srcip="73.98.106.1" dstip="224.0.0.1" proto="2" length="28" tos="0x00" prec="0xc0" ttl="1"
2009:07:01-00:44:20 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:21 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:22 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:23 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:24 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:25 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:27 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:31 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:47 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="17.151.16.20" proto="17" length="76" tos="0x00" prec="0x00" ttl="63" srcport="123" dstport="123"
2009:07:01-00:45:16 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" outitf="eth0" dstmac="00:01:02:71:e8:f2" srcmac="00:00:00:00:00:00" srcip="73.98.106.1" dstip="224.0.0.1" proto="2" length="28" tos="0x00" prec="0xc0" ttl="1"
2009:07:01-00:45:21 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN"
2009:07:01-00:45:22 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN"
2009:07:01-00:45:23 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN"
2009:07:01-00:45:24 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN"
2009:07:01-00:45:25 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN"
2009:07:01-00:45:26 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwru

07-02-2009, 07:18 PM
Ninja
Join Date: May 2003
Posts: 291
Hi buggs,
Astaro stops everything by default, which is intended vs having to read documentation and/or remove configuration in order to close holes opened at the factory by a "default" policy. Since our policy is to log and drop everything, this is expected here.
If you'd like a global outgoing allow policy so you don't have to open "outgoing" ports, just do
source: internal network, destination: any, service: any, action: allow
in the packetfilter and place it at the top.
Anytime you see the rule number 60,000+ it's the default rule doing the drop (meaning the traffic has passed through every rule on the table and ended up not being matched, so it falls under the default behaviour). This default rule is not visible on the rules list.
__________________
Angelo Comazzetto
Astaro AG
--------------------------------------------------------
Visit the KB for documentation and help ( www.astaro.com/kb)
Astaro is FULLY free for home use, including all subscriptions. Download it from http://my.astaro.com
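A log triage sketch for the default-rule behaviour described in the post above, added here as an example; it is not part of the thread or of Astaro's tooling. It parses the key="value" fields of the packetfilter log lines and groups drops made by rule numbers 60,000+ by flow, which shows which traffic fell through every explicit rule. The sample lines are abridged from the log posted earlier in the thread, except the last two, which are constructed (a hypothetical user-defined rule number and a line cut off mid-field).

```python
import re
from collections import Counter

# key="value" pairs as they appear in the packetfilter log lines in this thread
KV = re.compile(r'(\w+)="([^"]*)"')
# Per the post above: rule numbers 60,000+ are the hidden default drop rule
DEFAULT_RULE_MIN = 60000

# Lines 1-5 abridged from the thread's log; line 6 (fwrule="3") and the
# truncated line 7 are constructed for this example.
SAMPLE_LOG = '''\
2009:07:01-00:43:44 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:43:45 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" srcport="49398" dstport="21" tcpflags="SYN"
2009:07:01-00:44:16 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth0" srcip="73.98.106.1" dstip="224.0.0.1" proto="2" length="28" ttl="1"
2009:07:01-00:44:20 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" srcport="49411" dstport="21" tcpflags="SYN"
2009:07:01-00:44:47 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" srcip="192.168.1.254" dstip="17.151.16.20" proto="17" srcport="123" dstport="123"
2009:07:01-00:46:02 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwrule="3" initf="eth1" srcip="192.168.1.254" dstip="192.0.2.10" proto="6" srcport="49500" dstport="25" tcpflags="SYN"
2009:07:01-00:45:26 joe ulogd[3251]: id="2001" sub="packetfilter" action="drop" fwru
'''

def parse_line(line):
    """Return the fields of one log line, or None if it is not a usable drop record."""
    fields = dict(KV.findall(line))
    if fields.get("action") != "drop" or not fields.get("fwrule", "").isdigit():
        return None  # not a drop, or truncated before the rule number
    return fields

def default_drops(log_text):
    """Count drops made by the default rule, grouped by flow (source port ignored)."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or int(f["fwrule"]) < DEFAULT_RULE_MIN:
            continue  # skip unusable lines and drops made by explicit rules
        key = (f.get("srcip", "-"), f.get("dstip", "-"), f.get("proto", "-"), f.get("dstport", "-"))
        flows[key] += 1
    return flows

if __name__ == "__main__":
    for (src, dst, proto, dport), n in default_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {dst}  proto={proto} dport={dport}")
```

Each flow in the output is a candidate for a narrowly scoped allow rule (or for leaving blocked), rather than a reason to open everything.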

07-02-2009, 07:21 PM
Super Moderator
Join Date: Feb 2009
Location: In a galaxy far far away
Posts: 762
Quote:
Originally Posted by AngeloC
Anytime you see the rule number 60,000+ it's the default rule doing the drop (meaning the traffic has passed through every rule on the table and ended up not being matched, so it falls under the default behaviour). This default rule is not visible on the rules list.

Thanks for that AngeloC, it will help a lot in future troubleshooting.
__________________
Running Astaro ASG virtual appliance | Home power user 100 IP license
Intel Dual Core 2.4GHz (800MHz) | 4GB (2 x 2GB) PC2-6400 800Mhz 5-5-5-18 | WD 160GB |3 x Intel Pro/1000

07-03-2009, 01:37 AM
Senior Member
Join Date: Oct 2008
Posts: 133
Yes totally! Thank you so much. I do agree with being more secure making us opt in and allow stuff. I am used to other routers and appliances that by default allow lan to wan everything like you suggested I could make a rule for. I prefer that since I'm not needing that explicit security.

07-05-2009, 01:50 AM
Aussie moderator.
Join Date: Jun 2001
Location: Perth, Western Australia
Posts: 2,628
buggs1a, Astaro is a higher end security product.
It should not really be implemented unless you have a clear understanding of how to use it as you could compromise the security of your network.
(Same goes for any firewall setup to be honest).
If you read the FAQs and manuals, or search these forums you should get answers to just about any setup question. (Or even try the online help).
If you are just protecting a small home LAN, maybe just use your router's firewall.
__________________
Simon Shaw
Systems Manager
Micromine PL
Intel 2.66GHz Quad Core, 4GB (2 x 2GB) PC-6400 800Mhz 4-4-4-12, WD 300GB 10K RPM VelociRaptor, Intel Pro/1000 Quad Port PCI-X
http://www.sputcorp.com/

07-05-2009, 12:31 PM
Ninja
Join Date: May 2003
Posts: 291
Anytime. Happy to help out. Enjoy using Astaro, it can do a lot for you. If you get stuck, let us know.
__________________
Angelo Comazzetto
Astaro AG

07-06-2009, 06:09 PM
Senior Member
Join Date: Oct 2008
Posts: 133
Simon, I know all that except it's hard to find how-tos and examples. That is not available for most anything I wanna do in ways I can understand, which means do this step 1 then step 2 etc.
The problem with using a home router for a home network is that it offers no security like the better ones do. No AV and bandwidth counting etc.
Plus I like to learn.

07-06-2009, 07:06 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 4,954
The more-secure way to use FTP is by enabling the FTP proxy in the Astaro.
Go to 'Web Security >> FTP'
On the 'Global' tab,
- [Enable] the proxy,
- choose the "Transparent" mode and
- click the folder to drag 'Internal (Network)' into 'Allowed networks'.
- Click [Apply].
On the 'Advanced' tab, in the 'FTP Servers' section,
- click on the folder and
- drag 'Any' into the box for 'Allowed servers'.
- Click [Apply].
Now you should have no trouble with FTP.
When you turn on the FTP Proxy, the Astaro automatically creates the packet filter rules that you need for FTP. The same thing is done in many places in the Astaro. I believe each of the proxies manages its own packet filter rules.
There are some places where you can choose to create your own packet filter rules. This includes VPNs and NAT rules. That requires you to unclick a box for 'Automatic packet filter rules' that you find there.
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!