DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 3910 Firewall blocking external FTP

More
20 Jan 2021 20:21 #98246 by the pit
I'm probably missing something I want to block ftp from external sources from accessing or trying to access an internal server.
On server itself I told it only accept to ip address on the internal network.
Anyway I decided to also see if I can block access via drayteks firewall so followed these instructions https://www.draytek.com/support/knowledge-base/5204 except setting for wan rather than lan
Setup and then tested external and the ftp client said connected on port 21 awaiting response and then failed.
The firewall log didn't log anything even though it's supposed too and I could see the connection coming in on the syslog.
Checking the logs on the server on show connections on the local lan only and none rejected. So that suggests it is being blocked but the message saying connected on port 21 says it isn't.

Please Log in or Create an account to join the conversation.

More
21 Jan 2021 01:07 #98250 by hornbyp
Just checking - you have an FTP Server on your LAN and don't want any access to it from the outside world. Is that correct :?:

If so, you don't need to do anything. (In the absence of Port Redirection, Open Ports or a DMZ host the only data allowed in, is in response to stuff that went out.)

(The connection you made is probably to the FTP Server in the Vigor 3910. I'm not familiar with the 3910, but other Vigors tend to respond even when disabled. Assuming it's not enabled, change its port to something other than 21 and see if that stops the connection message.)

Please Log in or Create an account to join the conversation.

More
13 Feb 2021 10:22 #98446 by the pit
Yeh I have an FTP server on the lan and I was logging in via the hostname so the draytek shouldn't respond to that.
I guess I could telnet and see what response I get.

Please Log in or Create an account to join the conversation.

More
14 Feb 2021 01:40 #98455 by hornbyp

The PIT wrote:
I was logging in via the hostname so the draytek shouldn't respond to that.


By the time the IP packets make it to the Vigor, it has no idea what hostname you used to send them...it would just respond to the contents (if it was feeling that way inclined - which given that it has an internal (optional) FTP server, it might be!)

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami