FTP access to server behind WatchGuard Firebox

Is it possible to open the FTP port (21) to just one server behind the Firebox? We have vendors that will be dropping off files on an FTP server that we will be hosting. I'd like to open port 21 on the Firebox, but in a way that doesn't open the port to all other servers behind the Firebox.
mansurw02 Asked:

dpk_wal Commented:
When you open a service on a given port on the firewall, only that specific port/protocol is allowed through to the internal machine; so in your case, if you use the FTP proxy and allow inbound FTP traffic, it would come in to that server only and to no other internal machine. Also, all other traffic would be denied.

Please note that if an attacker or remote user is clever enough to send FTP traffic and hide other traffic inside it, that other traffic would also reach the internal server; doing so is, however, a bit tough and would need a lot of expertise. Normally you would never hit this scenario.

So go ahead and open the FTP service to just the needed server and things should be good.

Thank you.
0
mansurw02 Author Commented:
I set up an FTP server behind the WatchGuard and tried opening up the port just to one of the internal servers, the FTP server (i.e. From: Any, To: a specific internal host address). I was not able to connect to it until I finally configured the FTP port as Any/Any. I'm assuming this isn't best practice.
0
dpk_wal Commented:
Yes, you should not have From/To as Any/Any on any service; you should rather have:
From: ANY, or a specific IP/subnet (if applicable)
To: public-ip-or-external-ip -> internal-ip [static NAT]; or public-IP [public IP of 1-to-1 NAT]

This should work; can you check and update?

Thank you.
0
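Taking both of dpk_wal's points above together (a service policy only admits its own port/protocol to the target host, and the From/To should be the vendor range or Any and the public IP with static NAT, never Any/Any), here is an added example that is not part of the thread and is not WatchGuard code: a small Python model of first-match inbound policy evaluation, plus a lint that flags Any/Any rules. The Policy class, the addresses, the host names and the vendor range are assumptions made up for the illustration; the Firebox itself is configured in Policy Manager. Only the FTP control channel (TCP/21) is modelled; the Firebox FTP proxy takes care of the data channel on its own.

```python
# Added example (not from the original thread or from WatchGuard): a small
# model of how an inbound firewall policy decides which internal host a
# connection may reach. The Policy fields, host names and addresses are
# assumptions for illustration; the Firebox itself is configured in Policy
# Manager, and this is not its rule engine.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ANY = "Any"


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port the policy allows
    src: str                        # "Any" or a CIDR of permitted sources (From)
    dst: str                        # "Any" or the public IP the policy accepts (To)
    snat_to: Optional[str] = None   # internal host for static NAT, if any


def source_matches(policy: Policy, src_ip: str) -> bool:
    """True if src_ip falls inside the policy's From field."""
    if policy.src == ANY:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(policy.src, strict=False)


def evaluate(policies: List[Policy], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[str], Optional[str]]:
    """First-match evaluation of one inbound connection attempt.

    Returns ("allow", policy name, host the connection is delivered to)
    or ("deny", None, None). A static-NAT policy rewrites the destination
    from the public IP to the internal host; a policy without NAT delivers
    to whatever address the packet already carried.
    """
    for p in policies:
        if p.proto != proto or p.port != dport:
            continue
        if not source_matches(p, src_ip):
            continue
        if p.dst != ANY and p.dst != dst_ip:
            continue
        return ("allow", p.name, p.snat_to or dst_ip)
    return ("deny", None, None)


def lint(policies: List[Policy]) -> List[str]:
    """Names of policies whose From and To are both Any: every destination the
    firewall will forward to is exposed on that port, not just the one intended."""
    return [p.name for p in policies if p.src == ANY and p.dst == ANY]


# Constructed addresses (RFC 5737 documentation ranges); not the asker's real ones.
PUBLIC_IP = "198.51.100.10"      # public IP that static / 1-to-1 NAT maps to the FTP host
FTP_SERVER = "10.0.0.5"          # internal FTP server
OTHER_SERVER = "10.0.0.6"        # some other internal server that must stay closed
VENDOR_NET = "203.0.113.0/24"    # vendors' address range, if it is known

# What the asker ended up with: it connects, but the rule is tied to no particular host.
ANY_ANY = [Policy("FTP", "tcp", 21, ANY, ANY)]

# The shape recommended above: From a known range (or Any), To the public IP,
# static NAT to the single FTP server.
RESTRICTED = [Policy("FTP-vendors", "tcp", 21, VENDOR_NET, PUBLIC_IP, snat_to=FTP_SERVER)]

if __name__ == "__main__":
    print("any/any lint:", lint(ANY_ANY))                               # ['FTP']
    print(evaluate(ANY_ANY, "tcp", "203.0.113.7", OTHER_SERVER, 21))    # other host reachable on 21
    print(evaluate(RESTRICTED, "tcp", "203.0.113.7", PUBLIC_IP, 21))    # allowed, delivered to FTP_SERVER
    print(evaluate(RESTRICTED, "tcp", "203.0.113.7", OTHER_SERVER, 21)) # denied: not the published IP
    print(evaluate(RESTRICTED, "tcp", "203.0.113.7", PUBLIC_IP, 22))    # denied: wrong port
    print(evaluate(RESTRICTED, "tcp", "192.0.2.9", PUBLIC_IP, 21))      # denied: not a vendor address
```

Running the block shows the difference the asker ran into: the Any/Any policy admits port 21 to whatever destination the firewall will forward to, while the static-NAT policy admits only the public IP on port 21 and hands it to the one FTP host; the same port toward another host, another port toward the public IP, and anything from outside the vendor range are all denied.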

mansurw02 Author Commented:
I set To: public-IP (from whatismyip.com) and it worked great. As I am relatively new in this position, how do I check whether the public IP is static or dynamic? I know the internal IP is static, but I am not sure about the public IP, as it differs from the Firebox external IP. I don't want to have to keep updating the firewall policy whenever I reboot the FTP server.
0
dpk_wal Commented:
In Policy Manager go to Network -> Configuration; if the IP on the external interface is configured as static, and you also have a secondary network or aliases configured, then you have a static IP. You can always call up your ISP and check with them whether they have provided a static IP, or what service they are providing.

Thank you.
0
mansurw02 Author Commented:
Thank you!  Everything works great.
0