Hello dfex,
Thanks a lot for your answer 🙂
Concerning 2. it's indeed a bit of a disappointment, but I still hope for a future Junos release (by the way, I seem to remember that the MX routers with MS-DPC modules allowed port ranges to be configured).
Concerning 3. thanks a lot! 🙂
Adding UDP 427 solved the printing issue 🙂
Concerning 1. though, I am more and more puzzled...
The relevant Junos code is as follows:
[edit]
root@AltaBadia# show security
nat {
    [...]
    destination {
        pool NAS {
            address 172.24.24.200/32;
        }
        [...]
        rule-set RED_NAT {
            from zone untrust;
            [...]
            rule NAS_FTP {
                match {
                    destination-address 0.0.0.0/0;
                    destination-port 21;
                }
                then {
                    destination-nat pool NAS;
                }
            }
        }
    }
}
screen {
    ids-option untrust-screen {
        icmp {
            ping-death;
        }
        ip {
            source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                timeout 20;
            }
            land;
        }
    }
}
zones {
    [...]
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        tftp;
                        ftp {
                            except;
                        }
                        all;
                    }
                }
            }
        }
    }
    [...]
    from-zone untrust to-zone idmz {
        policy untrust-to-idmz {
            match {
                source-address any;
                destination-address AMBER1_RANGE;
                application any;
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
alg {
    ftp ftps-extension;
}
With this setup I can FTP to my server/NAS (which is configured to use ports 21 + 55536-55663).
The "show security flow session application ftp" output is as follows:
root@AltaBadia> show security flow session application ftp
Total sessions: 0
root@AltaBadia> show security flow session application ftp
Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1800, Valid
Resource information : FTP ALG, 2, 0
In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 1211
Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 12, Bytes: 1731
Total sessions: 1
[...]
root@AltaBadia> show security flow session application ftp
Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1796, Valid
Resource information : FTP ALG, 2, 0
In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 35, Bytes: 2169
Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 25, Bytes: 3131
Total sessions: 1
###
#Login successful
#First layer of folders loads
#
#Selected a folder to load
###
root@AltaBadia> show security flow session application ftp
Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1798, Valid
Resource information : FTP ALG, 2, 0
In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 42, Bytes: 2597
Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 28, Bytes: 3474
Total sessions: 1
[...]
root@AltaBadia> show security flow session application ftp
Session ID: 15433, Policy name: untrust-to-idmz/18, Timeout: 1780, Valid
Resource information : FTP ALG, 2, 0
In: 193.247.250.49/47939 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 42, Bytes: 2597
Out: 172.24.24.200/21 --> 193.247.250.49/47939;tcp, If: vlan.1, Pkts: 28, Bytes: 3474
Total sessions: 1
root@AltaBadia> show security flow session application ftp
Session ID: 17609, Policy name: untrust-to-idmz/18, Timeout: 1782, Valid
In: 193.247.250.49/22270 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 6, Bytes: 312
Out: 172.24.24.200/21 --> 193.247.250.49/22270;tcp, If: vlan.1, Pkts: 5, Bytes: 271
Total sessions: 1
[...]
root@AltaBadia> show security flow session application ftp
Session ID: 17609, Policy name: untrust-to-idmz/18, Timeout: 1782, Valid
In: 193.247.250.49/22270 --> 77.58.93.121/21;tcp, If: ge-0/0/0.0, Pkts: 19, Bytes: 876
Out: 172.24.24.200/21 --> 193.247.250.49/22270;tcp, If: vlan.1, Pkts: 15, Bytes: 945
Total sessions: 1
###
#Page remains blank
###
And the FTP log on the client is as follows:
*** FTP On The Go PRO 2.3
*** Connect To ravens.dnsdojo.net:21
220 RaVeNsDen FTP server ready.
>>> AUTH TLS
234 AUTH SSL command successful.
>>> PBSZ 0
200 PBSZ command successful (PBSZ=0).
>>> PROT P
200 Protection level set to Private.
>>> USER admin
331 Password required for admin.
>>> PASS [hidden]
230 User admin logged in.
>>> SYST
215 UNIX Type: L8
>>> FEAT
211- Extensions supported:
AUTH TLS
PBSZ
PROT
SIZE
MDTM
MFMT
REST STREAM
211 End.
>>> CLNT FTPOnTheGo 2.3
500 CLNT FTPOnTheGo 2.3: command not understood.
>>> PWD
257 "/" is current directory.
>>> PASV
227 Entering Passive Mode (77,58,93,121,217,22)
*** Data Connection OK
>>> LIST
150 Opening BINARY mode SSL data connection for 'file list'.
*** drwxr-xr-x 1 root users 12288 Apr 26 02:01 home
*** drwxr-xr-x 1 root users 4096 Apr 3 15:32 Work
*** drwxr-xr-x 1 root users 4096 Apr 23 17:15 Video
226 Transfer complete.
*** Got 10 Folder Items
>>> CWD /Work
250 CWD command successful.
>>> PWD
257 "/Work" is current directory.
>>> PASV
227 Entering Passive Mode (77,58,93,121,216,247)
!!! Data Connection Won't Open
*** Disconnected
*** FTP On The Go PRO 2.3
*** Connect To ravens.dnsdojo.net:21
220 RaVeNsDen FTP server ready.
>>> USER admin
331 Password required for admin.
>>> PASS [hidden]
230 User admin logged in.
>>> SYST
215 UNIX Type: L8
>>> FEAT
211- Extensions supported:
AUTH TLS
PBSZ
PROT
SIZE
MDTM
MFMT
REST STREAM
211 End.
>>> CLNT FTPOnTheGo 2.3
500 CLNT FTPOnTheGo 2.3: command not understood.
>>> PWD
257 "/" is current directory.
>>> PASV
------ Transfers ------
(null)
What is strangest to me is that
- if I do things quietly and take my time to choose which folder to open, I get nothing anymore
- if I pick a random folder as soon as I am on the FTP server, I can get to see the subfolder content (if I am really fast, even a sub-subfolder)
So I would suspect a timeout, but when I look at the data on the SRX I am always well within the parameters of the timeout.
Any idea what it could be?
Cheers
Andy
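A small check for the PASV exchange in the client log above, written here as an added example (not the poster's or Juniper's code): it decodes each 227 reply into the data port the NAS advertised, compares it with the 55536-55663 range stated in the post, and records whether the control channel was already TLS-encrypted at that point. The embedded log lines are a trimmed copy of the first client session above; the port range constant and the session-boundary marker are assumptions taken from the post.

```python
import re

# Passive port range the NAS in this thread is configured to use (taken from the post);
# a 227 reply encodes the data port as p1*256 + p2.
PASV_PORT_RANGE = (55536, 55663)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample: the first client session from the post, trimmed to the relevant lines.
SAMPLE_LOG = [
    "*** Connect To ravens.dnsdojo.net:21",
    ">>> AUTH TLS",
    "234 AUTH SSL command successful.",
    ">>> PASV",
    "227 Entering Passive Mode (77,58,93,121,217,22)",
    "*** Data Connection OK",
    ">>> CWD /Work",
    ">>> PASV",
    "227 Entering Passive Mode (77,58,93,121,216,247)",
    "!!! Data Connection Won't Open",
]

def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def audit_ftp_log(lines, port_range=PASV_PORT_RANGE):
    """For each PASV reply: the advertised data port, whether it lies inside the server's
    passive range, and whether the control channel was already TLS-encrypted (a 234 reply
    seen earlier in the session). A firewall ALG cannot parse an encrypted 227 reply, and
    the visible destination NAT rule in the post matches port 21 only, so the data ports
    depend on ALG pinholes. A '*** Connect To' line starts a new session."""
    results, control_encrypted = [], False
    for line in lines:
        s = line.strip()
        if s.startswith("*** Connect To"):
            control_encrypted = False
        elif s.startswith("234 "):
            control_encrypted = True
        parsed = parse_pasv_reply(s)
        if parsed:
            ip, port = parsed
            results.append({"ip": ip, "port": port,
                            "in_range": port_range[0] <= port <= port_range[1],
                            "control_encrypted": control_encrypted})
    return results
```

Run against the sample, both 227 replies decode to ports inside the configured range (55574 and 55543) with the control channel encrypted, which is the state in which an inspecting ALG can no longer see the port the server advertised.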