On 7/6/2015 7:59 PM, Ryan Coleman wrote:
> Using 1:1 has turned most of my knowledge in pfSense completely useless. I
> feel like a beginner again.
>
> FTP worked on port 21. But for security reasons I do not want it there so I
> moved it to port 9000.
>
> ProFTPd is set up for Masquerading on its 1:1 IP, passive ports are dictated
> in the conf (49500-52500) and configured as such in the Firewall Rules.
> Firewall Rules also have port 8999-9001 open for the FTP server.
>
> FTP works internal to the network so the issue isn't in the configuration of
> the ftp server but in the configuration of the firewall.
Seems the actual question/problem statement is missing. What exactly isn't working?

Did you actually change the binding port in ProFTPd or did you redirect 21 to 9000 with a port forward?

If you mix 1:1 NAT and port forwards you will find a couple things you may not expect due to the way pf works and how NAT happens before firewall rules:

1. Port forwards override 1:1 NAT, which is good for doing what you want -but-
2. If you forward a different port (e.g. 9000 to 21) your rule still passes to the local IP on port 21 so BOTH ports are actually accessible. In other words, you can't relocate a port and block access to the original port.

Changing the binding in ProFTPd to 9000 should work around that. If that's what you did, then your rule would pass to the local IP on port 9000.

If that doesn't help, give us a bit more detail about the exact NAT and firewall rules you have and what isn't working as expected. Include firewall logs, states for the test connections, and perhaps a packet capture.

Jim

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
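The ordering Jim describes (translation first, then the filter rules see the translated destination) is easy to check with a toy model. The following is an added example for this thread, not pfSense or pf code: the two rulesets, the 203.0.113.10 public address and the 192.168.1.10 internal address are constructed placeholders. Scenario A keeps ProFTPd on 21 and port-forwards 9000 to 21 alongside the 1:1 mapping; scenario B rebinds the daemon to 9000 and drops the forward.

```python
"""Toy model of pf's order of operations: NAT translation, then filter rules.

Added example for this mailing-list thread, not pf/pfSense code. Rulesets and
addresses below are constructed; the documentation-range IPs are placeholders.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"    # assumed 1:1 public address (constructed)
INTERNAL_IP = "192.168.1.10"  # assumed FTP host behind the 1:1 mapping (constructed)


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rdr:
    """Port forward: public ip/port rewritten to an internal ip/port."""
    pub_ip: str
    pub_port: int
    int_ip: str
    int_port: int


@dataclass(frozen=True)
class Binat:
    """1:1 NAT: whole-address mapping, destination port left unchanged."""
    pub_ip: str
    int_ip: str


@dataclass(frozen=True)
class PassRule:
    """Filter rule written, as on pfSense, against the internal address."""
    dst_ip: str
    dst_port: int


def translate(pkt, rdrs, binats):
    """NAT stage: a matching port forward wins over the 1:1 mapping."""
    for r in rdrs:
        if pkt.dst_ip == r.pub_ip and pkt.dst_port == r.pub_port:
            return replace(pkt, dst_ip=r.int_ip, dst_port=r.int_port)
    for b in binats:
        if pkt.dst_ip == b.pub_ip:
            return replace(pkt, dst_ip=b.int_ip)
    return pkt


def filter_allows(pkt, rules):
    """Filter stage evaluates the already-translated packet; default deny."""
    return any(pkt.dst_ip == r.dst_ip and pkt.dst_port == r.dst_port
               for r in rules)


def evaluate(pkt, rdrs, binats, rules):
    """Return (translated packet, allowed?) for one inbound packet."""
    translated = translate(pkt, rdrs, binats)
    return translated, filter_allows(translated, rules)


# Scenario A: daemon still listens on 21, 9000 forwarded to 21, rule passes int:21
RELOCATE_WITH_FORWARD = dict(
    rdrs=[Rdr(PUBLIC_IP, 9000, INTERNAL_IP, 21)],
    binats=[Binat(PUBLIC_IP, INTERNAL_IP)],
    rules=[PassRule(INTERNAL_IP, 21)],
)

# Scenario B: daemon rebound to 9000, no forward, rule passes int:9000 only
REBIND_DAEMON = dict(
    rdrs=[],
    binats=[Binat(PUBLIC_IP, INTERNAL_IP)],
    rules=[PassRule(INTERNAL_IP, 9000)],
)


def reachable_ports(scenario, ports=(21, 9000)):
    """Map each public port to whether the packet is passed to the internal host."""
    return {p: evaluate(Packet(PUBLIC_IP, p), **scenario)[1] for p in ports}


if __name__ == "__main__":
    # Scenario A: {21: True, 9000: True}; the 1:1 mapping carries pub:21 to
    # int:21, which the pass rule for the forward also allows.
    print("forward 9000->21:", reachable_ports(RELOCATE_WITH_FORWARD))
    # Scenario B: {21: False, 9000: True}; nothing passes int:21 any more.
    print("rebind to 9000:  ", reachable_ports(REBIND_DAEMON))
```

The model is the point Jim makes in one place: in scenario A a packet to the public address on port 21 is never touched by the forward, the 1:1 mapping carries it to the internal address on port 21, and the filter rule that the forward needs then passes it. Rebinding the daemon and writing the rule for port 9000 only (scenario B) is what actually removes port 21 from the outside.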
