No port forwarding. Just 1:1 and Rules.

ProFTPd is told to use port 9000. That works perfectly internally.

Rules set up to allow port 9000 out through the firewall. Connection happens, but no directory structure is delivered.
This is working for other services on the internal server including Apache.


> On Jul 6, 2015, at 10:35 PM, Jim Pingle <li...@pingle.org> wrote:
> 
> On 7/6/2015 7:59 PM, Ryan Coleman wrote:
>> Using 1:1 has turned most of my knowledge in pfSense completely useless. I 
>> feel like a beginner again.
>> 
>> FTP worked on port 21. But for security reasons I do not want it there so I 
>> moved it to port 9000.
>> 
>> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are dictated 
>> in the conf (49500-52500) and configured as such in the Firewall Rules. 
>> Firewall Rules also have port 8999-9001 open for the FTP server.
>> 
>> FTP works internal to the network so the issue isn’t in the configuration of 
>> ftp server but in the configuration of the firewall.
> 
> Seems the actual question/problem statement is missing. What exactly
> isn't working?
> 
> Did you actually change the binding port in ProFTPd or did you redirect
> 21 to 9000 with a port forward?
> 
> If you mix 1:1 NAT and port forwards you will find a couple things you
> may not expect due to the way pf works and how NAT happens before
> firewall rules:
> 
> 1. Port forwards override 1:1 NAT, which is good for doing what you want
> 
> -but-
> 
> 2. If you forward a different port (e.g. 9000 to 21) your rule still
> passes to the local IP on port 21 so BOTH ports are actually accessible.
> In other words, you can't relocate a port and block access to the
> original port.
> 
> Changing the binding in ProFTPd to 9000 should work around that.
> 
> If that's what you did, then your rule would pass to the local IP on
> port 9000.
> 
> If that doesn't help, give us a bit more detail about the exact NAT and
> firewall rules you have and what isn't working as expected. Include
> firewall logs, states for the test connections, and perhaps a packet
> capture.
> 
> Jim
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
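Jim's point that pf translates the destination (port forward first, then 1:1 NAT) before the firewall rules are evaluated, as an added model written for this thread; it is not pf or pfSense code, and the 203.0.113.10 / 10.0.0.5 addresses are constructed.

```python
# Toy model of pfSense NAT-then-filter ordering on a 1:1 NAT setup.
# Addresses are constructed; the functions are a hypothetical illustration.

PUBLIC_IP = "203.0.113.10"   # constructed 1:1 public address
LAN_IP = "10.0.0.5"          # constructed internal FTP server address
BINAT = {PUBLIC_IP: LAN_IP}  # the 1:1 NAT mapping

def translate(dst_ip, dst_port, port_forwards, binat):
    """NAT runs before filtering: a port forward (rdr) wins over 1:1 (binat)."""
    for ext_port, (int_ip, int_port) in port_forwards.items():
        if dst_ip == PUBLIC_IP and dst_port == ext_port:
            return int_ip, int_port
    if dst_ip in binat:                      # 1:1 keeps the original port
        return binat[dst_ip], dst_port
    return dst_ip, dst_port

def filter_passes(int_ip, int_port, pass_rules):
    """WAN rules match the post-NAT (internal) destination, not the public one."""
    return any(ip == int_ip and lo <= int_port <= hi for ip, lo, hi in pass_rules)

def reachable(ext_port, port_forwards, pass_rules):
    ip, port = translate(PUBLIC_IP, ext_port, port_forwards, BINAT)
    return filter_passes(ip, port, pass_rules)

def exposed_ports(port_forwards, pass_rules, candidates=(21, 9000, 50000)):
    """Which of the candidate public ports reach the LAN host from outside."""
    return [p for p in candidates if reachable(p, port_forwards, pass_rules)]

# Scenario A: ProFTPd still bound to 21, port forward 9000 -> 21, rule to LAN_IP:21.
A_FORWARDS = {9000: (LAN_IP, 21)}
A_RULES = [(LAN_IP, 21, 21), (LAN_IP, 49500, 52500)]
# Scenario B: ProFTPd rebound to 9000, no port forward, rule to LAN_IP:9000.
B_FORWARDS = {}
B_RULES = [(LAN_IP, 9000, 9000), (LAN_IP, 49500, 52500)]

if __name__ == "__main__":
    # A leaves 21 reachable through the 1:1 mapping; B closes it.
    print("forward 9000->21:", exposed_ports(A_FORWARDS, A_RULES))
    print("bind on 9000:   ", exposed_ports(B_FORWARDS, B_RULES))
```

Port 50000 stands in for the passive range (49500-52500) that both scenarios pass.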
