Block FTP Service by Firewall

This article describes how to restrict FTP service from LAN clients by using the Firewall function to block the traffic on TCP port 21. In this example, we want to create a firewall rule for all the LAN clients. The configuration necessary is shown below.

Note: We only need to create firewall rules for the outgoing traffic (from LAN to WAN), since the router already blocks all incoming traffic by default.

1. Go to Object Setting >> Services Type Object to create a profile as follows: 

  • Type the profile name as "FTP"
  • Set Protocol to "TCP"
  • Set the Destination Port to "= 21 - 21"

2. Go to Firewall >> Filter Setup >> Filter Set 2, click on an empty rule and edit as follows:

  • Check "Enable"
  • (Optional) Input some comments
  • (Optional) Click Edit at Source IP and enter the IP that should follow this policy. If not specified, this rule will apply to all the LAN hosts.
  • Click Edit at Service Type and select the profile created in step 1
  • Select "Block Immediately" for Filter. You may also check Syslog if you want the router to generate logs about this rule.
  • Click OK to save the profile.  

3. The firewall rule will be active as long as it is enabled. From Diagnostics >> Syslog Explorer, we can see that the router has blocked the attempts to connect to TCP port 21.

1. Go to Object Setting >> Services Type Object to create a profile as follows:

  • Type the profile name as "FTP"
  • Set Protocol to "TCP"
  • Leave Source Port as from 1 to 65535 (it means all the ports)
  • Set Destination Port from 21 to 21.

2. Go to Firewall >> Filter Setup >> IP Filter, create an IP Filter Group and add a rule as follows:

  • Check Enable
  • Select "Block" for Action
  • (Optional) Select "Enable" for Syslog if you want the router to generate logs about this rule.
  • Select "Any" for Input Interface.
  • Select :Any" for Output Interface
  • Select profile created in step 1, "FTP", for the Services Type Object
  • (Optional) Select the IP address at Source IP Object if you want to apply this rule to some hosts only. If not specified, it will apply to all the LAN hosts.
  • Apply the settings

As long as the filter rule is enabled, it will be active. We may go to System Maintenance >> Syslog / Mail Alert >> Syslog File to see if the router has filtered any FTP traffic.
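Both procedures above define the same rule: a service-type object "FTP" (protocol TCP, source port 1 to 65535, destination port 21 to 21) attached to a Block action that applies to all LAN hosts unless a Source IP is given. The following Python script is an added example, not DrayTek code or router output, that models exactly those rule fields and evaluates a few constructed LAN connection attempts against them, then summarizes constructed syslog-style "Block" lines per source host the way you would when checking Syslog Explorer or the Syslog File. The log line format is an assumption for the example; the actual router wording differs. Running it makes the rule's scope visible: only TCP with destination port 21 is matched, so the FTP control channel is blocked, while SFTP (TCP 22) or an FTP server listening on a non-standard port is not covered by this rule.

```python
"""Model of the "FTP" service-type object and Block rule described in the article.

Added example, not DrayTek code. Rule fields mirror the article (TCP,
source port 1-65535, destination port 21-21, action Block, optional
Source IP restriction). Connection attempts and syslog lines are
constructed sample data, not real router output.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceType:
    name: str
    protocol: str          # "TCP" or "UDP"
    src_ports: tuple       # inclusive (low, high), 1-65535 means any
    dst_ports: tuple       # inclusive (low, high)

    def matches(self, protocol, src_port, dst_port):
        return (protocol == self.protocol
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])


@dataclass(frozen=True)
class FilterRule:
    enabled: bool
    service: ServiceType
    action: str                          # "Block" as in the article
    source_ips: frozenset = frozenset()  # empty = applies to all LAN hosts

    def decide(self, src_ip, protocol, src_port, dst_port):
        """Return the rule's action if it applies to this connection, else None."""
        if not self.enabled:
            return None
        if self.source_ips and src_ip not in self.source_ips:
            return None
        if not self.service.matches(protocol, src_port, dst_port):
            return None
        return self.action


# The profile from step 1 and the rule from step 2.
FTP = ServiceType("FTP", "TCP", (1, 65535), (21, 21))
BLOCK_FTP = FilterRule(enabled=True, service=FTP, action="Block")

# Constructed LAN connection attempts: (src_ip, protocol, src_port, dst_port)
ATTEMPTS = [
    ("192.168.1.10", "TCP", 51234, 21),    # FTP control channel: blocked
    ("192.168.1.11", "TCP", 51235, 21),    # another LAN host: blocked
    ("192.168.1.10", "TCP", 51236, 443),   # HTTPS: rule does not apply
    ("192.168.1.10", "TCP", 51237, 22),    # SFTP/SSH is not FTP: not matched
    ("192.168.1.12", "TCP", 51238, 2121),  # FTP on a non-standard port: not matched
    ("192.168.1.10", "UDP", 51239, 21),    # UDP to port 21: protocol mismatch
]


def evaluate(rule, attempts):
    """Pair each attempt with the rule's decision ('Block' or None)."""
    return [(attempt, rule.decide(*attempt)) for attempt in attempts]


def blocked_count(rule, attempts):
    return sum(1 for attempt in attempts if rule.decide(*attempt) == "Block")


# Constructed syslog-style lines (format assumed for this example).
SAMPLE_SYSLOG = """\
[FIREWALL] Block 192.168.1.10:51234 -> 203.0.113.5:21 TCP
[FIREWALL] Block 192.168.1.11:51235 -> 203.0.113.5:21 TCP
[FIREWALL] Pass 192.168.1.10:51236 -> 203.0.113.5:443 TCP
[FIREWALL] Block 192.168.1.10:51240 -> 198.51.100.7:21 TCP
"""

LOG_RE = re.compile(
    r"\[FIREWALL\] (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)


def blocked_ftp_by_host(log_text):
    """Count blocked TCP/21 connection attempts per LAN source host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["action"] == "Block" and m["proto"] == "TCP" and int(m["dport"]) == 21:
            counts[m["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for attempt, decision in evaluate(BLOCK_FTP, ATTEMPTS):
        print(attempt, "->", decision or "not matched by this rule")
    print("blocked FTP attempts per host:", blocked_ftp_by_host(SAMPLE_SYSLOG))
```

Passing a Source IP set to `FilterRule` reproduces the optional "Source IP" step: with `frozenset({"192.168.1.10"})` only that host's attempt to port 21 is blocked and the other hosts fall through to the default policy.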

Published On: 2017-05-16 
