
Allowing FTP inbound through firewall

Hello,

I'm working with a company that manages our timeclocks. (badge based system...not important.) What is important, is that in order for the clocks to do a firmware update, supposedly, the company makes an ftp connection to the clocks. Like, wan -> lan, tcp 21 -> 1:65535. Which is essentially how I have it configured.

Src : Zone -> WAN, Networks->Their IP address

Dest: Zone->LAN,Networks->Ip range of timeclocks

Services: TCP&UDP 1:65535->21:22, TCP&UDP 21:22->1:65535

Not matching users.

No web malware / content scanning boxes checked.

IP: WAN TO LAN

No traffic shaping, Web Policy->Allow All, Application Control->Allow All

Using standard MASQ


Firewall log picks up the traffic, but says it cannot associate the packet to a connection, which I don't know what to do with.

The log entry matches my rule entry exactly, yet, still doesn't allow it through.

----------------Ex.---------------

time                  log type         Action  in interface  src ip          dest ip      src port  dest port  protocol  message

2019-06-06 10:31:34   Invalid Traffic  Denied  Port2         **Company IP**  **My GatewayIP**  21   40289      TCP       Could not associate packet to any

---------------------------------


Any help would be very much appreciated.


Regards,

Dan
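To make the quoted log row easier to reason about, here is an added example (not part of the original post) that parses a Sophos XG log row of this shape into fields and states which end of the packet looks like a service port and which like an ephemeral port. The row is the one quoted above with the masked addresses replaced by constructed RFC 5737 documentation addresses; the column layout, the `Port2` interface name and the "Could not associate" message are taken from the post.

```python
"""Parse a Sophos XG firewall log row and describe the denied packet.

Added example, not from the original thread. The row below is the one quoted in
the post; the masked IPs are replaced by constructed documentation addresses.
"""
import re

# Constructed sample: same columns as the thread's log row.
SAMPLE_ROW = (
    "2019-06-06 10:31:34   Invalid Traffic  Denied  Port2   203.0.113.10   "
    "198.51.100.1   21   40289   TCP   Could not associate packet to any"
)

ROW_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<log_type>.+?)\s{2,}"      # multi-word column such as "Invalid Traffic"
    r"(?P<action>\S+)\s+"
    r"(?P<in_iface>\S+)\s+"
    r"(?P<src_ip>\S+)\s+"
    r"(?P<dst_ip>\S+)\s+"
    r"(?P<src_port>\d+)\s+"
    r"(?P<dst_port>\d+)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<message>.*)$"
)

# Well-known ports relevant to this thread (RFC 959 / IANA assignments).
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 22: "ssh"}


def parse_row(row):
    """Split one log row into a dict; ports become ints."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"row does not match the expected column layout: {row!r}")
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def describe(entry):
    """Classify the packet by which side carries a service port.

    Returns (kind, explanation). 'reply' means the service port is on the
    source side and the destination port is ephemeral, i.e. the packet is
    shaped like a server's answer in a session the destination host opened;
    'request' means the service port is on the destination side.
    """
    sp, dp = entry["src_port"], entry["dst_port"]
    if sp in WELL_KNOWN and dp >= 1024:
        return ("reply",
                f"{WELL_KNOWN[sp]} (port {sp}) on {entry['src_ip']} -> ephemeral port {dp} "
                f"on {entry['dst_ip']}: shaped like a response to a session "
                f"{entry['dst_ip']} opened, not a new connection to port {sp}")
    if dp in WELL_KNOWN and sp >= 1024:
        return ("request",
                f"ephemeral port {sp} on {entry['src_ip']} -> {WELL_KNOWN[dp]} (port {dp}) "
                f"on {entry['dst_ip']}: a new inbound connection to the service")
    return ("unknown", f"no well-known port on either side ({sp} -> {dp})")


if __name__ == "__main__":
    e = parse_row(SAMPLE_ROW)
    kind, why = describe(e)
    print(f"{e['time']} {e['action']} on {e['in_iface']}: {kind}")
    print(why)
    print("firewall message:", e["message"])
```

The "Could not associate packet to any" message is the firewall reporting that it found no existing connection state for the packet; the classifier only shows that, with source port 21 and destination port 40289, the denied packet has the shape of a server-side answer rather than a fresh connection to port 21, which is worth knowing before changing the rule.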



  • Additionally, I put a computer on the same rules as the time clocks and I am able to make an outbound FTP connection to the required IP address.

    Regards,

    Dan.

    Lee Precision, Inc.

    Systems Administrator, Web and Software developer.

  • FTP is kinda tricky.

    Most likely you are using FTP passive, right? 

    https://slacksite.com/other/ftp.html

    So you are basically allowing the control traffic with Port 21 and Port 22.

    But you are missing the high port. XG has an FTP helper, but it is bundled with the FTP Proxy. (Correct me if I am wrong.)

    So you would need to figure out, which ports are also needed in your FTP solution.

    This is possible via TCPdump. 

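The point above about the high port is easiest to see by decoding the FTP control channel itself. The following is an added example (not LuCar's code or Sophos's) that walks a constructed control-channel transcript, decodes the `PASV` reply and `PORT` command (both use the `h1,h2,h3,h4,p1,p2` encoding from RFC 959, port = p1*256 + p2), and lists which host must accept an inbound data connection on which port. The addresses, port values and session lines are constructed; `negotiate` and `inbound_data_ports` are names chosen here.

```python
"""FTP data-channel negotiation and the ports a firewall in front of each side must allow.

Added example, not from the original thread. The control-channel transcript is
constructed; addresses come from the RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PASV replies and PORT commands."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("each field must fit in one octet")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class DataConnection:
    mode: str        # "passive" or "active"
    initiator: str   # host that opens the TCP data connection
    target: str      # host that must accept it
    port: int        # listening port on the target


def negotiate(control_lines, client_ip, server_ip):
    """Return every data connection the control channel negotiates.

    Passive: the client sends PASV and the server's 227 reply names the
    address/port the client must connect to. Active: the client sends PORT
    naming the address/port the server must connect to.
    """
    conns = []
    pending_active = None
    for raw in control_lines:
        line = raw.strip()
        if line.upper().startswith("PORT "):
            pending_active = decode_hostport(line)
        elif line.startswith("200") and pending_active is not None:
            host, port = pending_active
            conns.append(DataConnection("active", server_ip, host, port))
            pending_active = None
        elif line.startswith("227"):
            host, port = decode_hostport(line)
            conns.append(DataConnection("passive", client_ip, host, port))
    return conns


def inbound_data_ports(conns, host):
    """Ports on `host` that must accept inbound data connections."""
    return sorted({c.port for c in conns if c.target == host})


# Constructed sample session: one passive transfer, then one active transfer.
SERVER = "203.0.113.10"   # remote FTP server (constructed)
CLIENT = "192.0.2.25"     # device behind the firewall (constructed)
SAMPLE_SESSION = [
    "220 FTP server ready",
    "USER clock01", "331 Password required", "PASS ****", "230 Logged in",
    "PASV", "227 Entering Passive Mode (203,0,113,10,195,89)",
    "RETR firmware.bin", "150 Opening data connection", "226 Transfer complete",
    "PORT 192,0,2,25,156,178", "200 PORT command successful",
    "RETR config.txt", "150 Opening data connection", "226 Transfer complete",
    "QUIT", "221 Goodbye",
]

if __name__ == "__main__":
    for c in negotiate(SAMPLE_SESSION, CLIENT, SERVER):
        print(f"{c.mode:8} {c.initiator} -> {c.target}:{c.port}")
    print("inbound data ports on client:", inbound_data_ports(negotiate(SAMPLE_SESSION, CLIENT, SERVER), CLIENT))
```

With the sample session the passive transfer needs the client to reach port 50009 on the server, while the active transfer needs the server to reach port 40114 on the client; a rule that only permits port 21 covers neither, and the high port is different every session, which is why an FTP-aware helper or a capture of the real negotiation (as suggested above) is needed before the rule can be written.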

  • Hey LuCar,


    That article was helpful, and allowed me to clean up my firewall rule a bit, but I'm still not sure.

    First, I have never seen an FTP server reaching out, unsolicited, to make a connection. Have you? (When considering the article, such a connection doesn't even exist.)

    Secondly, a "technical" representative from this company said all I had to do was open port 21 to their IP address for an FTP connection...but that doesn't make any sense to me. Of course the firewall doesn't know what to do with the traffic; it is just random inbound traffic.

    Would some kind of port forwarding/trigger make sense? Like, incoming traffic on port 21 -> Timeclock IP's?

    I've asked the representative for more information on their FTP server's configuration. I don't think that there is much more that I can do in the meantime.

    Lastly, what is the FTP helper/proxy that you have mentioned? Is it a CLI-only feature or can it be found on the GUI side too?

    Regards,

    Dan


    Lee Precision, Inc.

    Systems Administrator, Web and Software developer.

  • FTP Helper / FTP Proxy is for making outbound FTP connections, and one of its main purposes is to do AV scanning.


    You are doing inbound.  The firewall has an incoming FTP connection that specifies the firewall itself as the destination.  It doesn't know what to do with it or where to forward it.  This is much like having web servers hosted in your network and using Web server protection / WAF.

    In the firewall you need to create a "Business Application Rule" not a "User/network Rule".  But after that, I don't know.  A DNAT rule?
