D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: rcamkerr on December 21, 2009, 11:31:14 AM
-
We have an internet connection through another company's fibre connection. Our external IP addresses are assigned to us through the other company's router. Our DFL-210 is set up with external IP addresses of 172.18.1.101-105. These addresses have all been published in the ARP entries. We have two webservers set up and working. I would like to set up an FTP server as well. I used the instructions in the manual for setting up the rules. There must be some other rule(s) I need to add for our unique setup. Any help or suggestions would be appreciated.
Actual external IP address for the ftp server is xx.xx.xx.174 in the logs below.
ftp server wan_ip_4: 172.18.1.104
dmz ip address: dmz_4
ftp_sat
Action: SAT
service: ftp-inbound
source interface: any
destination interface: core
source network: all-nets
destination network: wan_ip_4
SAT: destination IP
new address: dmz_4
new port: 21
ftp_nat
Action: NAT
Service: ftp-inbound
source interface: dmz
destination interface: dmz_4
source network: core
destination network: wan_ip_4
NAT: Specify sender IP
new IP address: dmz_4
ftp_allow
Action: Allow
Service: ftp-inbound
source interface: any
destination interface: core
source network: all-nets
destination network: wan_ip_4
Now what I see in the logs is:
2009-12-21 11:14:01 Warning RULE 6000051 ruleset_drop_packet Default_Rule TCP wan xx.xx.xx.174 15801 172.18.1.104 21 drop ipdatalen=28 tcphdrlen=28 syn=1
-
I seem to be getting a bit closer.
I changed the destination interface from core to any. I am now able to log in, but do not get a directory listing. The FTP client issues the PORT command, the server receives the port and returns successful. In the server log it registers that the connection was closed from the client side. In the DFL-210 logs I see alg_session_open then alg_session_closed immediately after. Then the rest of the FTP ports get closed.
I have tried a couple of different FTP clients. They both fail trying to retrieve the directory listing.
-
First of all, use service ftp-passthrough to exclude the ALG from the situation.
I suggest the following rules:
#  Name           Action  Source int  Source net  Dest int  Dest net  Service
1  ftp_sat_inb    SAT     wan         all-nets    core      wanip     ftp-passthrough
2  ftp_allow_inb  Allow   wan         all-nets    core      wanip     ftp-passthrough
3  ftp_nat_out    NAT     dmz         ftpsrvip    wan       all-nets  ftp-passthrough
On the SAT rule:
new address: ftpsrvip
new port: (not needed, leave blank)
-
chechito, thanks for your suggestions. However, I still end up with the same problem. It appears the DFL-210 closes the connection. The server has accepted the connection but logs that the client side closed the connection.
I will continue to hack at it.
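The two rule sets posted in this thread, run through a small consistency check. This is an added example, not code from the thread or from D-Link; the Rule layout, the check that every SAT rule is paired with an Allow/NAT rule carrying the same match, and the check for an outbound rule sourced from the server (which active-mode data connections need) are this example's own assumptions about how NetDefend rules are evaluated.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "SAT", "Allow" or "NAT"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str

def _match(r):
    # fields a rule is matched on: everything except name and action
    return (r.src_if, r.src_net, r.dst_if, r.dst_net, r.service)

def check_ftp_publish(rules, wan_ip, server_ip, service):
    """Return findings for publishing an FTP server at wan_ip -> server_ip;
    an empty list means all three expected rules are present."""
    findings = []
    sats = [r for r in rules if r.action == "SAT"
            and r.dst_net == wan_ip and r.service == service]
    if not sats:
        findings.append(f"no SAT rule translating {wan_ip} for {service}")
    for s in sats:
        # SAT only rewrites the destination; an Allow or NAT rule with the
        # identical match must follow it or the translated flow is not passed
        if not any(r.action in ("Allow", "NAT") and _match(r) == _match(s)
                   for r in rules):
            findings.append(f"{s.name}: no Allow/NAT rule with the same match")
    # active mode: the server opens the data connection back to the client,
    # so a dmz->wan rule sourced from the server itself is needed
    if not any(r.action in ("Allow", "NAT") and r.src_if == "dmz"
               and r.src_net == server_ip and r.dst_if == "wan"
               and r.service == service for r in rules):
        findings.append(f"no outbound dmz->wan rule from {server_ip} for "
                        f"{service} (active-mode data connection)")
    return findings

# Rule sets transcribed from the thread, in the table's column order
OP_RULES = [
    Rule("ftp_sat", "SAT", "any", "all-nets", "core", "wan_ip_4", "ftp-inbound"),
    Rule("ftp_nat", "NAT", "dmz", "core", "dmz_4", "wan_ip_4", "ftp-inbound"),
    Rule("ftp_allow", "Allow", "any", "all-nets", "core", "wan_ip_4", "ftp-inbound"),
]
SUGGESTED_RULES = [
    Rule("ftp_sat_inb", "SAT", "wan", "all-nets", "core", "wanip", "ftp-passthrough"),
    Rule("ftp_allow_inb", "Allow", "wan", "all-nets", "core", "wanip", "ftp-passthrough"),
    Rule("ftp_nat_out", "NAT", "dmz", "ftpsrvip", "wan", "all-nets", "ftp-passthrough"),
]
```

Running check_ftp_publish over OP_RULES reports only the missing outbound rule from the server, while SUGGESTED_RULES comes back clean; the Default_Rule drop in the first log line is what a SAT rule without a usable matching Allow rule looks like in the DFL-210 log.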