Allowing FTP inbound through firewall

RE: Allowing FTP inbound through firewall

Lee Precision — Fri, 07 Jun 2019 15:18:50 GMT

RE: Allowing FTP inbound through firewall

FloSupport — Thu, 06 Jun 2019 22:33:25 GMT

The Destination Host/Network, would be the IP address that the incoming FTP connection is being made to (in this case, your public WAN IP address). Your protected server(s) would be the internal/private IP of your timeclocks.

Note that if you list multiple IPs in the protected server(s) field, this will allow the configuration of load balancing. See: Sophos XG Firewall: How to configure DNAT with load balancing

RE: Allowing FTP inbound through firewall

Lee Precision — Thu, 06 Jun 2019 19:32:24 GMT

Ok, I've set up the new rule and disabled the old one. I'll watch the log for activity. Great article. The one thing in the article that wasn't 100% clear to me was "Destination/Host Network." Initially I selected an IP Range reflecting that of the timeclocks, but then after re-reading the article, I set it to Port #2, my gateway IP address.

Do you know which would actually be correct in my case?

RE: Allowing FTP inbound through firewall

FloSupport — Thu, 06 Jun 2019 19:05:27 GMT

Hi Lee Precision

You'll need to create a business application rule (DNAT) rule for this. Rather than a "normal" network firewall rule.

Take a look at this article: Sophos XG Firewall: How to configure a Business Application Rule for RDP

Except change the RDP port to FTP of course. Hope that helps! Let me know if you run into any issues.

Regards,

RE: Allowing FTP inbound through firewall

Michael Dunn — Thu, 06 Jun 2019 18:58:07 GMT

FTP Helper / FTP Proxy is for making outbound FTP connections, and one of its main purposes it to do AV scanning.

You are doing inbound. The firewall has an incoming FTP connection that specifies the firewall itself as the destination. It doesn't know what to do with it or where to forward it. This is much like having web servers hosted in your network and using Web server protection / WAF.

In the firewall you need to create a "Business Application Rule" not a "User/network Rule". But after that, I don't know. A DNAT rule?

RE: Allowing FTP inbound through firewall

Lee Precision — Thu, 06 Jun 2019 18:48:36 GMT

Hey LuCar,

That article was helpful, and allowed me to clean up my firewall rule a bit, but I'm still not sure.

First, I have never seen a ftp server reaching out, unsolicited, to make a connection. Have you? (when considering the article, such a connection doesn't even exist.)

Secondly, a "technical" representative from this company said all I had to do was open port 21 to their IP address for an ftp connection...but that doesn't make any sense to me. Of course the firewall doesn't know what to do with the traffic, it is just random inbound traffic.

Would some kind of port forwarding/trigger make sense? Like, incoming traffic on port 21 -> Timeclock IP's?

I've asked the representative for more information on their ftp servers configuration. I don't think that there is much more that I can do in the meantime.

Lastly, what is the FTP helper/proxy that you have mentioned? Is it a cli only feature or can it be found on the gui side too?

Regards,

Dan

RE: Allowing FTP inbound through firewall

LuCar Toni — Thu, 06 Jun 2019 18:13:41 GMT

FTP is kinda tricky.

Most likely you are using FTP passive, right?

https://slacksite.com/other/ftp.html

So you are basically allowing the control traffic with Port 21 and Port 22.

But you are missing the high port. XG has a FTP helper, but it is bundled with the FTP Proxy. (Michael Dunn Correct me, if i am wrong).

So you would need to figure out, which ports are also needed in your FTP solution.

This is possible via TCPdump.

RE: Allowing FTP inbound through firewall

Lee Precision — Thu, 06 Jun 2019 17:42:46 GMT

Additionally, I put a computer on the same rules as the time clocks and I am able make an outbound ftp connection to the required IP address.