
Brano (MVM) to TheJoker
Re: Replaced 2WG with USG20W

Enable logging on that specific FTP FW rule and on the default rule.

As for admin access, if you don't need it, block it completely on the firewall. There may be a default rule you need to kill.

Here are some tips »Secure your USG - quick how-to

Anav (Premium Member) to TheJoker
First of all, do NOT kill any default rules. Bad advice.

I believe the port forwarding rule is first.

First thing to do is check if you can access the FTP server from another computer on the LAN, using the LANIP address of the FTP server.

If so, then you know it's more likely a WAN to LAN FW or port forwarding issue.

The next thing to do is go to »www.grc.com/x/ne.dll?bh0bkyd2 (Shields Up) and test your connection (common ports) to see which ports are open. If you've done it right your router will fail because port 21 is exposed.

If port 21 is not visible then the router setup is wrong for one reason or another.
Anav (Premium Member) to TheJoker
Ensure you go into SYSTEM on the router page and ensure FTP is NOT enabled. This is for FTP admin access to the router. I would also change the port to something non-standard to ensure no conflict.

TheJoker (MVM)
Well, I just locked myself out, and neither computer has a COM port for the console cable. Does Reset go back to all default rules?

Brano (MVM)
Holding down the reset button for 10 secs will revert to default config. After reboot you can still find your previous config in last-good.conf.

... get USB-to-Serial adapter

TheJoker (MVM)
I also saved the configuration file last night. Time to get a USB to ancient serial port cable.

FYI, what I found with GRC was that 21 was not open. I thought the way I did it was that it was only forwarded for the one IP of my user. With the firewall off, it is open (along with lots of others). With the firewall on, only port 443 was open. That's when I disabled that, and cut myself off.
TheJoker (MVM)
Reset, applied Lastgood worked, but it was the factory default. I saved a configuration last night, but it won't load it, error -39001, operation is prohibited. Guess I'll start over.
TheJoker (MVM)
Found the problem loading a saved configuration file. For what I was trying to fix when I locked myself out (the open port 443 that GRC found, the only open port): since I wouldn't be accessing the device remotely, would this be the correct firewall rule (being careful), or will this lock me out from the LAN also?

From: WAN
To: ZyWALL
Description: Custom Rule Block 443
Schedule: None
User: Any
Source: Any
Destination: Any
Service: HTTPS
Access: Deny
Log: Yes

Edit, that worked, and I didn't manage to lock myself out that time.
TheJoker (MVM)
Still having difficulty with my external user. Can't connect to FTP either through port 21, or using PASV on a different port and a port range for PASV (the way I had it configured on the previous 2WG). Same with being able to ping, he can't ping me. I did create services for ping (looked at how it was done with the 2WG), and I can successfully be pinged by another site (GRC), but not from his IP.

To start with the ping first, I created two services:

Name: Custom_ECHO_Reply
IP Protocol: ICMP
ICMP Type: echo reply

Name: Custom_ECHO_Request
IP Protocol: ICMP
ICMP Type: echo

I then created an address object for GRC_Shields_up

Name: GRC_Shields_up
Address Type: HOST
IP Address: 4.79.142.206

And a firewall rule to allow the ping from GRC:

Enable
From: WAN
To: ZyWALL
Description: Test GRC Allow Ping
Schedule: none
User: any
Source: GRC_Shields_up
Destination: any
Service: Custom_ECHO_Request
Access: allow
Log: log

That works just fine, and I can be successfully pinged from GRC. When I create a similar object for the IP of my external user, and a similar rule, it doesn't work, and I can't be pinged. It also doesn't log, even though the rule is to log. Any idea what's wrong?

Gork (Member)
This is how FTP works. First off, server-side FTP uses connections over two ports to transfer data. The first port, the "control port," is used to define a data connection over a separate port (and, I believe, to send FTP commands over as well). This port is commonly port 21 on the FTP server. The second port, the "data port," is used to actually transfer the file data.

If you use ACTV (non PASV), FTP works by:
FTP server listens on port 21. When client connects on port 21, the FTP server tells the client which data port on the client side it will attempt to make a data connection to. The client should prepare to receive a connection on this data port. The server then sends a data connection request from server side port 20 to this random high numbered port on the client side.

The problem is that if the client is behind a NAT and/or firewall, the firewall will probably block the server's attempt to connect on this random port, unless the client's firewall has some kind of ALG in place to glean what port the FTP server is going to connect to and opens that port.

PASV mode was set up to "fix" this issue:
FTP server listens on port 21 to establish a connection. The FTP server also has a predefined range of ports it listens on for data connections. (In my experience this has always been definable by the administrator of the FTP server.) When a user connects to port 21, the FTP server lets the client know which port in the predefined range it will be listening on for the data connection and the client connects to the server through that port on the server side to establish the data connection.

So, in order to establish a PASV FTP connection the SERVER'S firewall must set up firewall rules and NAT (if applicable) to allow clients to connect both through port 21 and the predefined port range as well. The number of simultaneous connections to the FTP server is limited (at least in part) to how many ports are defined in the "predefined range." (I only used a range of four ports for my FTP server - it was just for me, family and friends.)

As you can see, FTP ALG is useful on the client side, not the server side. Though not common, I guess it's possible an FTP ALG could be set up on the server side so the firewall could normally block connections through the "predefined range" and only open specific ports when the FTP server needs them. But I have not seen this sort of a thing set up in software or hardware devices. (But when I used to utilize FTP I was using cheap Linksys NAT (only) type firewall devices. I suppose more advanced routers may have server-side FTP ALG programming available for use.) According to Brano, server side FTP ALG does work on the USG series (»Re: Replaced 2WG with USG20W), but I have no experience using server side FTP ALG.

Brano (MVM)
Active FTP vs. Passive FTP, a Definitive Explanation
»slacksite.com/other/ftp.html

Gork (Member)
Brano: I just updated my post to indicate acknowledgement of your earlier contribution in this thread regarding this issue.

It seems easy enough to set up, and I assume it would automatically create any necessary fw and NAT rules "on the fly?" However, my suggestion to the op, since he is having trouble, is to manually get FTP working to ensure the process is understood then try switching over to using server side FTP ALG.

ACTV/PASV FTP was the biggest pain for me to learn back when I was first learning about connections and ports. But when I FINALLY figured it out it was truly a "duh'oh moment." But it certainly is a very weird "protocol."

EDIT:
The site you linked, Brano, is the very site I breezed over to refresh my memory. It is not ZyXEL specific. And I am quite sure that client side FTP ALG is much more common than server-side, if server-side FTP ALG even exists. Without client-side FTP ALG a client behind a NAT device and/or firewall would be blocked from ever initiating any ACTV FTP connection with an FTP server.

The site linked doesn't specifically discuss ALG but does seem to indicate what I have described with regard to ACTV connections:
quote:
The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.
Gork (Member)
Continued:

In looking at the GUI on my USG20W it doesn't appear the FTP ALG section is anything different than what I've seen before; it appears to be for client side connections from behind the USG to an ACTV FTP server on the WAN side. So unless there's something else built into the USG to handle server side "FTP ALG" and/or another related page on the GUI for the USG besides Configuration -> Network -> ALG it appears to me the FTP ALG in the USG is for clients behind the USG, not for servers behind the USG. (I guess there's a third option, that I may be confused about something related to the USG itself. I'm certainly not in the same league as others in this forum.)

Anav (Premium Member)
I use FTP behind the ZyWALL with no issues following Brano's advice.

If dydns is setup properly (associated with the WANIP of the op)
If the port forwarding rule allows access to all to the PC serving the FTP
If the firewall rule allows access to (all or specific WANIP or range of WANIPs) to the pc serving the FTP.

Then it should work.

+++++++++++++++++++++

Right now I fail the grc test because 443 is exposed but it does note that the port is closed.

Under System for Admin control: I have a non-standard port selected, and I do not redirect HTTP to HTTPS.
Not sure what was there originally for zones, but the ALL ALL accept rule is still at the bottom (assuming default, and I don't muck with those). On top of that I have all the zones as all all accept (tunnel, lan1, lan2, dmz). Just below that, in between the zones and the default rule, I have one just for WAN that is all all DENY.

In other words, no access to management of router from WAN side.
(I guess, one could access from an L2TP tunnel the way I have this setup).

In other words my 443 exposure has nothing to do at this point with my admin SYS rules setup. So it's in the default rules, and checking, yes, it's in the WAN to ZyWALL default rules (Default_allow_Wan_to_Zywall). Checking this under Object -> Service Group: AH, ESP, GRE, HTTPS, IKE, NATT and VRRP are all on the default list.

Since I personally have had bad karma touching default rules, if I wanted to block the https (443) service from being open, I would simply ensure a wan to zywall rule just before the default rule (blocking https.)
Note that using the word reject still shows the port as visible but not open. By using the word DENY, grc no longer even sees the port.

So it's fairly easy to ensure 443 is not visible at all. The question I have is, do I need NATT and VRRP at all? Don't know what they are for and don't think I've ever used them (AH, ESP, IKE being IPsec related; forget what GRE is for). Next post will work on ping.
Anav (Premium Member)
Okay making router pingable. Note this is not required for successful FTP but perhaps it is helpful.

I will assume this is also a WAN to ZyWALL firewall rule entity.
In older routers there were shenanigans in the security side of the house beside firewall rule (two places required to manipulate ping).

I found (on my list #64) a service called PING; its IP protocol is ICMP and its ICMP Type is echo. Added this as a WAN to ZyWALL rule and quickly failed the GRC test; the 3rd sentence just above the ports table stated:

Ping is just to the router, not to the PC with the FTP server.

Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

So making it pingable seems fairly easy; not quite sure what you were trying to do. In your case turn it on plus the logging, and also for your firewall rule for FTP, just to see if your friend actually reaches the router to any degree.
Anav (Premium Member) to TheJoker
I still think your problem is in the virtual server port forwarding setup.

My advice is to keep the port forwarding open and use your firewall to discriminate.

In other words, the VS rule should be of the form:
Incoming interface: WAN
Original IP: Any
Mapped IP:
(Two choices here to point to the PC FTP Server - create an object for it IP 192.168.x.x = myftpserver) and select that name or just put User Defined and in the popup box enter the LAN IP address of the FTP server.)
I use object names primarily because I can use them here and in the FW rule, and they're easier to adjust later.

Port Mapping Type: Service
Original Service: FTP (router provided one)
Mapped Service: FTP (router provided one)

(note it will show the ports automatically 20-21 TCP ).

Then go to firewall rules
WAN to LAN

Make your rule.
User -- ANY
Source -- WANIP of friend (or range of WANIPs)
(this is where to reduce access)
Destination is easy -- your object name of PC FTP server
Service is easy -- select FTP (router provided one)
Access -- Allow
Log -- Log

A. Now for troubleshooting, start with Source as ANY, then confirm it's your friend connecting and narrow it down just to that IP.

B. I should caution, I never have an open FTP server; it's always password protected for each user. A secure FTP is even better.
As soon as I get confirmation of the accurate IP address I lock it down just to that IP in the FW rule afterwards, change source.
But for troubleshooting I am happy to use password protection to get started.

Brano (MVM) to Gork
said by Gork:

And I am quite sure that client side FTP ALG is much more common than server-side, if server-side FTP ALG even exists.

I've tested accessing FTP both ways with FTP server being behind USG or on WAN side, both active and passive connectivity.
The FTP_ALG works on both, so short answer would be it's both client and server FTP_ALG.

TheJoker (MVM)
Still can't figure out what is wrong. My external user can't even ping, it just times out for him, and I get no log entry.

I have 3 port forwarding rules, one for the higher FTP signalling port, one for the PASV range, and one for FTP service. All were set as:
Incoming Interface: wan1
Original IP: Object-External-User_IP
Mapped IP: Object-My_workstation_IP
Port Mapping Type: Port
Protocol Type: any

For the signaling port:
Original Port: 2345 (nominally)
Mapped Port: 2345

For the PASV range:
Original Start Port: 3456 (nominally)
Original End Port: 3465
Mapped Start Port:3456
Mapped End Port:3465

And for the Standard FTP port:
Port Mapping Type: Service
Original Service: FTP
Mapped Service: FTP

I have an added firewall rule at top:
Enable
From: WAN
To: LAN1
Description: Custom_Forward
Schedule: none
User: any
Source: Object-External-User_IP
Destination: Object-My_workstation_IP
Service: any
Access: allow
Log: log

All had NAT loopback enabled. He cannot connect, and there is no log entry.

I've changed the rule to allow to any destination, and had a warning that I had to turn NAT loopback off for that, and did so. Waiting to see if he can successfully connect.

I have two other firewall rules, one to allow GRC to ping, and one to allow him to ping. The rule for GRC works, the rule for him to ping doesn't, and again no log entry.

Anav (Premium Member) to TheJoker
Start over and set it up the way I (and Brano) suggested; you have too many rules and need to simplify. What you're doing makes no sense to me.

What FTP program are you using? I had no problems with SERVU, for example.

Gork (Member)
@Brano; Thanks for the clarification. I'm almost curious enough to set up an FTP server for testing...

@The Joker; What is this "signaling port" you're referring to? You're using port 21, right? There should be no need to forward a "signaling port." If you set this up manually:

Forward port 21
Open port 21 in firewall for WAN to FTP server
Forward ports 3456 to 3460 (I'd open more than one)
Open ports 3456 to 3460 in the firewall for WAN to FTP server

Make sure you've set up the FTP server to use ports 3456-3460 for PASV connections. Make sure the FTP server is set up to use normal port 21. If it has the option, set port 20 as the data port for ACTV connections.

Done.

If your tester is behind a NAT router and/or firewall make sure they're attempting connections via PASV. (If they know about FTP ALG their router/firewall may allow them to connect to your FTP server via ACTV, but it would have to be activated properly. And any software firewall they have running may need special settings as well.)

Be aware of any software firewall programs you or your tester may be running during testing. Also, for testing purposes, if your tester isn't computer savvy, you may want to have them turn off any software firewall and connect their computer directly to the Internet.

Beyond that, I know that @Brano ain't no dummy, if he says all you need to do is activate the FTP ALG in the router for either server or client connections to work properly I would tend to believe him.
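To make the active/passive distinction Gork explains concrete, here is an added example (not code from any poster, nor ZyXEL's) that decodes the two wire encodings FTP uses for its data channel, the client's PORT command and the server's 227 Entering Passive Mode reply, and checks whether a passive data port falls inside the range forwarded at the USG. The range 3456-3460 is the one in the steps just above; the IP addresses are constructed, and the RFC 1918 check stands in for the address rewrite a server-side FTP ALG would have to do.

```python
"""Decode FTP data-channel endpoints and check them against forwarded ports.

Added example for this thread, not code from any poster or from ZyXEL.
Active mode: the client sends `PORT h1,h2,h3,h4,p1,p2` and the server
connects back to that client port. Passive mode: the server replies
`227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` and the client connects to
that server port, which the server-side firewall and NAT must admit.
All IP addresses below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Six comma-separated decimal fields: four address octets, then port hi, port lo.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"PORT\s+" + _HOSTPORT + r"\s*")
_PASV_REPLY = re.compile(r"227\b[^(]*\(" + _HOSTPORT + r"\).*")
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    mode: str  # "active": server dials the client; "passive": client dials the server


def _decode(fields):
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range in %r" % (fields,))
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]  # port = p1 * 256 + p2


def parse_port_command(line):
    """Client -> server, active mode: the endpoint the client listens on."""
    m = _PORT_CMD.fullmatch(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    host, port = _decode(m.groups())
    return DataEndpoint(host, port, "active")


def parse_pasv_reply(line):
    """Server -> client, passive mode: the endpoint the server listens on."""
    m = _PASV_REPLY.fullmatch(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    host, port = _decode(m.groups())
    return DataEndpoint(host, port, "passive")


def inbound_side(endpoint):
    """Which side must accept an unsolicited inbound connection for the data channel."""
    return "client" if endpoint.mode == "active" else "server"


def server_side_permits(endpoint, forwarded_ranges):
    """Does the *server's* firewall/NAT admit this data connection?

    Active: the server connects out, so its own inbound rules are not the
    obstacle (the client's NAT is, unless the client has an FTP ALG).
    Passive: the advertised port must be forwarded and allowed inbound.
    """
    if inbound_side(endpoint) == "client":
        return True
    return any(lo <= endpoint.port <= hi for lo, hi in forwarded_ranges)


def advertised_host_reachable(endpoint):
    """A server behind NAT that puts its private LAN address into the 227
    reply cannot be reached by an outside client; a server-side FTP ALG
    rewrites that address (and opens the port) on the fly."""
    addr = ip_address(endpoint.host)
    return not any(addr in net for net in _RFC1918)


def check_passive_setup(reply, forwarded_ranges):
    """Summarise what a 227 reply implies for the USG-side NAT and firewall rules."""
    ep = parse_pasv_reply(reply)
    return {
        "port": ep.port,
        "port_forwarded": server_side_permits(ep, forwarded_ranges),
        "host_reachable": advertised_host_reachable(ep),
    }


if __name__ == "__main__":
    PASV_RANGE = [(3456, 3460)]  # the range from the step list above
    print(check_passive_setup("227 Entering Passive Mode (198,51,100,20,13,128)", PASV_RANGE))
    print(check_passive_setup("227 Entering Passive Mode (192,168,1,50,13,133)", PASV_RANGE))
    print(server_side_permits(parse_port_command("PORT 203,0,113,9,195,80"), PASV_RANGE))
```

Running it shows the point of the thread in two lines: an active-mode PORT endpoint is never the server firewall's problem (the server dials out), while a passive 227 reply only works if the advertised port is inside the forwarded range and the advertised address is the public one rather than the server's LAN address.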
Gork (Member)
[Screenshots: ftp-nat, ftp-fw, ftp-pasv-nat]
Here are my port forwarding and firewall rules in my USG. For the first NAT screen shot, the Xavier object is the only one I believe isn't a default in the router, and that object only references the static IP address of the computer which runs my FTP server. Note that I used the default FTP object, which includes ports 20 & 21, but only port 21 needs to be forwarded.

For the fw rule there are two objects called Xavier. One is the same as for the NAT rule which refers to the static IP address of my "FTP server computer" and the other is an object group which refers to FTP port 21 and the FTP-PASV ports I use, 3000-3010.

My last screen shot shows the NAT rules for my PASV FTP ports.

Brano (MVM) to TheJoker
In addition to all of above, keep in mind that firewall rules are evaluated from top to bottom and first match is applied and no additional rules are evaluated. The order of rules is important.
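As an added illustration of Brano's point (example code, not ZyXEL's or any poster's), the following models first-match evaluation over the rule layouts discussed in this thread: a custom WAN-to-ZyWALL deny for HTTPS ahead of the Default_allow_Wan_to_Zywall rule, and a ping allow rule restricted to one source address. Service names and that rule name are from the thread; the addresses and the service list given to the default rule are constructed.

```python
"""First-match evaluation of zone-based firewall rules.

Added example for this thread, not code from any poster or from ZyXEL.
Rules are tried top to bottom and the first match decides, so a deny placed
below the default allow never fires. Addresses and the default rule's
service list are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# (protocol, port) for TCP/UDP; for ICMP the second field is the ICMP type.
SERVICES = {
    "FTP": ("tcp", 21),
    "HTTPS": ("tcp", 443),
    "IKE": ("udp", 500),
    "PING": ("icmp", 8),  # echo request
}


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    proto: str
    port: int  # TCP/UDP destination port, or ICMP type


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # zone name or "any"
    to_zone: str     # zone name or "any"
    source: str      # host/CIDR or "any"
    services: tuple  # service names from SERVICES, or ("any",)
    access: str      # "allow" | "deny" | "reject"
    log: bool = False

    def matches(self, pkt):
        if self.from_zone not in ("any", pkt.from_zone):
            return False
        if self.to_zone not in ("any", pkt.to_zone):
            return False
        if self.source != "any" and ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if "any" not in self.services:
            if (pkt.proto, pkt.port) not in {SERVICES[s] for s in self.services}:
                return False
        return True


def evaluate(rules, pkt, default="deny"):
    """Walk the list top to bottom; the first matching rule decides.

    Returns (verdict, rule name or None, whether a log line is produced).
    A packet matching nothing hits the unlogged implicit default, which is
    why "no log entry" is consistent with the traffic simply being dropped.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.access, rule.name, rule.log
    return default, None, False


def wan_to_zywall_rules(deny_first):
    """The layout from the thread: a custom HTTPS deny and the built-in allow."""
    block_443 = Rule("Custom Rule Block 443", "WAN", "ZyWALL", "any", ("HTTPS",), "deny", log=True)
    default_allow = Rule("Default_allow_Wan_to_Zywall", "WAN", "ZyWALL", "any", ("HTTPS", "IKE"), "allow")
    return [block_443, default_allow] if deny_first else [default_allow, block_443]


def ping_rules(friend_ip):
    """Allow echo requests to the router from one WAN address only."""
    return [Rule("Allow friend ping", "WAN", "ZyWALL", friend_ip, ("PING",), "allow", log=True)]


def https_from_wan(src="203.0.113.7"):
    return Packet("WAN", "ZyWALL", src, "tcp", 443)


def ping_from(src):
    return Packet("WAN", "ZyWALL", src, "icmp", 8)


if __name__ == "__main__":
    print(evaluate(wan_to_zywall_rules(deny_first=True), https_from_wan()))
    print(evaluate(wan_to_zywall_rules(deny_first=False), https_from_wan()))
    rules = ping_rules("198.51.100.77")
    print(evaluate(rules, ping_from("198.51.100.77")))
    print(evaluate(rules, ping_from("198.51.100.78")))
```

The two orderings of the HTTPS rules give opposite verdicts for the same packet, and a ping from an address other than the one in the allow rule falls through to the unlogged default, which is also why a rule that never matches produces no log entry at all.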

Anav (Premium Member) to TheJoker
Again, I would never do it the way Gork has it set up. You don't need PASV anything. One rule.

Also, Gork, what the heck is wan-ip in your NAT rules?

3 pics provided.
Anav (Premium Member)
Make sure your ping rule is number 1 (first on the wan to zywall list).

You should see your friend's IP in the logs. It should match the WANIP you put in Source in the firewall rule.

Ensure you have the SYSTEM ftp admin access disabled.

TheJoker (MVM)
On Anav's advice to not restrict the port forwarding by originator IP, and let the firewall rule take care of it, I think I may have it once he tries again. While I was out mowing (nice here yesterday and today) there was a successful ping and a successful forwarding to the FTP server (not connected due to my configuration error in the server). It was good to see the connection refusal in the FTP server, it was the first time it made it that far. I think it's easy from here.

Is there any way to expand the size of the log? It's 11 pages, and that only encompasses a 2 hour time frame before entries drop off. I see that I can e-mail logs, but I'd prefer to increase the size of the log if possible.

Brano (MVM)
Send the logs to USB stick.

TheJoker (MVM)
That was easy, and the best documented thing in the User Manual of anything I've done so far.

And I've now had a successful connection of my user.

Thanks everyone.

Gork (Member) to Anav
said by Anav:

Again, I would never do it the way Gork has it set up. You don't need PASV anything. One rule.

Also, Gork, what the heck is wan-ip in your NAT rules?

wan-ip is an interface IP object for the WAN-1 IP address. In other words, the IP address assigned to me by my ISP. I thought this was a default object in the device - apparently not.

As far as "you don't need pasv anything" goes, without any server-side FTP ALG, NAT and firewall rules would be necessary for PASV FTP to work, or the client wouldn't be able to connect to the open port on your server's computer; the connection would be blocked at the USG.