Efficient 5861 - Does it disable FTP Server access by default?


Post by My De » Tue, 04 Mar 2003 12:02:38



Does the Efficient 5861 disable access to an FTP server in the local
network?

I have a server operating behind a router. The server has an external
IP address with the route hostmaps to the local address.

The problem is the server can serve web pages and email as well, but
somehow FTP does not connect at all. I can however connect to the
server via its external IP address. The connections show up in the FTP
server's log and it shows the connections as coming from my router's IP
address.

This makes me wonder whether my ISP is blocking access to the FTP
server from machines outside its network or the router is programmed
to accept FTP connections only from within its subnet.

Any ideas on how to fix this FTP Problem?

 
 
 


Post by JJ » Tue, 04 Mar 2003 13:05:58


Check your firewall settings against whether you are doing active or passive
FTP. You may need to open more ports.

Jim


> Does the Efficient 5861 disable access to an FTP server in the local
> network?

> I have a server operating behind a router. The server has an external
> IP address with the route hostmaps to the local address.

> The problem is the server can serve web pages and email as well, but
> somehow FTP does not connect at all. I can however connect to the
> server via its external IP address. The connections show up in the FTP
> server's log and it shows the connections as coming from my router's IP
> address.

> This makes me wonder whether my ISP is blocking access to the FTP
> server from machines outside its network or the router is programmed
> to accept FTP connections only from within its subnet.

> Any ideas on how to fix this FTP Problem?
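
An added example, not part of the original posts: the active/passive distinction mentioned above decides which side opens the FTP data connection and on which port, and that is what a port-based filter has to allow. The sketch parses a `PORT` command and a `227` reply as defined in RFC 959; the sample lines and addresses are constructed, and the function names are this example's own.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: four address bytes and two port bytes (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 1918 ranges, i.e. addresses that only exist behind a NAT device.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (IPv4Address, port) from the host-port field of a PORT command or 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def data_channel(line):
    """Describe the data connection that one control-channel line sets up."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, initiator = "active", "server"    # server connects out to the client
    elif line.startswith("227"):
        mode, initiator = "passive", "client"   # client connects in to the server
    else:
        raise ValueError("not a PORT command or 227 reply")
    ip, port = parse_hostport(line)
    return {
        "mode": mode,
        "initiator": initiator,                 # side that sends the TCP SYN
        "ip": str(ip),
        "port": port,                           # port the other side listens on
        # An RFC 1918 address in this field cannot be reached from the Internet
        # unless the NAT device rewrites it or the server advertises its public IP.
        "rfc1918": any(ip in net for net in _RFC1918),
    }


# Constructed sample control-channel lines.
SAMPLES = [
    "PORT 198,51,100,7,195,80",                         # client listens on 198.51.100.7:50000
    "227 Entering Passive Mode (192,168,1,10,19,137)",  # server behind NAT offers 192.168.1.10:5001
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(data_channel(sample))
```

In the passive case the filter in front of the server has to admit inbound connections to the port range the FTP server hands out; in the active case it has to admit the server's outbound connection, which by default originates from port 20.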


 
 
 


Post by My De » Wed, 05 Mar 2003 05:03:35


I am not sure what this means. I am not very familiar with the
firewall rules in the Efficient 5861. I have just started dabbling
with the filter concepts and the commands in the Efficient manual.

Can you post a sample script, with some explanations, please?


> Check your firewall settings against whether you are doing active or passive
> FTP. You may need to open more ports.

> Jim



> > Does the Efficient 5861 disable access to an FTP server in the local
> > network?

> > I have a server operating behind a router. The server has an external
> > IP address with the route hostmaps to the local address.

> > The problem is the server can serve web pages and email as well, but
> > somehow FTP does not connect at all. I can however connect to the
> > server via its external IP address. The connections show up in the FTP
> > server's log and it shows the connections as coming from my router's IP
> > address.

> > This makes me wonder whether my ISP is blocking access to the FTP
> > server from machines outside its network or the router is programmed
> > to accept FTP connections only from within its subnet.

> > Any ideas on how to fix this FTP Problem?

 
 
 


Post by JJ » Wed, 05 Mar 2003 22:54:32


Sure:

# Medium security firewall script - 6/7/01
# For DSL router
# Allow protocols: HTTP, HTTPS, SMTP, POP3, SNTP, Telnet,
#                  DNS, FTP (passive), L2TP, ICMP, DHCP, IMAP,
#                  IPSec, IKE

# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# No incoming connections
remote ipfilter append input drop -p tcp -tcp syn internet

# HTTP
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet

# HTTPS (SSL)
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet

# SMTP
remote ipfilter append input accept -p tcp -sp 25 internet
remote ipfilter append output accept -p tcp -dp 25 internet

# POP3
remote ipfilter append input accept -p tcp -sp 110 internet
remote ipfilter append output accept -p tcp -dp 110 internet

# SNTP
# - allow requests and responses to the router only
#
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# Telnet
remote ipfilter append input accept -p tcp -sp 23 internet
remote ipfilter append output accept -p tcp -dp 23 internet

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# FTP
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append output accept -p tcp -dp 20:21 internet

# L2TP
# - allow requests and responses to the router only
#
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet
eth ip filter append output drop -p udp -sp 1701 0
eth ip filter append output drop -p udp -dp 1701 0

# Allow ICMP Echo Reply, Dest Unreachable, Echo Requests,
# and Time Exceeded from the WAN
remote ipfilter append input accept -p icmp -sp 0 internet
remote ipfilter append input accept -p icmp -sp 3 internet
remote ipfilter append input accept -p icmp -sp 8 internet
remote ipfilter append input accept -p icmp -sp 11 internet

# Allow ICMP Echo Reply, Echo Request to the WAN
remote ipfilter append output accept -p icmp -sp 0 internet
remote ipfilter append output accept -p icmp -sp 8 internet

# DHCP
remote ipfilter append input accept -p udp -sp 67 internet
remote ipfilter append output accept -p udp -dp 67 internet

# IMAP
remote ipfilter append input accept -p tcp -sp 143 internet
remote ipfilter append output accept -p tcp -dp 143 internet

# Allow IPSec, IKE packets
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Watch the results
remote ipfilter watch on internet

save


> I am not sure what this means. I am not very familiar with the
> firewall rules in the Efficient 5861. I have just started dabbling
> with the filter concepts and the commands in the Efficient manual.

> Can you post a sample script, with some explanations, please?




> > Check your firewall settings against whether you are doing active or passive
> > FTP. You may need to open more ports.

> > Jim



> > > Does the Efficient 5861 disable access to an FTP server in the local
> > > network?

> > > I have a server operating behind a router. The server has an external
> > > IP address with the route hostmaps to the local address.

> > > The problem is the server can serve web pages and email as well, but
> > > somehow FTP does not connect at all. I can however connect to the
> > > server via its external IP address. The connections show up in the FTP
> > > server's log and it shows the connections as coming from my router's IP
> > > address.

> > > This makes me wonder whether my ISP is blocking access to the FTP
> > > server from machines outside its network or the router is programmed
> > > to accept FTP connections only from within its subnet.

> > > Any ideas on how to fix this FTP Problem?

 
 
 


Post by My De » Thu, 06 Mar 2003 06:52:35


This script seems to be the one with the router. When I applied it nothing changed.

I will try it again and see.


> Sure:

> # Medium security firewall script - 6/7/01
> # For DSL router
> # Allow protocols: HTTP, HTTPS, SMTP, POP3, SNTP, Telnet,
> #                  DNS, FTP (passive), L2TP, ICMP, DHCP, IMAP,
> #                  IPSec, IKE

> # Flush all existing filters
> remote ipfilter flush input internet
> remote ipfilter flush output internet
> remote ipfilter flush transmit internet
> remote ipfilter flush receive internet
> eth ip filter flush input 0
> eth ip filter flush output 0

<snip>




> > I am not sure what this means. I am not very familiar with the
> > firewall rules in the Efficient 5861. I have just started dabbling
> > with the filter concepts and the commands in the Efficient manual.

> > Can you post a sample script, with some explanations, please?



> > > Check your firewall settings against whether you are doing active or passive
> > > FTP. You may need to open more ports.

> > > Jim

<snip>
 
 
 


Post by JJ » Thu, 06 Mar 2003 08:18:56


Use it as a baseline for understanding what you are doing. Also, run the
commands in telnet:

rem ipfilter watch on internet
sys log start

This will show you dropped packets due to firewall rules. Then RTFM.

JJ


> This script seems to be the one with the router. When I applied it nothing changed.

> I will try it again and see.




> > Sure:

> > # Medium security firewall script - 6/7/01
> > # For DSL router
> > # Allow protocols: HTTP, HTTPS, SMTP, POP3, SNTP, Telnet,
> > #                  DNS, FTP (passive), L2TP, ICMP, DHCP, IMAP,
> > #                  IPSec, IKE

> > # Flush all existing filters
> > remote ipfilter flush input internet
> > remote ipfilter flush output internet
> > remote ipfilter flush transmit internet
> > remote ipfilter flush receive internet
> > eth ip filter flush input 0
> > eth ip filter flush output 0
> <snip>



> > > I am not sure what this means. I am not very familiar with the
> > > firewall rules in the Efficient 5861. I have just started dabbling
> > > with the filter concepts and the commands in the Efficient manual.

> > > Can you post a sample script, with some explanations, please?



> > > > Check your firewall settings against whether you are doing active or passive
> > > > FTP. You may need to open more ports.

> > > > Jim
> <snip>

 
 
 
