Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 1912 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

cant use ftp

buggs1a
why in the blank does asg block so much when a lot of stuff is SAFE? This really ticks me off. In no way should it block me from using ftp. How stupid!! I don't think i should have to set rules for every little damn thing. then I'd end up with hundreds or thousands of rules.

PF is blocking me from using ftp so i can connect to ftp servers out there.


This thread was automatically locked due to age.
  • 0
    why in the blank does asg block so much when a lot of stuff is SAFE? This really ticks me off. In no way should it block me from using ftp. How stupid!! I don't think i should have to set rules for every little damn thing. then I'd end up with hundreds or thousands of rules.

    PF is blocking me from using ftp so i can connect to ftp servers out there.


    Can u please  check/send log 
    screen shots


    Thanks
  • 0 in reply to utm_kid
    It's the 84 ip one. that is the ftp being blocked. I try to connect to ftp.livedrive.com and it is blocked. 84.45.62.203

    2009:07:01-00:43:44 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:45 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:46 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:47 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:48 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:49 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:51 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:43:55 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:03 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49398" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:16 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" outitf="eth0" dstmac="00:01:02:71:e8:f2" srcmac="00:00:00:00:00:00" srcip="73.98.106.1" dstip="224.0.0.1" proto="2" length="28" tos="0x00" prec="0xc0" ttl="1" 
    2009:07:01-00:44:20 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:21 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:22 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:23 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:24 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:25 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:27 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:31 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49411" dstport="21" tcpflags="SYN" 
    2009:07:01-00:44:47 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="17.151.16.20" proto="17" length="76" tos="0x00" prec="0x00" ttl="63" srcport="123" dstport="123" 
    2009:07:01-00:45:16 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth0" outitf="eth0" dstmac="00:01:02:71:e8:f2" srcmac="00:00:00:00:00:00" srcip="73.98.106.1" dstip="224.0.0.1" proto="2" length="28" tos="0x00" prec="0xc0" ttl="1" 
    2009:07:01-00:45:21 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN" 
    2009:07:01-00:45:22 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN" 
    2009:07:01-00:45:23 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN" 
    2009:07:01-00:45:24 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN" 
    2009:07:01-00:45:25 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:40:f4:58:9c:a7" srcmac="00:01:02:71:e8:f2" srcip="192.168.1.254" dstip="84.45.62.203" proto="6" length="48" tos="0x00" prec="0x00" ttl="63" srcport="49417" dstport="21" tcpflags="SYN" 
    2009:07:01-00:45:26 joe ulogd[3251]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwru
  • +1 in reply to buggs1a
    hi buggs,

    Astaro stops everything by default, which is intended vs having to read documentation and/or remove configuration in order to close holes opened at the factory by a "default" policy. Since our policy is to log and drop everything, this is expected here.

    if you'd like a global outgoing allow policy so you dont have to open "outgoing" ports, just do

    source: internal network destination:any service: any action: allow in the packetfilter and place it at the top. 

    Anytime you see the rule number 60,000+ its the default rule doing the drop (meaning the traffic has passed through every rule on the table and ended up not being matched, so it falls under the default behaviour). This default rule is not visible on the rules list.
  • 0 in reply to AngeloC

    Anytime you see the rule number 60,000+ its the default rule doing the drop (meaning the traffic has passed through every rule on the table and ended up not being matched, so it falls under the default behaviour). This default rule is not visible on the rules list.


    Thanks for that AngeloC, It will help a lot in future troubleshooting
  • 0 in reply to wingman
    Yes totally! Thank you so much. I do agree with being more secure making us opt in and allow stuff. I am used to other routers and appliances that by default allow lan to wan everything like you suggested I could make a rule for. I prefer that since I'm not needing that explicit security.
  • 0 in reply to buggs1a
    buggs1a, Astaro is a higher end security product.

    It should not really be implemented unless you have a clear understanding of how to use it as you could compromise the security of your network.
    (Same goes for any firewall setup to be honest).

    If you read the FAQs and manuals, or search these forums you should get answers to just about any setup question.  (Or even try the online help).

    If you are just protecting a small home LAN, maybe just use your routers firewall.
  • 0 in reply to Simon Shaw
    Anytime. Happy to help out. Enjoy using Astaro, it can do a lot for you. If you get stuck, let us know.
  • 0 in reply to Simon Shaw
    Simon, I know all that except it's hard to find how tos and examples. That is not available for most anything I wanna do in ways I can understand which means do this step 1 then step 2 etc.

    The problem with using s home router for a home network is thst it offers no security like the better ones do. No AV and bandwidth counting etc. 
    Plus i like to learn.
  • 0 in reply to buggs1a
    The more-secure way to use FTP is by enabling the FTP proxy in the Astaro.

    Go to 'Web Security >> FTP'
    On the 'Global' tab, 
    - [Enable] the proxy, 
    - choose the "Transparent" mode and 
    - click the folder to drag 'Internal (Network)' into 'Allowed networks'.  
    -Click [Apply].

    On the 'Advanced' tab, in  the 'FTP Servers' section, 
    -click on the folder and 
    -drag 'Any' into the box for 'Allowed servers'.  
    -Click [Apply].

    Now you should have to trouble with FTP.

    When you turn on the FTP Proxy, the Astaro automatically creates the packet filter rules that you need for FTP.  The same thing is done in many places in the Astaro.  I believe each of the proxies manages its own packet filter rules.

    There are some places where you can choose to create your own packet filter rules.  This includes VPNs and NAT rules. That requires you to unclick a box for 'Automatic packet filter rules' that you find there.

    Cheers - Bob