
Can't get passive FTP to work.

I have two business rules defined.  One to forward port 21 to my server and another to forward the range of passive ports that my FTP server will use in passive mode:

Firewall rule #5 seems to be working as I can get to the ftp in active mode.  However, when I switch over to pasv mode, the connection times out while waiting on a response back from the server. 

The security logs show that the PASV response from the server back to my client was denied by rule #5 as being "invalid traffic"  with a message id of 01001.

I have no IPS profiles set for rule #5 so I'm not really sure why it's blocking it and I have found no description to what "invalid traffic" means. 

A couple of other details: the IP address is an alias of my main WAN address:

I also did a drop-packet-capture via the console and this is what I got back:

2016-07-10 12:37:24 0102021 IP 216.30.182.253.21 > 10.0.0.13.61047 : proto TCP: P 1544974664:1544974715(51) win 256 checksum : 26611
0x0000:  4500 005b 07ba 0000 7f06 9aba d81e b6fd  E..[............
0x0010:  0a00 000d 0015 ee77 5c16 7148 8b70 c28a  .......w\.qH.p..
0x0020:  5018 0100 67f3 0000 3232 3720 456e 7465  P...g...227.Ente
0x0030:  7269 6e67 2050 6173 7369 7665 204d 6f64  ring.Passive.Mod
0x0040:  6520 2832 3136 2c33 302c 3138 322c 3235  e.(216,30,182,25
0x0050:  332c 3137 2c31 3038 290d 0a              3,17,108)..
Date=2016-07-10 Time=12:37:24 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=4 source_mac= dest_mac= l3_protocol=IP source_ip=216.30.182.253 dest_ip=10.0.0.13 l4_protocol=TCP source_port=21 dest_port=61047 fw_rule_id=5 policytype=3 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=5 category_id=5 bandwidth_id=0 up_classid=3833462902447144960 dn_classid=0 source_nat_id=0 cluster_node=2 inmark=0 nfqueue=0 scanflags=100 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=8 masterid=2611580576 status=0 state=446 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

Any ideas as to what is wrong?

Thanks

  • Hi Frank,

    If you have an additional IP address provided by your ISP, configure an alias on the existing WAN interface. Please refer to https://community.sophos.com/kb/en-US/123095.

    Next, forward all the ports on the additional IP address and have Masquerading OFF in the business rule. As you are configuring passive FTP, forwarding all the ports will come in handy.

    NOTE: Do not forward all the ports on the default WAN IP address, as it can result in losing access to the device.

    Thanks

  • Hi,


    I already have the alias defined and it works, so that's not an issue. 


    I have 2 business rules, one to forward port 21 and the other to forward just the ports I will be using for passive connections. If I turn off MASQ in the port 21 rule, then I can no longer get an FTP connection.


    I created a new rule (and disabled the other 2) and forwarded all ports with MASQ off. No connection to the FTP server. If I turn MASQ on, I get the same problem as before. I can connect to the server but passive mode does not work.

    Thanks

  • Well, I think I solved my problem. My FTP server is set up to broadcast its public IP address as a response to the PASV command. That looks like it may have caused the firewall to think it was a spoof attack and dropped the packet. So I changed the server to broadcast its private IP address and that seems to have gotten things to play nice with the firewall and MASQ.
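To show concretely what the capture above contains and why the reply was treated as invalid, here is an added example (not from the thread or from Sophos) that decodes the captured packet, parses the RFC 959 "227" reply, applies the consistency check that conntrack-style FTP helpers perform, and shows the address rewrite the NAT helper can do once the server advertises its internal address. The server's internal IP (192.0.2.10) is an assumed stand-in, since the thread never gives it.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: the packet from the thread's drop-packet-capture,
# re-typed here as one hex string (IPv4 header + TCP header + payload).
CAPTURED_PACKET_HEX = (
    "4500005b07ba00007f069abad81eb6fd0a00000d0015ee775c1671488b70c28a"
    "5018010067f3000032323720456e746572696e672050617373697665204d6f64"
    "6520283231362c33302c3138322c3235332c31372c313038290d0a"
)
# Assumed stand-in for the FTP server's internal address (not given in the thread).
SERVER_INTERNAL_IP = IPv4Address("192.0.2.10")
PASV_TUPLE = re.compile(rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def tcp_payload(packet: bytes):
    """Split an IPv4/TCP packet into (src_ip, dst_ip, src_port, dst_port, payload)."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src_ip, dst_ip = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4            # TCP data offset in bytes
    return src_ip, dst_ip, sport, dport, packet[ihl + data_off:]

def parse_pasv_reply(payload: bytes):
    """Decode an RFC 959 '227 ... (h1,h2,h3,h4,p1,p2)' reply into (ip, port), or None."""
    m = PASV_TUPLE.search(payload) if payload.startswith(b"227 ") else None
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def pasv_matches_server(server_ip: IPv4Address, payload: bytes) -> bool:
    """Check modelled on conntrack-style FTP helpers: the address a PASV reply
    advertises must be the server's own address on the control connection;
    anything else (e.g. the public alias) is treated as invalid traffic."""
    parsed = parse_pasv_reply(payload)
    return parsed is not None and parsed[0] == server_ip

def rewrite_pasv_reply(payload: bytes, public_ip: IPv4Address) -> bytes:
    """What the NAT helper can do once the server advertises its internal IP:
    substitute the public address, keeping the port, before the reply leaves."""
    parsed = parse_pasv_reply(payload)
    if parsed is None:
        return payload
    port = parsed[1]
    new_tuple = f"({public_ip.exploded.replace('.', ',')},{port // 256},{port % 256})"
    return PASV_TUPLE.sub(new_tuple.encode(), payload, count=1)
```

The captured reply advertises 216.30.182.253:4460 (17*256+108), which fails the check against the server's internal address, while a reply advertising 192.0.2.10 passes and rewrites cleanly to the public alias.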