Issue with NAT and Passive FTP

Hi all,

I have to create a rule that permits reaching an internal FTP server from the WAN. I read all the topics I could find here on the Community, but couldn't make it work.

Here's the situation.

The internal FTP server is a CentOS7 server that runs VSFTPD. This is the configuration:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ascii_upload_enable=YES
ascii_download_enable=YES
listen=YES
listen_ipv6=NO
dual_log_enable=YES
log_ftp_protocol=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=NO
use_localtime=YES

pasv_address=<my_public_address>
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50010

listen_port=9021

As you can see, the non-standard port 9021 is used. Also, I assigned ports 50000-50010 for passive FTP connections.

I created the following rule at the top, called "SFTPE9021" (see screenshots below):

Finally, on the XG console, I set:

set service-param FTP add port 9021

set advanced-firewall ftpbounce-prevention data

When I try to connect via FTP from a client, I receive the following messages (FileZilla):

Status: Connecting to <my_public_address>:9021...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.2)
Command: USER <my_user>
Response: 331 Please specify the password.
Command: PASS **********
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/<my_user>"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (xx,xx,xx,xx,195,82).   #I removed the IP

Command: LIST
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
Error: Connection timed out after 20 seconds of inactivity

With TCPDUMP on the FTP server I can see traffic on port 9021, but none on the 50000-50010.

Also, in the XG logs, I see traffic only towards my WAN address (Port2), but none to the FTP server's addresses (public or private). Nothing useful in the Linux logs on the FTP server either.

I think that XG is the problem because, when I set a local address in the pasv_address parameter of the VSFTPD configuration file, passive FTP works fine from inside the LAN.

Do you have any ideas?

Thank you very much!

P.S.

I know that plain FTP is non-secure and other protocols should be used, but it is a request for very old legacy machines... you know the story :)

EDIT: I forgot: I use XG v17.5.0 GA.
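Added example, not part of the post and not vsftpd or Sophos code: a small Python check that parses a vsftpd configuration like the one above together with the 227 reply seen in the FileZilla log, decodes the advertised data port the way a firewall's FTP helper has to (p1*256 + p2, so "195,82" is port 50002, inside the 50000-50010 range), and lists what a NAT device in front of the server must forward. The config text, the log line and the 203.0.113.5 address are constructed placeholders; the private-range test covers RFC 1918 and loopback only.

```python
"""Check a vsftpd passive-mode setup against the 227 reply a client saw.

Added example, not from the post: the config text, the log line and the
203.0.113.5 address below are constructed placeholders mirroring the thread.
"""
import re

SAMPLE_VSFTPD_CONF = """\
# constructed sample with the same passive settings as the post
listen=YES
listen_port=9021
pasv_enable=YES
pasv_address=203.0.113.5
pasv_min_port=50000
pasv_max_port=50010
connect_from_port_20=YES
"""

# constructed FileZilla-style log line; 195*256 + 82 = 50002
SAMPLE_227 = "Response: 227 Entering Passive Mode (203,0,113,5,195,82)."

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_vsftpd_conf(text):
    """key=value lines; blank lines and '#' comments are ignored, as vsftpd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def decode_227(line):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"no 227 passive reply in {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("each 227 field must be 0-255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_lan_address(host):
    """RFC 1918 or loopback: an address a WAN client cannot reach."""
    a, b, *_ = (int(x) for x in host.split("."))
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def check_passive_setup(conf, reply_line, client_dialled_ip):
    """What the NAT device must forward, plus anything inconsistent."""
    findings = []
    if conf.get("pasv_enable", "YES").upper() != "YES":
        findings.append("pasv_enable is not YES; clients cannot use passive mode")
    lo = int(conf.get("pasv_min_port", "0"))
    hi = int(conf.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        findings.append("pasv_min_port/pasv_max_port unset: vsftpd would use any "
                        "free port, which no fixed forwarding rule can cover")
    elif lo > hi:
        findings.append(f"pasv_min_port {lo} is above pasv_max_port {hi}")
    host, port = decode_227(reply_line)
    if lo and hi and not lo <= port <= hi:
        findings.append(f"advertised port {port} is outside {lo}-{hi}")
    if is_lan_address(host) and not is_lan_address(client_dialled_ip):
        findings.append("a LAN address was advertised to a client on the public "
                        "side; pasv_address should be the public IP")
    if host != client_dialled_ip:
        findings.append(f"advertised {host} differs from the dialled "
                        f"{client_dialled_ip}; the data connection goes to the former")
    return {
        "advertised": (host, port),
        "must_be_forwarded": {"control": int(conf.get("listen_port", "21")),
                              "data": (lo, hi)},
        "findings": findings,
    }


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    print(check_passive_setup(conf, SAMPLE_227, "203.0.113.5"))
```

With the thread's settings the check reports no findings and says that 9021/tcp plus the whole 50000-50010/tcp range must be forwarded to the server; feeding it a 227 that carries the server's private address (the pasv_address setting that works from inside the LAN) flags the mismatch a WAN client would hit.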

  • You need to look at your mapped ports; you don't have any. Do a search of the forums on how to set up a business rule.

    Ian

  • You are right, I see some traffic, but not as I expected. I followed this KB to create a NAT Business rule: https://community.sophos.com/kb/en-us/122976 

    I attach here some screenshots. I made a connection test at 17:01.

    • My laptop's public IP is .195.23
    • FTP server's public IP is .25.111
    • FTP server's local address is .19
    • 192. is the WAN's port address
    • The rule I created is number 10

    Setting the FTP server's public IP in the filter as Source or Destination does not show anything pertinent (just other traffic).

    Setting the FTP server's local IP as Destination does not show anything.

    Here is the output with the FTP server's local IP as Source:

    I set my laptop's IP as Source, and this is the output.

    I have the same output if I set port 9021 as Dst port (no other filters).

    Instead, if I set port 9021 as the Source port, I found this issue:

    FTP-bounce attack? I set port 9021 as the FTP port with the console command; shouldn't that avoid it?

    About the "Could not associate..." alarms: it could be because I dropped the connection from the client (killed FileZilla), and I read on the Community that they are not relevant... correct?

    What do you suggest about the FTP-bounce attack alarm?

    Thanks

  • The Mapped Port is always empty if you use multiple ports/services in one DNAT rule. This is normal.

    I am pretty sure the Invalid Traffic "Could not associate..." traffic is just dropped traffic, so not the root cause of your issue.

    First of all, I am not quite sure if the DNAT rule supports passive FTP... XG handles FTP via a proxy. So in normal firewall policies you can check "Scan FTP for malware", but you cannot do it in DNAT rules. I am not sure if this will work at all.

    You should perform some kind of tcpdump and check what is going on.

    community.sophos.com/.../how-to-tcpdump-on-xg

    Or you should think about an alternative via VPN + FTP Proxy :) 

  • Hi, thank you for your reply!

    I troubleshot a lot with tcpdump and noticed that the FTP connection on port 9021 works fine, and also the "cd" and "pwd" commands work (with "quote PASV" on the CentOS FTP server I see the passive port "starts listening"). I simplified the configuration to just one passive port (40000).

    The issue is on the passive FTP port: on XG, with tcpdump I see NO traffic on port 40000, on ANY interface (the command I launched is: tcpdump -i any -n -X 'tcp port 40000').

    When I use the command "ls" or "get" on the ftp command line (now I'm trying with single commands, not with FileZilla), I get the error "ftp: connect: Connection refused".

    This is the output when I try "ls" command:

    SFVH_SO01_SFOS 17.5.0 GA# tcpdump -i any -n -X 'tcp port 40000' or 'tcp port 9021'
    tcpdump: Starting Packet Dump
    16:32:22.090173 Port2, IN: IP *CLIENT_PUB_IP*.33476 > *WAN_IP*.9021: Flags [P.], ack 17198511, win 229, options [nop,nop,TS val 2437851120 ecr 883035613], length 6
    0x0000: 4500 003a 0049 4000 3806 bb8f 0224 c317 E..:.I@.8....$..
    0x0010: c0a8 0102 82c4 233d 5c61 9602 0106 6daf ......#=\a....m.
    0x0020: 8018 00e5 bb69 0000 0101 080a 914e a7f0 .....i.......N..
    0x0030: 34a2 0ddd 5041 5356 0d0a 4...PASV..
    16:32:22.090308 Port1, OUT: IP *CLIENT_PUB_IP*.33476 > *FTP_LOCAL_IP*.9021: Flags [P.], ack 17198511, win 229, options [nop,nop,TS val 2437851120 ecr 883035613], length 6
    0x0000: 4500 003a 0049 4000 3706 bd7e 0224 c317 E..:.I@.7..~.$..
    0x0010: c0a8 0013 82c4 233d 5c61 9602 0106 6daf ......#=\a....m.
    0x0020: 8018 00e5 bc58 0000 0101 080a 914e a7f0 .....X.......N..
    0x0030: 34a2 0ddd 5041 5356 0d0a 4...PASV..
    16:32:22.090957 Port1, IN: IP *FTP_LOCAL_IP*.9021 > *CLIENT_PUB_IP*.33476: Flags [P.], ack 6, win 227, options [nop,nop,TS val 883085426 ecr 2437851120], length 51
    0x0000: 4500 0067 df5f 4000 4006 d53a c0a8 0013 E..g._@.@..:....
    0x0010: 0224 c317 233d 82c4 0106 6daf 5c61 9608 .$..#=....m.\a..
    0x0020: 8018 00e3 fda4 0000 0101 080a 34a2 d072 ............4..r
    0x0030: 914e a7f0 3232 3720 456e 7465 7269 6e67 .N..227.Entering
    0x0040: 2050 6173 7369 7665 204d 6f64 .Passive.Mod
    16:32:22.091068 Port2, OUT: IP *WAN_IP*.9021 > *CLIENT_PUB_IP*.33476: Flags [P.], ack 6, win 227, options [nop,nop,TS val 883085426 ecr 2437851120], length 51
    0x0000: 4500 0067 df5f 4000 3f06 d54b c0a8 0102 E..g._@.?..K....
    0x0010: 0224 c317 233d 82c4 0106 6daf 5c61 9608 .$..#=....m.\a..
    0x0020: 8018 00e3 fcb5 0000 0101 080a 34a2 d072 ............4..r
    0x0030: 914e a7f0 3232 3720 456e 7465 7269 6e67 .N..227.Entering
    0x0040: 2050 6173 7369 7665 204d 6f64 .Passive.Mod
    16:32:22.125108 Port2, IN: IP *CLIENT_PUB_IP*.33476 > *WAN_IP*.9021: Flags [.], ack 52, win 229, options [nop,nop,TS val 2437851154 ecr 883085426], length 0
    0x0000: 4500 0034 004a 4000 3806 bb94 0224 c317 E..4.J@.8....$..
    0x0010: c0a8 0102 82c4 233d 5c61 9608 0106 6de2 ......#=\a....m.
    0x0020: 8010 00e5 a928 0000 0101 080a 914e a812 .....(.......N..
    0x0030: 34a2 d072 4..r
    16:32:22.125213 Port1, OUT: IP *CLIENT_PUB_IP*.33476 > *FTP_LOCAL_IP*.9021: Flags [.], ack 52, win 229, options [nop,nop,TS val 2437851154 ecr 883085426], length 0
    0x0000: 4500 0034 004a 4000 3706 bd83 0224 c317 E..4.J@.7....$..
    0x0010: c0a8 0013 82c4 233d 5c61 9608 0106 6de2 ......#=\a....m.
    0x0020: 8010 00e5 aa17 0000 0101 080a 914e a812 .............N..
    0x0030: 34a2 d072 4..r

    I also tried to create "one big rule" with one service for all the ports (9021+40000) as suggested here:

    The result is the same... in conclusion it seems that XG does not receive packets on the passive port. 

    Also, I always see the "FTP-bounce attack" message:

    Do you have any suggestions?

    Thanks
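Added example, not from the thread and not Sophos or vsftpd code: a probe that repeats what FileZilla and the ftp command did in the posts above (log in, send PASV, decode the 227, open the data connection) and classifies the outcome, so the "Connection refused" on the data port can be told apart from a silent drop. The capture above shows the PASV and the 227 being translated between Port2 and Port1 while nothing at all arrives for port 40000; in TCP terms a refused connect means a RST came back from the advertised address, and a timeout means the SYN was dropped. The stub server below is a constructed loopback stand-in so the example runs offline; the user name, password and addresses are assumptions.

```python
"""Passive-FTP data-connection probe with a loopback stub server.

Added example, not from the thread: the stub is a constructed stand-in for
vsftpd so the probe runs offline; the probe itself does what FileZilla and
the ftp command did (login, PASV, decode 227, connect to the data port).
"""
import re
import socket
import threading

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_227(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256+p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 passive reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def start_stub_ftp(advertise_host, open_data_port=True):
    """Constructed stub (not vsftpd) on 127.0.0.1; returns its control port.

    advertise_host plays the role of pasv_address. With open_data_port=False
    the port named in the 227 is not listening, so the client gets a RST:
    the "connection refused" the thread shows.
    """
    ctrl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ctrl.bind(("127.0.0.1", 0))
    ctrl.listen(1)
    ctrl_port = ctrl.getsockname()[1]

    def session():
        conn, _ = ctrl.accept()
        ctrl.close()
        data = None
        conn.sendall(b"220 (stub, not vsFTPd)\r\n")
        with conn, conn.makefile("rb") as lines:
            for raw in lines:
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("USER "):
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd.startswith("PASS "):
                    conn.sendall(b"230 Login successful.\r\n")
                elif cmd == "PASV":
                    data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    data.bind(("127.0.0.1", 0))
                    port = data.getsockname()[1]
                    if open_data_port:
                        data.listen(1)
                    else:
                        data.close()  # nothing listens on the advertised port
                    h = advertise_host.replace(".", ",")
                    conn.sendall(f"227 Entering Passive Mode ({h},{port // 256},"
                                 f"{port % 256}).\r\n".encode("ascii"))
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")
        if data is not None:
            data.close()

    threading.Thread(target=session, daemon=True).start()
    return ctrl_port


def probe_passive(host, port, user="user", password="secret", timeout=3.0, try_data=True):
    """Log in, send PASV and attempt the advertised data endpoint.

    result['data']: 'ok', 'refused' (RST from the advertised address: something
    answered but did not forward to the server's passive port), 'timeout'
    (SYN dropped), 'skipped' (try_data=False) or 'error:<errno>'.
    """
    result = {"banner": None, "advertised": None, "address_mismatch": None, "data": None}
    with socket.create_connection((host, port), timeout=timeout) as c, c.makefile("rb") as lines:
        def exchange(command):
            c.sendall(command.encode("ascii") + b"\r\n")
            return lines.readline().decode("ascii", "replace").rstrip()

        result["banner"] = lines.readline().decode("ascii", "replace").rstrip()
        exchange(f"USER {user}")
        exchange(f"PASS {password}")
        try:
            data_host, data_port = decode_227(exchange("PASV"))
        except ValueError:
            result["data"] = "no-227"
            return result
        result["advertised"] = (data_host, data_port)
        # pasv_address set to a LAN IP shows up here: the server tells the
        # client to connect somewhere other than the address it dialled.
        result["address_mismatch"] = data_host != host
        if not try_data:
            result["data"] = "skipped"
        else:
            try:
                with socket.create_connection((data_host, data_port), timeout=timeout):
                    result["data"] = "ok"
            except ConnectionRefusedError:
                result["data"] = "refused"
            except socket.timeout:
                result["data"] = "timeout"
            except OSError as exc:
                result["data"] = f"error:{exc.errno}"
        exchange("QUIT")
    return result


if __name__ == "__main__":
    print(probe_passive("127.0.0.1", start_stub_ftp("127.0.0.1")))
    print(probe_passive("127.0.0.1", start_stub_ftp("127.0.0.1", open_data_port=False)))
```

Run against a real server, probe_passive(public_ip, 9021, user, password) from a host on the WAN side gives "refused" when the control port is forwarded but the passive range is not, "timeout" when the range is dropped, and address_mismatch=True when pasv_address still points at the LAN address; pass try_data=False to read the 227 without opening the data connection.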