Re: PORTS necessary for surfing?

From: bargepole (jbhur@hotmail.com)
Date: 01/05/02


From: "bargepole" <jbhur@hotmail.com>
Date: Sat, 05 Jan 2002 18:48:38 GMT

You need to port map connections from the outside made to your Internet
address, TCP port 21 to your FTP server's address.

Port Mapping
Listen Port: 21
Listen IP: <unspecified>
Protocol: TCP
Destination IP: LAN address of FTP server
Dest. Port: 21
Allow access only from: (optionally checked)

This assumes your FTP server, running on the Winroute gateway, listens for
connections to TCP port 21 on any interface (Internet or LAN). Note that
there's no need to port map TCP port 20.

Rules are a little trickier, depending on what filter schemes are used.
Typically, rules are attached to the Internet interface. All traffic to be
allowed in is specified and the final rule drops or denies all other
traffic.
Put this rule above your "drop all" rule:

Incoming
Internet Interface
Permit TCP Any host port>1023 -> Any host port in (20,21)

This will allow FTP-Data (port 20) and FTP-Control (port 21) packets to be
exchanged between your FTP server and an Internet host. Get rid of the other
FTP rules.

I suggest you check out Tiny's online manual. It describes how to configure
Winroute to accommodate an FTP server on the LAN.

"Bjorn" <bjornxon@hotmail.com> wrote in message
news:saCZ7.9154$l93.2231049@newsb.telia.net...
> I have an FTP-server on the same computer as WinRoute but can't connect to it
> from the outside as long as the WinRoute firewall is on. Have I missed
> something again? :)
>
> I have these rules:
> Permit TCP Any host port= 20-21 -> Any host port= 20-21
> Permit TCP Any host port=20 -> Any host port>1023
> Permit TCP Any host port=21 -> Any host port>1023
>
> ..but it still doesn't work. If I shut the WinRoute-engine down people can
> connect to the FTP-server program without problems.
>
> Any tips?
>
> /Bjorn
>
>
> "bargepole" <jbhur@hotmail.com> wrote in message
> news:LicY7.150127$KT.38907415@news4.rdc1.on.home.com...
> > Winroute Pro, as early as version 3, allocated ports 61000 to 65535 for
> > Winroute clients' outbound connections. A default Winroute gateway always
> > connects to an Internet host using a port between 61000 and 65535. TCP port
> > 80 is the typical destination port of a client's web browser communications.
> >
> > You're blocking the replies from the servers to which you're trying to
> > connect.
> >
> > Here's a rule set suggestion to achieve what you want.
> >
> > Packet Filter
> > Incoming
> > Internet Interface
> > Permit UDP Any host port=53 -> Any host port>1023
> > Permit TCP Any host port=80 -> Any host port>1023
> > Permit TCP Any host port=443 -> Any host port>1023
> > Drop IP Any host -> Any host
> >
> > This rule set will allow DNS lookups, connections to standard HTTP and HTTPS
> > servers, and block any traffic from anywhere else. FTP, MSN, and mail
> > connection attempts, for example, will fail until you provide rules (above
> > the last) to allow such communication.
> >
> > "Bjorn" <bjornxon@hotmail.com> wrote in message
> > news:1j5Y7.7262$l93.1866690@newsb.telia.net...
> > > Hi
> > > I'm using WinRoute Pro 3.0 on an old PC acting as a firewall and router.
> > > As I understand it, port 80 is the one used for surfing so what I did was
> > > to close almost all incoming ports except for number 80. When I try to
> > > surf it doesn't work and I can see in the log file that it's trying to get
> > > traffic on some ports around 61000 so I open some of them up. It works for
> > > a while but then it stops and I see there's traffic on port 61100 or
> > > higher trying to get in. It seems to be counting upwards. When I open more
> > > ports it works for a moment but soon it reaches the final open port and I
> > > have to open more. What on earth is this?
> > >
> > > /bjorn
> >
> >
> >
>
>
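
The rule sets quoted in this thread, run through a small first-match packet filter model. This is an added example, not part of the original posts and not WinRoute code; the `Packet`/`Rule` classes, the helper names and the sample packets are constructed, and the first FTP rule set is assumed to end in the same "drop all" rule as the surfing set.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Packet:                      # an incoming packet on the Internet interface
    proto: str                     # "TCP" or "UDP"
    sport: int                     # source port (remote host)
    dport: int                     # destination port (gateway side)

@dataclass(frozen=True)
class Rule:
    action: str                    # "Permit" or "Drop"
    proto: str                     # "TCP", "UDP" or "IP" (matches any protocol)
    sport: Callable[[int], bool]
    dport: Callable[[int], bool]

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("IP", p.proto)
                and self.sport(p.sport) and self.dport(p.dport))

def eq(n): return lambda port: port == n
def within(*ports): return lambda port: port in ports
def above(n): return lambda port: port > n
def any_port(port): return True

DROP_ALL = Rule("Drop", "IP", any_port, any_port)

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, so order matters; nothing matched means Drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "Drop"

# Rules from the question: every permit keys on a source port of 20 or 21.
ORIGINAL_FTP = [Rule("Permit", "TCP", within(20, 21), within(20, 21)),
                Rule("Permit", "TCP", eq(20), above(1023)),
                Rule("Permit", "TCP", eq(21), above(1023)), DROP_ALL]
# Rule from the reply: client source port >1023, destination port 20 or 21.
SUGGESTED_FTP = [Rule("Permit", "TCP", above(1023), within(20, 21)), DROP_ALL]
# Surfing rule set from the earlier reply.
SURFING = [Rule("Permit", "UDP", eq(53), above(1023)),
           Rule("Permit", "TCP", eq(80), above(1023)),
           Rule("Permit", "TCP", eq(443), above(1023)), DROP_ALL]

# Constructed sample packets (port numbers chosen for illustration).
CLIENT_TO_FTP = Packet("TCP", 40000, 21)   # outside client opening the control connection
WEB_REPLY = Packet("TCP", 80, 61100)       # web server reply to a NAT port in 61000-65535
MAIL_REPLY = Packet("TCP", 110, 61100)     # POP3 reply, no rule permits it

if __name__ == "__main__":
    for name, rules, pkt in [("original FTP", ORIGINAL_FTP, CLIENT_TO_FTP),
                             ("suggested FTP", SUGGESTED_FTP, CLIENT_TO_FTP),
                             ("surfing", SURFING, WEB_REPLY),
                             ("surfing", SURFING, MAIL_REPLY)]:
        print(f"{name:14} {pkt} -> {decide(rules, pkt)}")
```

The model is stateless, as the rules in the thread are: it matches protocol and ports only and does not track whether a packet belongs to a connection started from the LAN.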


