FTP sessions from foreign IPs

  • 220.132.255.239
    CHTD, Chunghwa Telecom Co.,Ltd.
    Taipei, Taiwan, 100


    119.177.160.27
    China Unicom Shandong Province Network
    No.21,Jin-Rong Street
    Beijing,100033
    P.R.China


    You exposed the service to the touch of the world; various strange things will touch it. Limit the IP range using a firewall or hide FTP behind NAT. Unless you have to expose the service to the world, take into account that different BS will try to connect. If your car is standing on the street, anyone who passes by can simply touch it and check whether the doors are locked or can be opened.

  • The question is: do you need to have FTP publicly available to the whole world? If not, block all IPs and allow only those that belong to you and need access to FTP. The same goes for the other services you have running in OMV!
    If something does not have to be available from outside your LAN, block access to it. If you need to reach your OMV from somewhere outside your LAN, maybe think of ZeroTier or a VPN.


    I have already published firewall rules in this forum. If you're interested, you can search. But nobody was interested in it ...
    And of course, always make sure that the software is up-to-date and that there is no anonymous access to services.


    Your car is publicly available. Anyone can touch it. No law prohibits this. So put it in a private, guarded garage!!!

  • I have already published firewall rules in this forum. If you're interested, you can search.

    I didn't find your post straight away. There are several threads related to this topic.


    But nobody was interested in it ...

    I would not assume that nobody is interested. Firewall rules are generally a very complex issue and only a few users are familiar with them.



    Look at your spoiler from the other thread:
    # Drop TCP packets carrying flag combinations no normal client sends (scanner fingerprints)
    -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
    # Drop IP fragments and packets conntrack cannot classify
    -A INPUT -f -j DROP
    -A INPUT -m state --state INVALID -j DROP
    # (these two repeat rules from above; harmless, but redundant)
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # A new TCP connection must start with a plain SYN
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    # Loopback is trusted
    -A INPUT -i lo -j ACCEPT
    # Explicitly close these ports (8080 web UI alternate, 3389 RDP) for everyone
    -A INPUT -p tcp -m tcp --dport 8080 -j DROP
    -A INPUT -p udp -m udp --dport 8080 -j DROP
    -A INPUT -p tcp -m tcp --dport 3389 -j DROP
    # Only the router (192.168.1.1) on the LAN NIC may open new connections to this host
    -A INPUT -s 192.168.1.1/32 -i enx001e0630caa8 -j ACCEPT
    # Anti-spoofing: 127.0.0.0/8 is only valid on lo. The second rule originally read "-i lo",
    # which the lo ACCEPT above already makes unreachable; "! -i lo" is the intended check.
    -A INPUT -d 127.0.0.0/8 -j DROP
    -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
    # Replies to connections this host opened; everything else inbound is dropped
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j DROP
    # Outbound: replies, loopback, anti-spoofing
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -d 127.0.0.0/8 -j DROP
    # DNS (and anything else) to 9.9.9.9 only
    -A OUTPUT -d 9.9.9.9/32 -p udp -j ACCEPT
    -A OUTPUT -d 9.9.9.9/32 -p tcp -j ACCEPT
    # New outbound HTTPS, HTTP and FTP control connections (e.g. updates)
    -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -m tcp -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -m tcp -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -m tcp -j ACCEPT
    # Anything to the local LAN
    -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    # Ping out freely, other ICMP rate-limited to 1/sec, rest dropped; default deny outbound
    -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type any -j DROP
    -A OUTPUT -j DROP

    OMV 3.0.100 (Gray style)

    ASRock Rack C2550D4I C0-stepping - 16GB ECC - 6x WD RED 3TB (ZFS 2x3 Striped RaidZ1) - Fractal Design Node 304 -

    3x WD80EMAZ Snapraid / MergerFS-pool via eSATA - 4-Bay ICYCube MB561U3S-4S with fan-mod
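    The advice in this thread (allow FTP only from your own address range, drop the rest) and the quoted ruleset above both describe a default-deny INPUT chain. The script below is an added example written for this page; it is not code from the thread, from OMV or from the poster's spoiler. It generates an iptables-restore fragment that lets only a LAN range open the FTP control port and logs every other attempt before the chain policy drops it, which turns "sessions from foreign IPs" into a line in the kernel log instead of a session. The function names build_ftp_rules and check_ftp_rules and the default 192.168.1.0/24 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from this thread or from OMV): build an iptables-restore
# fragment that exposes the FTP control channel (tcp/21) to one LAN range only
# and logs everything else that knocks. build_ftp_rules / check_ftp_rules and
# the 192.168.1.0/24 default are assumptions of this example.

build_ftp_rules() {
    lan_net="${1:-192.168.1.0/24}"   # assumed home LAN; adjust to yours
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted; 127/8 arriving on any other interface is spoofed
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# replies to connections already known to conntrack; junk it cannot place
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# FTP control channel: new connections only from the LAN range
-A INPUT -p tcp --dport 21 -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# anyone else opening tcp/21 is logged (rate limited) and then hits the DROP policy
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "FTP-FOREIGN: "
COMMIT
EOF
}

# Syntax-check the generated table against the running kernel without loading
# it (iptables-restore --test, needs root). Exit status 0 means it parsed.
check_ftp_rules() {
    build_ftp_rules "$1" | iptables-restore --test
}

# Print the fragment:  sh ftp-rules.sh --print [lan_cidr]
if [ "${1:-}" = "--print" ]; then
    build_ftp_rules "${2:-}"
fi
```

    Load it with `build_ftp_rules 192.168.1.0/24 | iptables-restore` after `check_ftp_rules` passes, then watch `FTP-FOREIGN:` lines in the kernel log to see who is still trying. One caveat a practitioner needs: passive-mode FTP data connections are only matched by RELATED when the ftp conntrack helper is active (nf_conntrack_ftp; on kernels where automatic helper assignment is disabled, assign it in the raw table with the CT target), otherwise LAN clients will log in but fail on directory listings.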

  • Firewall rules are generally a very complex issue and only a few users are familiar with them.

    Yes and no. A few simple rules for the average user at home I would rather not call complicated, no matter which firewall or operating system. We are not building here a set of rules for a large, complex network where the level of threat is high.
    I am always sad that so few people use a firewall. It is not about complicated rule sets but rather a simple in/out control policy and awareness of what the user's computer or network is doing. If SOHO routers did not have NAT, the situation would be absurd, with the number of publicly available services and people unaware of what their computer is doing.
    Of course, I advise against copy/paste without knowing at least minimally what the rules do, because you can block or open something that you did not plan.
    Unfortunately, a very large number of guides on the web are now quite outdated and often introduce more errors into the user's thought process.


    In my opinion, a firewall should be treated like a door with locks, and this is how the user should think about it. But even in the Linux world there is a narrative that a firewall is not especially needed for a novice user, and thus you don't develop the habits of using and learning it.
