Setting up FTP on different port

Eli_DS · #1 (**permalink**) 06-09-2009, 04:42 PM

Dear All,

I have an FTP Server with ip adress: 10.*.*.36 (DMZ):
The ftp server is setup to listen to port 21 (gladly willing to change to 15470 if required)
The ftp server is setup with IIS
Now i would like when entering the following ip adress in IE:
FTP://62.*.*.237:15470
that this adress connects to the ftp server.

will it be required to set up an FTP Proxy ?
What should be the correct DNAT / SNAT setup ?
Which packet filters should i use ?
Intrusion protection is on / off ?

Thanks in advance for your assistance !
Eli_DS

BAlfson · #2 (**permalink**) 06-09-2009, 08:02 PM

Intrusion Protection should not affect this. You will need a DNAT rule for traffic that fits 'Any -> FTP -> [62.*.*.237]' and it should have a changed destination of [10.*.*.36], where the standard definition for "FTP" is '1:65535 -> 21'.

To allow Active FTP traffic, you need two packet filter rules:

'Any' -> [Port 21] -> [10.*.*.36] : 'Allow'
[10.*.*.36] -> [Port 20] -> 'Any' : 'Allow'

You don't need the first rule if you select 'Automatic packet filter rule' in the DNAT definition.

Cheers - Bob

Eli_DS · #3 (**permalink**) 06-10-2009, 08:05 AM

Hello BAlfson,

Thanks for your swift reply.

The rule you provided indeed worked.
but now i have to use the following addres:
ftp://62.*.*.237

I would like to use FTP://62.*.*.237:15470
Is this also possible ?

BarryG · #4 (**permalink**) 06-10-2009, 08:10 AM

You could DNAT port 15470 to port 21.
Don't forget that FTP uses 2 ports though.

Barry

Eli_DS · #5 (**permalink**) 06-10-2009, 08:54 AM

Hello Barry,

I have tested with the following rules

Packet Filter

# 'Any' -> [Port 21] -> [10.*.*.36] : 'Allow'
# [10.*.*.36] -> [Port 20] -> 'Any' : 'Allow

DNAT

Any => [Port 15470] => Wan: 62.*.*.237

Traffic destination: 10.*.*.36 => [Port: 21]

But this doesn't work...
I can log in to the ftp website but then it just says Website found, Waiting for reply...

so probably the website is not answering back on port 15470 ?

BarryG · #6 (**permalink**) 06-11-2009, 01:38 AM

I'm not sure what 'ftp website' means.

Your DNAT looks OK, but what about the second port (port 20)? Do you have it on another port, and appropriate rules, etc.?

Barry

Eli_DS · #7 (**permalink**) 06-11-2009, 01:07 PM

Barry,

With FTP Website i just mean when I connect to ftp://62.*.*237:15470

for the second port we keep port 20.

Eli_DS · #8 (**permalink**) 06-16-2009, 12:11 PM

Hey all,

After doing some spitting in the logs the following is happening:

13:08:11 Packetfilter rule #4 TCP
WAN IP : 1929
→
DMZ IP : 15470

[SYN] len=48 ttl=117 tos=0x00

13:08:14 Packetfilter rule #4 TCP
WAN IP : 1930
→
DMZ IP : 15470

[SYN] len=48 ttl=117 tos=0x00

13:08:14 Packetfilter rule #4 TCP
WAN IP : 1892
→
DMZ IP : 15470

[ACK PSH] len=46 ttl=117 tos=0x00

These above rules pass when i am trying to acces the ftp server.

The rule is:

Any => DMZ IP
Over port 15470

So apperently on the firewall side everything gets passed, but still there is no response from the ftpserver...

after a minute i get:
The operation timed out...

If any one would be able to tell me what i'm doing wrong, I would be most thankful!