Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to Gork

Re: Replaced 2WG with USG20W

[Screenshot: ftp-nat]
[Screenshot: ftp-fw]
[Screenshot: ftp-pasv-nat]
Here are my port forwarding and firewall rules in my USG. For the first NAT screen shot, the Xavier object is the only one I believe isn't a default in the router, and that object only references the static IP address of the computer which runs my FTP server. Note that I used the default FTP object, which includes ports 20 & 21, but only port 21 needs to be forwarded.

For the fw rule there are two objects called Xavier. One is the same as for the NAT rule which refers to the static IP address of my "FTP server computer" and the other is an object group which refers to FTP port 21 and the FTP-PASV ports I use, 3000-3010.

My last screen shot shows the NAT rules for my PASV FTP ports.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
reply to TheJoker
In addition to all of above, keep in mind that firewall rules are evaluated from top to bottom and first match is applied and no additional rules are evaluated. The order of rules is important.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to TheJoker
Again, I would never do it the way Gork has it set up. You don't need PASV anything. One rule.

Also, Gork, what the heck is wan-ip in your NAT rules?

3 pics provided.........


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Make sure your ping rule is number 1 (first on the wan to zywall list).

You should see your friend's IP in the logs. It should match the WANIP you put in source in the firewall rule.

Ensure you have the SYSTEM ftp admin access disabled.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:6
On Anav's advice to not restrict the port forwarding by originator IP, and let the firewall rule take care of it, I think I may have it once he tries again. While I was out mowing (nice here yesterday and today) there was a successful ping and a successful forwarding to the FTP server (not connected due to my configuration error in the server). It was good to see the connection refusal in the FTP server, it was the first time it made it that far. I think it's easy from here.

Is there any way to expand the size of the log? It's 11 pages, and that only encompasses a 2 hour time frame before entries drop off. I see that I can e-mail logs, but I'd prefer to increase the size of the log if possible.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:14
Send the logs to USB stick.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:6
That was easy, and the best documented thing in the User Manual of anything I've done so far.

And I've now had a successful connection of my user.

Thanks everyone.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to Anav
said by Anav:

Again, I would never do it the way Gork has it set up. You don't need PASV anything. One rule.

Also, Gork, what the heck is wan-ip in your NAT rules?

wan-ip is an interface IP object for the WAN-1 IP address. In other words, the IP address assigned to me by my ISP. I thought this was a default object in the device - apparently not.

As far as "you don't need PASV anything" goes, without any server-side FTP ALG, NAT and firewall rules would be necessary for PASV FTP to work, or the client wouldn't be able to connect to the open port on your server's computer - the connection would be blocked at the USG.
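Two points in this thread are worth seeing in code: Brano's note that firewall rules are evaluated top to bottom with the first match winning, and Gork's point that PASV FTP only works through a NAT device without an FTP ALG if the passive port range itself is forwarded and allowed. The example below is an added illustration, not anything from the thread or from Zyxel's firmware. It models a first-match rule evaluator, decodes an FTP 227 reply to find the data port a client would connect to (the last two numbers are port = high*256 + low), and shows how a catch-all deny placed above the PASV allow shadows it. The friend's address (203.0.113.7, documentation range), the rule names and the 227 reply are constructed; the PASV range 3000-3010 and "ping rule first" ordering come from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # source network in CIDR form, or "any"
    proto: str                        # "tcp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive destination port range (TCP only), None = any
    action: str                       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion of the rule fits the packet."""
    if rule.src != "any" and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.ports is not None:
        low, high = rule.ports
        if pkt.dport is None or not (low <= pkt.dport <= high):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation: the first fitting rule decides and later rules are never consulted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "implicit-default"


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> server IP and data port p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p_hi * 256 + p_lo


# Constructed: the friend's public address (documentation range) and the thread's PASV range.
FRIEND_WAN_IP = "203.0.113.7"
PASV_RANGE = (3000, 3010)

# Well-ordered set: ping first (as advised in the thread), then FTP control, then the PASV data ports.
RULES = [
    Rule("ping-from-friend", FRIEND_WAN_IP + "/32", "icmp", None, "allow"),
    Rule("ftp-control-from-friend", FRIEND_WAN_IP + "/32", "tcp", (21, 21), "allow"),
    Rule("ftp-pasv-from-friend", FRIEND_WAN_IP + "/32", "tcp", PASV_RANGE, "allow"),
]

# Mis-ordered set: a catch-all TCP deny above the PASV allow shadows it, so the data
# connection is refused even though the correct rule exists further down the list.
MISORDERED = [
    RULES[0],
    RULES[1],
    Rule("deny-all-tcp", "any", "tcp", None, "deny"),
    RULES[2],
]


def pasv_data_connection_allowed(rules: List[Rule], client_ip: str, pasv_reply: str) -> Tuple[str, str]:
    """Does the data connection a client opens after this 227 reply pass the rule set?"""
    _, port = parse_pasv(pasv_reply)
    return evaluate(rules, Packet(client_ip, "tcp", port))


if __name__ == "__main__":
    # Constructed reply from the server at its LAN address; 11*256 + 184 = 3000.
    reply = "227 Entering Passive Mode (192,168,1,10,11,184)."
    print(parse_pasv(reply))
    print(evaluate(RULES, Packet(FRIEND_WAN_IP, "icmp")))
    print(pasv_data_connection_allowed(RULES, FRIEND_WAN_IP, reply))
    print(pasv_data_connection_allowed(MISORDERED, FRIEND_WAN_IP, reply))
```

Note that the 227 reply also carries the server's private LAN address; a NAT device with an FTP ALG rewrites that address and opens the data port on the fly, which is why no static PASV rules are needed in that case. Without an ALG the range has to be forwarded and allowed statically, and the allow has to sit above any broader deny, exactly as the thread describes.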