in4ni
Member Candidate
Topic Author
Posts: 191
Joined: Thu Dec 09, 2004 4:22 am
Location: Jax, Fl USA

FTP firewall rule not working

Fri Apr 20, 2007 7:09 pm

I am using an RB532 as a broadband router, and I am kind of doing my firewall rules in reverse order by dropping everything and allowing just the services I want. All my rules work great except my allow-FTP rule. It seems like the firewall is allowing port 21 but not 20.

Any suggestions?

Thank you


#
/ ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=accept comment="" \
disabled=no
add chain=input protocol=tcp dst-port=3389-3390 action=accept comment="" \
disabled=no
add chain=input protocol=tcp action=drop comment="" disabled=no
add chain=forward src-address-list="no internet" action=drop comment="Drop \
internet access \(see list\)" disabled=no
add chain=forward connection-state=established action=accept comment="Accept \
Established Connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="Drop invalid \
connections" disabled=no
add chain=forward protocol=tcp dst-port=20-21 action=accept comment="Allow \
FTP" disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment="Allow Http" \
disabled=no
add chain=forward protocol=tcp dst-port=443 action=accept comment="Allow \
HTTPS" disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="Allow \
POP3" disabled=no
add chain=forward protocol=udp dst-port=123 action=accept comment="Allow NTP" \
disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="Allow SMTP" \
disabled=no
add chain=forward protocol=udp dst-port=53 action=accept comment="Allow DNS" \
disabled=no
add chain=forward protocol=tcp dst-port=23 action=accept comment="Allow \
Telnet" disabled=no
add chain=forward protocol=tcp dst-port=3389-3390 action=accept \
comment="Allow RDP" disabled=no
add chain=forward protocol=icmp action=accept comment="Allow Ping out" \
disabled=no
add chain=forward action=drop comment="Drop Everything else" disabled=no
 
in4ni

Thu Apr 26, 2007 3:56 pm

Someone please chime in. This little problem is annoying.
 
sroa
just joined
Posts: 14
Joined: Mon Dec 19, 2005 10:09 pm
Location: Puebla Mexico

Thu Apr 26, 2007 8:13 pm

Did you try writing one rule for port 20 and another rule for port 21?
 
in4ni

Thu Apr 26, 2007 8:24 pm

Yes, I did try separate rules, to no avail. Thank you for the reply.

Are both ports 20 and 21 TCP ports?



Thank you
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Apr 26, 2007 9:28 pm

Turn on the FTP helper in Firewall - Service Ports.

Add a rule to allow Related packets in the Forward chain.

Remember that FTP has two modes, normal and passive, which manage their data channel in completely different ways.

Once you have this working, I suggest you revisit your Forward chain and specify an input interface for each rule to distinguish between inbound and outbound traffic. Also, specify 'New connection' for each rule.

Regards

Andrew
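Putting Andrew's three suggestions together, this is what the poster's ruleset looks like with the FTP helper enabled, a RELATED rule added, and in-interface plus connection-state=new on every forward rule. It is an added example, not the original poster's configuration and not anything from MikroTik; the interface names ether1 (LAN) and ether2 (WAN) are assumptions, and the commands are written in RouterOS 3.x style, so older 2.9 builds may spell the service-port command differently.

```routeros
# Added example, not the poster's or MikroTik's configuration.
# Assumptions: ether1 = LAN, ether2 = WAN, RouterOS 3.x syntax.

# 1. Enable the FTP connection-tracking helper. It watches the control
#    channel on port 21, reads the PORT / PASV exchange and marks the data
#    connection that follows as RELATED. A fixed dst-port=20 rule cannot do
#    this: in active mode the server connects FROM port 20 to a port the
#    client chose, in passive mode the client connects to a high port the
#    server chose, so dst-port=20 never matches the data channel.
/ip firewall service-port
set ftp disabled=no ports=21

/ip firewall filter
# Input chain, reduced to what the posted rules need. The posted version
# dropped only protocol=tcp, so UDP and ICMP still reached the router.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=accept comment="Winbox from LAN only"
add chain=input in-interface=ether2 action=drop comment="Drop everything else arriving from WAN"

# Forward chain: state rules first, then one rule per allowed service.
add chain=forward src-address-list="no internet" action=drop comment="Drop internet access (see list)"
add chain=forward connection-state=established action=accept comment="Accept established"
add chain=forward connection-state=related action=accept comment="Accept related: FTP data channel, both modes"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"

# 2. New connections from the LAN only. in-interface keeps a rule from being
#    matched by a packet that arrives from the WAN with the same dst-port.
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=21 action=accept comment="Allow FTP control out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=80 action=accept comment="Allow HTTP out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=443 action=accept comment="Allow HTTPS out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=110 action=accept comment="Allow POP3 out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=25 action=accept comment="Allow SMTP out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=23 action=accept comment="Allow Telnet out"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=3389-3390 action=accept comment="Allow RDP out"
add chain=forward in-interface=ether1 connection-state=new protocol=udp dst-port=53 action=accept comment="Allow DNS out"
add chain=forward in-interface=ether1 connection-state=new protocol=udp dst-port=123 action=accept comment="Allow NTP out"
add chain=forward in-interface=ether1 protocol=icmp action=accept comment="Allow ping out"

add chain=forward action=drop comment="Drop everything else"
```

To check that the helper is doing its job, run a transfer from a LAN host and look at `/ip firewall connection print` while it is in progress: the control connection to port 21 and a second, data connection appear, and the data connection is the one the RELATED rule accepts. Two caveats for anyone reusing this: the helper only watches the ports listed in `ports=`, so an FTP server on a non-standard port needs that list extended; and it reads the PORT/PASV commands in clear text, so it cannot track the data channel of an FTPS session whose control channel is encrypted.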
 
in4ni

Thu Apr 26, 2007 9:53 pm

Allowing related connections did it!!


Thank you