As you probably know, FTP comes in two flavours:

Active FTP, where data port 20 is used on the Server and the client offers a random port > 1023 to the Server via a “PORT” command. Hosting this behind a Juniper firewall is fairly basic and works. The only thing is that you have to forward traffic to TCP control port 21 on the FTP server, and the “Application Layer Gateway” (ALG) will sniff your control packet and sense the “PORT” command. From then on the SRX should allow traffic from the Client port to the server port without needing any additional configuration. This kind of works out of the box, once you get the port-forwarding set up for port 20 and allow ftp to be forwarded in a security policy.

Passive FTP, where the FTP Server chooses a random port and the client should connect to this. A “ftp -d” session clearly shows how the Server is now in control of the port that the client should connect to in order to perform data transfers:

229 Entering Extended Passive Mode (|||10097|)

Officially, if I understand the confusing documentation properly, the ALG should intercept this EPSV (Passive) command, open up a pinhole to the Server allowing the client to connect to e.g. TCP port 10097 as described above, and Bob’s your uncle.

But. For some reason the ALG will not open up the pinhole in the direction from client to server, following the command mentioned above. Not just for me, but for loads of people on the net. Juniper describes how to configure FTP with ALG for passive FTP in this document: “ ” For me the document makes no sense whatsoever where source NAT is configured from untrust to trust zone?! And then they seem to make an unexplained mix between IPv4 and 6.

Where it comes down to is: the ALG should take care of the pin-hole, and it doesn’t. So here is my workaround. I am not proud of it, but at least I got a working situation: make sure you RECONFIGURE your FTP SERVER (?!) to limit the ports it’s going to use for its Data connections.
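The workaround only works if every data port the server announces falls inside the range the firewall policy has been opened for. The following script is an added example (not from the original post and not Juniper's or any FTP server's own code) that parses the passive-mode replies a client sees on the control connection, both the `229 … (|||port|)` EPSV form quoted above and the older `227 … (h1,h2,h3,h4,p1,p2)` PASV form, and reports which negotiated data ports would fall outside the permitted range. The range 10000-10100 and the sample transcript are constructed assumptions for the demonstration; substitute the range you actually configured on the server and in the security policy.

```python
"""Audit FTP passive-mode replies against the data-port range a firewall permits.

Added example: parses 227 (PASV) and 229 (EPSV) replies from a control-channel
transcript and flags data ports outside the range the server is supposed to use.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed passive port range: what the FTP server was reconfigured to use and
# what the firewall policy allows from client to server (constructed values).
PASV_MIN = 10000
PASV_MAX = 10100

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 Entering Extended Passive Mode (|||port|): address is the control peer's
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


class DataEndpoint(NamedTuple):
    host: Optional[str]  # None for EPSV: client reuses the control connection's address
    port: int
    mode: str            # "PASV" or "EPSV"


def parse_passive_reply(line: str) -> Optional[DataEndpoint]:
    """Return the announced data endpoint, or None if the line is not a passive reply."""
    line = line.strip()
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None  # malformed port field
        return DataEndpoint(None, port, "EPSV")
    m = PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None  # each field is one octet; anything larger is garbage
        host = ".".join(str(o) for o in fields[:4])
        return DataEndpoint(host, fields[4] * 256 + fields[5], "PASV")
    return None


def port_allowed(port: int, lo: int = PASV_MIN, hi: int = PASV_MAX) -> bool:
    """True if the data port lies inside the range the firewall policy opens."""
    return lo <= port <= hi


def audit_transcript(
    transcript: str, lo: int = PASV_MIN, hi: int = PASV_MAX
) -> Tuple[List[DataEndpoint], List[DataEndpoint]]:
    """Split passive replies in a control-channel transcript into (allowed, blocked)."""
    allowed: List[DataEndpoint] = []
    blocked: List[DataEndpoint] = []
    for line in transcript.splitlines():
        ep = parse_passive_reply(line)
        if ep is None:
            continue
        (allowed if port_allowed(ep.port, lo, hi) else blocked).append(ep)
    return allowed, blocked


# Constructed sample transcript, modelled on the "ftp -d" output quoted above.
SAMPLE_TRANSCRIPT = """\
---> EPSV
229 Entering Extended Passive Mode (|||10097|)
---> LIST
150 Here comes the directory listing.
226 Directory send OK.
---> PASV
227 Entering Passive Mode (192,0,2,10,195,80)
---> PASV
227 Entering Passive Mode (192,0,2,10,39,26)
"""

if __name__ == "__main__":
    ok, bad = audit_transcript(SAMPLE_TRANSCRIPT)
    for ep in ok:
        print(f"allowed  {ep.mode:4} port {ep.port}")
    for ep in bad:
        print(f"BLOCKED  {ep.mode:4} port {ep.port} (outside {PASV_MIN}-{PASV_MAX})")
```

Feed it a saved `ftp -d` session: any line reported as BLOCKED is a transfer that will hang at the data connection even though the control channel on port 21 works, which is exactly the symptom described above when the ALG does not open the pinhole.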