On 1.1.8 this configuration works:
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group FTP-HOSTS network '172.16.1.10/32'
set firewall group network-group SSH-HOSTS network '172.16.1.10/32'
set firewall group network-group WEB-HOSTS network '172.16.1.10/32'
set firewall group port-group FTP-PORTS port '21'
set firewall group port-group SSH-PORTS port '22'
set firewall group port-group SSH-PORTS port '2222'
set firewall group port-group WEB-PORTS port '80'
set firewall group port-group WEB-PORTS port '443'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name IN-ETH0 default-action 'drop'
set firewall name IN-ETH0 rule 10 action 'accept'
set firewall name IN-ETH0 rule 10 description 'ICMP'
set firewall name IN-ETH0 rule 10 protocol 'icmp'
set firewall name IN-ETH0 rule 30 action 'accept'
set firewall name IN-ETH0 rule 30 description 'WWW to WEB-HOSTS'
set firewall name IN-ETH0 rule 30 destination group network-group 'WEB-HOSTS'
set firewall name IN-ETH0 rule 30 destination group port-group 'WEB-PORTS'
set firewall name IN-ETH0 rule 50 action 'accept'
set firewall name IN-ETH0 rule 50 description 'SSH to SSH-HOSTS'
set firewall name IN-ETH0 rule 50 destination group network-group 'SSH-HOSTS'
set firewall name IN-ETH0 rule 50 destination group port-group 'SSH-PORTS'
set firewall name IN-ETH0 rule 70 action 'accept'
set firewall name IN-ETH0 rule 70 description 'FTP to FTP-HOSTS'
set firewall name IN-ETH0 rule 70 destination group network-group 'FTP-HOSTS'
set firewall name IN-ETH0 rule 70 destination group port-group 'FTP-PORTS'
set firewall name IN-ETH0 rule 9999 action 'drop'
set firewall name IN-ETH0 rule 9999 description 'Drop all and log'
set firewall name IN-ETH0 rule 9999 log 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xxx.xxx.xxx.xxx/xx'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in name 'IN-ETH0'
set interfaces ethernet eth0 hw-id '00:0c:29:32:f0:3b'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '172.16.1.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:32:f0:45'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback 'lo'
set nat destination rule 19 description 'nat-server'
set nat destination rule 19 destination address 'xxx.xxx.xxx.xxx'
set nat destination rule 19 destination port '!2222'
set nat destination rule 19 inbound-interface 'eth0'
set nat destination rule 19 protocol 'tcp_udp'
set nat destination rule 19 translation address '172.16.1.10'
set nat source rule 50 description 'nat-test'
set nat source rule 50 outbound-interface 'eth0'
set nat source rule 50 source address '172.16.1.0/24'
set nat source rule 50 translation address 'xxx.xxx.xxx.xxx'
set protocols static route 0.0.0.0/0 next-hop 'xxx.xxx.xxx.xxy'
After upgrade to 1.2.0-rc10, FTP to the server does not work. The server is configured with passive mode and 30000 - 30100 as the min and max port.
Adding
set firewall group port-group FTP-PORTS port '30000-30100'
makes it work.
Without firewall rules and using only NAT, the FTP connection works.
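The following is an added example, not part of the report above and not VyOS's own code. It parses the reporter's `set` lines into port groups, network groups and the IN-ETH0 chain, then walks the rules in numeric order the way a stateless packet filter would, to show why the passive-mode data connection (any port in 30000-30100 to 172.16.1.10) falls through to the logging drop in rule 9999 until that range is added to FTP-PORTS. It deliberately models only the rules as written; it assumes no connection-tracking helper is in play and ignores the NAT rules, so it does not claim to explain why 1.1.8 behaved differently.

```python
"""Stateless walk of a VyOS-style firewall chain (added example)."""
import ipaddress
import re

# Subset of the reporter's configuration (descriptions omitted).
BASE_CONFIG = """
set firewall group network-group FTP-HOSTS network '172.16.1.10/32'
set firewall group network-group SSH-HOSTS network '172.16.1.10/32'
set firewall group network-group WEB-HOSTS network '172.16.1.10/32'
set firewall group port-group FTP-PORTS port '21'
set firewall group port-group SSH-PORTS port '22'
set firewall group port-group SSH-PORTS port '2222'
set firewall group port-group WEB-PORTS port '80'
set firewall group port-group WEB-PORTS port '443'
set firewall name IN-ETH0 default-action 'drop'
set firewall name IN-ETH0 rule 10 action 'accept'
set firewall name IN-ETH0 rule 10 protocol 'icmp'
set firewall name IN-ETH0 rule 30 action 'accept'
set firewall name IN-ETH0 rule 30 destination group network-group 'WEB-HOSTS'
set firewall name IN-ETH0 rule 30 destination group port-group 'WEB-PORTS'
set firewall name IN-ETH0 rule 50 action 'accept'
set firewall name IN-ETH0 rule 50 destination group network-group 'SSH-HOSTS'
set firewall name IN-ETH0 rule 50 destination group port-group 'SSH-PORTS'
set firewall name IN-ETH0 rule 70 action 'accept'
set firewall name IN-ETH0 rule 70 destination group network-group 'FTP-HOSTS'
set firewall name IN-ETH0 rule 70 destination group port-group 'FTP-PORTS'
set firewall name IN-ETH0 rule 9999 action 'drop'
set firewall name IN-ETH0 rule 9999 log 'enable'
"""
# The one-line fix from the report.
FIX_LINE = "set firewall group port-group FTP-PORTS port '30000-30100'\n"

_PORT_GROUP = re.compile(r"^set firewall group port-group (\S+) port '(\d+)(?:-(\d+))?'$")
_NET_GROUP = re.compile(r"^set firewall group network-group (\S+) network '(\S+)'$")
_DEFAULT = re.compile(r"^set firewall name (\S+) default-action '(\S+)'$")
_RULE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+?) '([^']*)'$")


def parse_config(text):
    """Collect groups, per-chain default actions and rule attributes."""
    cfg = {"port_groups": {}, "net_groups": {}, "default": {}, "rules": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _PORT_GROUP.match(line):
            lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
            cfg["port_groups"].setdefault(m.group(1), []).append((lo, hi))
        elif m := _NET_GROUP.match(line):
            cfg["net_groups"].setdefault(m.group(1), []).append(ipaddress.ip_network(m.group(2)))
        elif m := _DEFAULT.match(line):
            cfg["default"][m.group(1)] = m.group(2)
        elif m := _RULE.match(line):
            chain, num, key, val = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            cfg["rules"].setdefault(chain, {}).setdefault(num, {})[key] = val
    return cfg


def _rule_matches(cfg, rule, proto, dst_ip, dst_port):
    """A rule matches only if every criterion it specifies matches."""
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    ng = rule.get("destination group network-group")
    if ng and not any(dst_ip in net for net in cfg["net_groups"].get(ng, [])):
        return False
    pg = rule.get("destination group port-group")
    if pg:
        if proto not in ("tcp", "udp"):   # ports only exist for TCP/UDP
            return False
        if not any(lo <= dst_port <= hi for lo, hi in cfg["port_groups"].get(pg, [])):
            return False
    return True


def evaluate(cfg, chain, proto, dst_ip, dst_port=None):
    """Return (action, rule number); rule number is None if the default applies."""
    dst_ip = ipaddress.ip_address(dst_ip)
    default = cfg["default"].get(chain, "drop")
    for num in sorted(cfg["rules"].get(chain, {})):
        rule = cfg["rules"][chain][num]
        if _rule_matches(cfg, rule, proto, dst_ip, dst_port):
            return rule.get("action", default), num
    return default, None


def dropped_ports(cfg, chain, dst_ip, lo, hi, proto="tcp"):
    """Ports in [lo, hi] that the chain would not accept for dst_ip."""
    return [p for p in range(lo, hi + 1) if evaluate(cfg, chain, proto, dst_ip, p)[0] != "accept"]


if __name__ == "__main__":
    for label, cfg in (("without fix", parse_config(BASE_CONFIG)),
                       ("with 30000-30100", parse_config(BASE_CONFIG + FIX_LINE))):
        print(label, "port 21 ->", evaluate(cfg, "IN-ETH0", "tcp", "172.16.1.10", 21),
              "port 30050 ->", evaluate(cfg, "IN-ETH0", "tcp", "172.16.1.10", 30050),
              "dropped passive ports:", len(dropped_ports(cfg, "IN-ETH0", "172.16.1.10", 30000, 30100)))
```

Running it shows the control connection to port 21 accepted by rule 70 in both cases, while every port of the passive range is dropped (and logged) by rule 9999 until the fix line is present. The same `dropped_ports` check is a cheap way to confirm, before rolling out a ruleset change, that a service's whole dynamic port range is covered rather than only its control port.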