This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FTP Blocking

Hi All,


Probably it´s something really evident, but honestly, i´m not able to find it.

My objective is to block all the FTP, with the exception of some specific sources (hosts) and only to specific ftp servers.

I´m having issues when the access is being made by browser

I have always access by using e.g ftp://ftp.astaro.com or http://ftp.astaro.com

I´m using the webproxy protection in Standart mode (my browser is configured with the UTM detaisl) and the FTP proxy in operation mode "Both".

I´ve tried to add my host to the Skip "Transparent Mode Hosts/Nets" with the objective of trying to use the firewall to control it, but it didn´t work. All the ftp requests are forward by the webproxy.

Would anyone be so kind to shed some light on this :)



This thread was automatically locked due to age.
Parents
  • There's a lot of ways to do this, some taking more configuration than others. The simplest, using firewall rules only, would be to go to Web Protection > Filtering Options > Misc and remove FTP from the Allowed services list, then disable the FTP Proxy. The negative here is that your FTP accesses will not be AV scanned by the proxy. If this is ok, then go for it.

    http://ftp.astaro.com is an http index page for the ftp site, access for which would still be controlled via the Web Filtering Proxy, which you can add to your Filter Action block list if you choose.

    If you want to discuss other options let us know.

    Other notes:

    " and the FTP proxy in operation mode "Both"."  Unless you are setting the proxy in your browser and/or FTP client, there is no point to using non-transparent or both.

    "I´ve tried to add my host to the Skip "Transparent Mode Hosts/Nets""  In the Web Proxy, FTP Proxy, or both?  They each have a transparent skiplist, which is only useful in transparent mode, so would be ignored by the Web Proxy.

    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Thank you for the answer Scott

    Regarding your questions:

    i add my computer to the "transparent skiplist" in the webproxy and on the ftp proxy.

    I was trying to use the "Allowed Servers" on the "Advanced" tab of the FTP proxy to try to limit the access only to specific ftp servers.

    By removing the FTP port from the "Allowed Target Service" ftp over http stops working. I was hopping that when i enable the FTP proxy, i could control the FTP use, by just allowing the servers on the proxy options. On the other hand, i wanted to configure the hosts (internal hosts) that could have access, by using the "Allowed Networks" on the Global Options of the proxy.

    All the computers have in their browsers settings, the proxy (UTM) configured, so all the FTP traffic (when accessed by a browser) is made through the UTM.

    Should´t this configuration be effective?
Reply
  • Thank you for the answer Scott

    Regarding your questions:

    i add my computer to the "transparent skiplist" in the webproxy and on the ftp proxy.

    I was trying to use the "Allowed Servers" on the "Advanced" tab of the FTP proxy to try to limit the access only to specific ftp servers.

    By removing the FTP port from the "Allowed Target Service" ftp over http stops working. I was hopping that when i enable the FTP proxy, i could control the FTP use, by just allowing the servers on the proxy options. On the other hand, i wanted to configure the hosts (internal hosts) that could have access, by using the "Allowed Networks" on the Global Options of the proxy.

    All the computers have in their browsers settings, the proxy (UTM) configured, so all the FTP traffic (when accessed by a browser) is made through the UTM.

    Should´t this configuration be effective?
Children
  • Ok. I think i´ve got it.

    a) Removed from the "Allowed Target Service" the port 21
    b) Created webfilter rules to block a regex that identifies ftp and applied to specific users (that should be blocked from accessing to FTP).
    c) Configured the FTP proxy using the necessary source hosts and destination ftp servers (Transparent mode).

    I´m still making some testing, but it seems to be working fine.

    Thank you Scott.