Issue with NAT and Passive FTP

Hi, any ideas?

You need to look at your mapped ports, you cont have any. Do a search of the forums on how to setup a business rule.

Ian

You are right, I see some traffic, but not as I expected. I followed this KB for to create a NAT Business rule: https://community.sophos.com/kb/en-us/122976 

I attach here some screenshots. I made a connection test at 17:01.

• My laptop's public IP is .195.23
• FTP server's public IP is .25.111
• FTP server's local address is .19
• 192. is the WAN's port address
• The rule I created is number 10

Setting FTP server's public IP in the filter as Source or Destination does not show anything pertinent (just other traffic).

Setting FTP server's local IP as Destination does not show anything.

Here is the output with the FTP server's local IP as Source:

I set my laptop's IP as Source, and this is the output.

I have the same output if I set port 9021 as Dst port (no other filters).

Instead, if I set port 9021 as Source port, I found this issue:

FTP-bounce attack? I set port 9021 as FTP port with the console command, shouldn't it avoid it?

About the "Could not associate..." alarms it could be because I dropped the connection by the client (killed FileZilla), and I read on the Community that they are not relevant... correct?

What do you suggest about the FTP-bounce attack alarm?

Thanks

The Mapped Port is always empty, if you uses multiple Ports / services in one DNAT Rule. This is normal. 

I am pretty sure, the Invalid Traffic - "Could not associate..." Traffic is just dropped traffic, so no Root Cause of your issue. 

First of all, i am not quite sure, if the DNAT Rule supports passive FTP... XG handles FTP via Proxy. So in normal firewall policies, you can check "Scan FTP for malware". But you cannot do it in DNAT rules. I am not sure, if this will work at all. 

You should perform some kind of tcpdump and check, what is going on. 

community.sophos.com/.../how-to-tcpdump-on-xg

Or you should think about an alternative via VPN + FTP Proxy :) 

Can you check your firewall rule with ID 10? Is there something with IPS enabled? Otherwise it shouldn't block the traffic. And what about these advanced-firewall ftpbounce-prevention options? There is control and data. Can you switch these on and off for testing? 

Regards,

Andreas

Hi, thank you for your reply!

I troubleshooted a lot with tcpdump and I noticed that FTP connection on port 9021 works fine, and also "cd" and "pwd" commands work (with "quote PASV" on CentOS FTP server I see the passive port "starts listening"). I simplified the configuration with just one passive port (40000).

The issue is on the passive FTP port: on XG, with tcpdump I see NO traffic on port 40000, on ANY interface (the command I launched is: tcpdump -i any -n -X 'tcp port 40000').

When I use the command "ls" or "get" on ftp command line (now I'm trying with single commands, not with FileZilla), I get the error "ftp: connect: Connection refused".

This is the output when I try "ls" command:

SFVH_SO01_SFOS 17.5.0 GA# tcpdump -i any -n -X 'tcp port 40000' or 'tcp port 9021'
tcpdump: Starting Packet Dump
16:32:22.090173 Port2, IN: IP *CLIENT_PUB_IP*.33476 > *WAN_IP*.9021: Flags [P.], ack 17198511, win 229, options [nop,nop,TS val 2437851120 ecr 883035613], length 6
0x0000: 4500 003a 0049 4000 3806 bb8f 0224 c317 E..:.I@.8....$..
0x0010: c0a8 0102 82c4 233d 5c61 9602 0106 6daf ......#=\a....m.
0x0020: 8018 00e5 bb69 0000 0101 080a 914e a7f0 .....i.......N..
0x0030: 34a2 0ddd 5041 5356 0d0a 4...PASV..
16:32:22.090308 Port1, OUT: IP *CLIENT_PUB_IP*.33476 > *FTP_LOCAL_IP*.9021: Flags [P.], ack 17198511, win 229, options [nop,nop,TS val 2437851120 ecr 883035613], length 6
0x0000: 4500 003a 0049 4000 3706 bd7e 0224 c317 E..:.I@.7..~.$..
0x0010: c0a8 0013 82c4 233d 5c61 9602 0106 6daf ......#=\a....m.
0x0020: 8018 00e5 bc58 0000 0101 080a 914e a7f0 .....X.......N..
0x0030: 34a2 0ddd 5041 5356 0d0a 4...PASV..
16:32:22.090957 Port1, IN: IP *FTP_LOCAL_IP*.9021 > *CLIENT_PUB_IP*.33476: Flags [P.], ack 6, win 227, options [nop,nop,TS val 883085426 ecr 2437851120], length 51
0x0000: 4500 0067 df5f 4000 4006 d53a c0a8 0013 E..g._@.@..:....
0x0010: 0224 c317 233d 82c4 0106 6daf 5c61 9608 .$..#=....m.\a..
0x0020: 8018 00e3 fda4 0000 0101 080a 34a2 d072 ............4..r
0x0030: 914e a7f0 3232 3720 456e 7465 7269 6e67 .N..227.Entering
0x0040: 2050 6173 7369 7665 204d 6f64 .Passive.Mod
16:32:22.091068 Port2, OUT: IP *WAN_IP*.9021 > *CLIENT_PUB_IP*.33476: Flags [P.], ack 6, win 227, options [nop,nop,TS val 883085426 ecr 2437851120], length 51
0x0000: 4500 0067 df5f 4000 3f06 d54b c0a8 0102 E..g._@.?..K....
0x0010: 0224 c317 233d 82c4 0106 6daf 5c61 9608 .$..#=....m.\a..
0x0020: 8018 00e3 fcb5 0000 0101 080a 34a2 d072 ............4..r
0x0030: 914e a7f0 3232 3720 456e 7465 7269 6e67 .N..227.Entering
0x0040: 2050 6173 7369 7665 204d 6f64 .Passive.Mod
16:32:22.125108 Port2, IN: IP *CLIENT_PUB_IP*.33476 > *WAN_IP*.9021: Flags [.], ack 52, win 229, options [nop,nop,TS val 2437851154 ecr 883085426], length 0
0x0000: 4500 0034 004a 4000 3806 bb94 0224 c317 E..4.J@.8....$..
0x0010: c0a8 0102 82c4 233d 5c61 9608 0106 6de2 ......#=\a....m.
0x0020: 8010 00e5 a928 0000 0101 080a 914e a812 .....(.......N..
0x0030: 34a2 d072 4..r
16:32:22.125213 Port1, OUT: IP *CLIENT_PUB_IP*.33476 > *FTP_LOCAL_IP*.9021: Flags [.], ack 52, win 229, options [nop,nop,TS val 2437851154 ecr 883085426], length 0
0x0000: 4500 0034 004a 4000 3706 bd83 0224 c317 E..4.J@.7....$..
0x0010: c0a8 0013 82c4 233d 5c61 9608 0106 6de2 ......#=\a....m.
0x0020: 8010 00e5 aa17 0000 0101 080a 914e a812 .............N..
0x0030: 34a2 d072 4..r

I also tried to create "one big rule" with one service for all the ports (9021+40000) like suggested here:

The result is the same... in conclusion it seems that XG does not receive packets on the passive port. 

Also, I always see the "FTP-bounce attack message":

Do you have any suggestions?

Thanks

Hi Andreas,

Business Rule ID 10 (also 11) has "None" in "Intrusion prevention" menu, so I don't think it's related.

ftpbounce is set to "data". If I switch to "control", the ftp command "ls" hangs and I have to quit the prompt with CTRL+C.

I also tried to add port 40000 in "service-param FTP", or using Refexive rules, but it does not change.

Important (I think so): I also tried with a FileZilla Server on Windows instead of vsftpd, and the behaviour is the same. This is because I'd point the finger on XG.

Hi Andreas,

Business Rule ID 10 (also 11) has "None" in "Intrusion prevention" menu, so I don't think it's related.

ftpbounce is set to "data". If I switch to "control", the ftp command "ls" hangs and I have to quit the prompt with CTRL+C.

I also tried to add port 40000 in "service-param FTP", or using Refexive rules, but it does not change.

Important (I think so): I also tried with a FileZilla Server on Windows instead of vsftpd, and the behaviour is the same. This is because I'd point the finger on XG.

Hi scaglio,

have you looked at this post?

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/97757/ftp-passive-mode

does this help?

Hi Argo,

yes, I mentioned it in the previous post when I said about the "one big rule with one service". No luck with that.

I have the suspect that the company's ISP is blocking by default some high ports, so connection to port 40000 can't arrive to XG firewall. I asked them to verify, I'll keep you updated.

Hi all, The root cause if the issue was... the ISP, which had the passive high ports closed.

Now they've been opened and XG rule is the same (number 11) I posted a few days ago, with one service and several ports (connection + data). Works fine!

Thank you for yor suggestions!