Re: Microsoft FTP through Firewall

From: JoeZ (jz@zabram.com.removethis)
Date: 06/06/02


From: jz@zabram.com.removethis (JoeZ)
Date: Thu, 06 Jun 2002 21:27:54 GMT

When the server comes back with

227 Entering Passive Mode (xxx,xxx,xxx,xxx,xxx,xxx)

is (xxx.xxx.xxx.xxx) its private IP address? If so, that's the IP
address that the client will use to try to contact the server. Of
course, it won't work. What you need is either a firewall that can
"look deeper" into the PASV packet coming from the server and swap the
internal for external address (I believe PIX can (fixup ftp)), or an
FTP server that will allow you to specify the IP address you want to
use for PASV. As far as I know, Microsoft FTP can't do this, but I'm
still looking. I think Serv-U, among others, will allow you to.

Thanks, -JZ

On 7 May 2002 02:18:42 -0700, sam_collett@lycos.co.uk (Sam Collett)
wrote:

>Turning off passive ftp results in the following:
>
>257 "/www" is current directory.
> TYPE A
>200 Type set to A.
> PORT 212,196,170,80,4,117
>502 Command not implemented.
>
>Anyone have any idea where I can find Borderware documentation - i.e.
>for step by step instructions on setting up ftp with it?
>
>"Frank S" <fsexton@qwest.net> wrote in message news:<MJxA8.44394$N8.3365422@bin5.nnrp.aus1.giganews.com>...
>> Your client is trying to use the Passive mode. The Passive mode operates on
>> high ports (above 1024). Apparently they are closed. The default W2K (and
>> NT) ftp client operates in the standard mode (20 and 21).
>>
>> -Frank
>>
>> "Sam Collett" <sam_collett@lycos.co.uk> wrote in message
>> news:2030665d.0205030105.1295c392@posting.google.com...
>> > We are using Borderware as the firewall for a network. However I have
>> > not managed to get ftp to work through it correctly (the ftp server is
>> > on Windows 2000, using the built-in one).
>> > I have opened up ports 20 and 21 and pointed them to the ftp server,
>> > and set up the proxy (using the Advanced Tab in the port settings) to
>> > be FTP. However it is not working as intended:
>> > The login process is successful, but falls over when I try to list the
>> > directory contents (ftpuser has full access rights):
>> >
>> > Connecting to (ftpserver).
>> > Connected to (ftpserver) -> IP: xxx.xxx.xxx.xxx PORT: 21.
>> > Socket connected waiting for login sequence.
>> > 220 ftpserver Microsoft FTP Service (Version 5.0).
>> > USER ftpuser
>> > 331 Password required for ftpuser.
>> > PASS (hidden)
>> > 230 User ftpuser logged in.
>> > SYST
>> > 215 Windows_NT version 5.0
>> > REST 100
>> > 350 Restarting at 100.
>> > REST 0
>> > 350 Restarting at 0.
>> > PWD
>> > 257 "/" is current directory.
>> > CWD /www
>> > 250 CWD command successful.
>> > PWD
>> > 257 "/www" is current directory.
>> > TYPE A
>> > 200 Type set to A.
>> > PASV
>> > 227 Entering Passive Mode (xxx,xxx,xxx,xxx,xxx,xxx)
>> > Opening data connection IP: xxx.xxx.xxx.xxx PORT: xxxxx.
>> > LIST
>> > 425 Can't open data connection.
>> >
>> > What is causing this problem? Has anyone successfully set up Microsoft
>> > FTP through Borderware Firewall?
>> > It works correctly on the local network, just not externally.
>> >
>> > TIA
>> >
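
The check described in the reply above, as an added example that is not part of the original thread: it parses a 227 reply, computes the data port, and flags the case where the server advertises an RFC 1918 address to a client that reached it on a public one. The function names and the sample addresses (192.168.1.20, 203.0.113.10, 198.51.100.7) are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 "227" reply carries six decimal fields: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is in one of the private ranges a NAT firewall hides."""
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply, or None."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def diagnose(reply, control_peer):
    """Compare the PASV address with the address the client connected to."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    host, _port = parsed
    peer = ipaddress.IPv4Address(control_peer)
    if host == peer:
        return "ok"
    if is_rfc1918(host) and not is_rfc1918(peer):
        # Server behind NAT leaked its internal address; the firewall
        # did not rewrite the reply, so the data connection will fail.
        return "private-address-leak"
    return "address-mismatch"


if __name__ == "__main__":
    # Constructed sample: client reached the server on a public address.
    sample = "227 Entering Passive Mode (192,168,1,20,4,117)"
    print(parse_pasv(sample), diagnose(sample, "203.0.113.10"))
```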


