Re: Passive FTP Problem in NAT.


svavar@xxxxxxxxx wrote:
I have an FTP server located on my DMZ network. The server is listening on a “non-standard” FTP port. It listens on port 2121.

To generate my firewall config I use FwBuilder. I’ve tried many configurations, but I never get the data port to open (e.g. to list a directory).

In my configuration I’ve allowed and NAT’ed the following services to my FTP server located on the DMZ:

FTP      = TCP Destination Port: Start: 2121 – End: 2121
FTP_DATA = TCP Source Port:      Start: 20   – End: 20
           Destination Port:    Start: 1024 – End: 65535

I can connect, but cannot list the directories.

p.s. I’m running Proftpd on my FTP server. I have also tried to configure “PassivePorts= 60000 65534” to configure a group of passive ports.
But it’s the same issue with the directory listing.

Without having a look into your actual rules (or the relevant part of them), it is hard to tell what is wrong. Neither I (nor most people here) can guess what rules FwBuilder would generate. Give us the actual rules, somebody might spot what is wrong, and then you can try to get FwBuilder to generate correct rules.


My guesses would be that you either:

a) did not load ip_nat_ftp module (it doesn't get loaded automatically)

b) failed to specify that your FTP server is on a non-default port (from the documentation: -m helper --helper ftp-2121, but I haven't tested if this will suffice, maybe you also need to pass the port number to the module directly).

c) the first packet of the data connection is going to be in RELATED state (not NEW), if you have ip_nat_ftp loaded (which in turn loads ip_conntrack_ftp).

d) most important of all: passive FTP data transfers do not use port 20. Both ports (source and destination) should be 1024+. This is because the connection is from client to server. Port 20 is used by active FTP data transfers (and the connection is from server to client).

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
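
Added illustration of points (c) and (d) above; this is not code from the thread, and it does not touch netfilter. It decodes a PASV reply the way a client would, builds the first packet of the resulting data connection, and runs it through a toy rule matcher: the FTP_DATA rule exactly as posted (source port 20) never matches a passive data connection, while either a RELATED/ESTABLISHED rule (when the ftp conntrack helper tracks the 2121 control channel) or a static rule for the PassivePorts range does. The `helper_loaded` flag stands in for the real ip_conntrack_ftp/ip_nat_ftp behaviour, and all addresses and the PASV reply are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is how the server tells the
# *client* where to connect for the data channel (RFC 959 reply format).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a PASV reply into (host, port); port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Conn:
    """First packet (SYN) of a TCP connection as the firewall sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str  # conntrack state: NEW, RELATED or ESTABLISHED


@dataclass(frozen=True)
class Rule:
    """Simplified accept rule; any field left as None is a wildcard."""
    name: str
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, c: Conn) -> bool:
        if self.sport and not (self.sport[0] <= c.src_port <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= c.dst_port <= self.dport[1]):
            return False
        if self.states is not None and c.state not in self.states:
            return False
        return True


def first_match(rules: List[Rule], c: Conn) -> Optional[str]:
    """Name of the first rule accepting the packet, or None (would be dropped)."""
    for r in rules:
        if r.matches(c):
            return r.name
    return None


def passive_data_conn(client_ip: str, client_port: int, pasv_reply: str,
                      helper_loaded: bool) -> Conn:
    """Build the SYN the client sends for the data channel after a PASV reply.
    helper_loaded is a stand-in (assumption) for the ftp conntrack helper tracking
    the 2121 control channel: then the SYN is RELATED, otherwise it is only NEW."""
    host, port = parse_pasv(pasv_reply)
    return Conn(client_ip, client_port, host, port,
                "RELATED" if helper_loaded else "NEW")


# The FTP_DATA rule from the question: source port 20, destination 1024-65535.
POSTERS_FTP_DATA = Rule("FTP_DATA (as posted)", sport=(20, 20),
                        dport=(1024, 65535), states=frozenset({"NEW"}))
# Helper-based rule: accept whatever conntrack linked to the control channel.
HELPER_RULE = Rule("RELATED,ESTABLISHED",
                   states=frozenset({"RELATED", "ESTABLISHED"}))
# Static fallback for ProFTPD's PassivePorts 60000-65534, independent of the helper.
PASSIVE_RANGE_RULE = Rule("PassivePorts 60000-65534", dport=(60000, 65534),
                          states=frozenset({"NEW", "RELATED"}))


def demo() -> dict:
    # Constructed sample: server public address 192.0.2.10, client 198.51.100.7,
    # server announces data port 234*256+96 = 60000 (inside PassivePorts).
    reply = "227 Entering Passive Mode (192,0,2,10,234,96)"
    no_helper = passive_data_conn("198.51.100.7", 40123, reply, helper_loaded=False)
    with_helper = passive_data_conn("198.51.100.7", 40123, reply, helper_loaded=True)
    return {
        "data_port": parse_pasv(reply)[1],
        "posted_rule_only": first_match([POSTERS_FTP_DATA], no_helper),
        "helper_rule": first_match([POSTERS_FTP_DATA, HELPER_RULE], with_helper),
        "range_rule_no_helper": first_match([POSTERS_FTP_DATA, PASSIVE_RANGE_RULE], no_helper),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the posted rule returning None for the passive data SYN (its source port is an ephemeral client port, never 20), while the RELATED/ESTABLISHED rule accepts it once the helper has linked it to the control channel, and the PassivePorts range rule accepts it even without the helper. The range rule is the simpler thing to verify in a generated ruleset, since it does not depend on the helper module being loaded or knowing about port 2121.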
