Re: IIS5 Passive FTP Networking problem (long)
From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 12/14/04
- Next message: Laurent Bertin: "Re: strange thing with request.Form and anonymous login"
- Previous message: WinGuy: "IIS5 Passive FTP Networking problem (long)"
- In reply to: WinGuy: "IIS5 Passive FTP Networking problem (long)"
- Next in thread: WinGuy: "Re: IIS5 Passive FTP Networking problem (long)"
- Reply: WinGuy: "Re: IIS5 Passive FTP Networking problem (long)"
Date: Tue, 14 Dec 2004 15:27:04 +0800
Great stuff! The problem is with the NAT. While I can't give you as good an
explanation as the MS 'F' guy who takes care of IIS FTP, here's what I
can tell you.
> The first problem is that I can not tell by the below listing if that
> 5555-5700 port range is being respected when the server responds with
> "Entering Passive Mode (192,168,1,100,21,188)". I see that the IIS IP
> address of 192.168.1.100 is represented there, and that the command port
> is 21, but I don't see how "188" is supposed to represent a data port
> within the range of 5555-5700.
Yes, it is within the port range. To calculate it, you take the last two
'numbers':
21 * 256 + 188 = 5564
Details:
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
> The 2nd problem is that I can't seem to tell IIS5 FTP Service to say
> "67,115,67,162" instead of "192,168,1,100". If I set it to 67.115.67.162
> using the IIS Manager then FTP doesn't work in active mode anymore, and
> still doesn't work in passive mode either. The router has that public WAN
> address, is why.
This is related to the design of NAT, and it is correct to see the internal
IP address while NAT is doing the port translation.
Your setup is kinda complicated :) I mean in terms of NAT, and I'm not
sure if I get you correctly, but I have seen the same model of router that is
able to support ftp passive mode without any problem.
So you have:
Net | MBS + LAN | Linksys and IIS FTP
Am I correct?
My question now: can LAN users connect via ftp successfully in passive mode?
Let's wait for Alun to comment further.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"WinGuy" <no_spam@nomail.bot> wrote in message news:sauvd.59435$QJ3.41357@newssvr21.news.prodigy.com...
> At the end of this message is an abbreviated Ethereal capture that shows
> the passive FTP problem that I have. Networking isn't really the issue but
> it is a victim if I can not configure IIS5 FTP Service to identify (spoof)
> itself during a passive FTP connection setup the way that I need for it to
> do. Maybe someone can help after reading all this, lengthy as it surely
> is!
>
> I've an interesting networking problem in trying to get IIS5 on W2K, which
> is behind a Linksys router, working with passive FTP initiated by a client
> that is behind a Microsoft Base Station router (or any client on the
> internet, actually). The IIS5 server box is the only computer connected to
> the Linksys. Several computers are connected to the MBS router. Both
> routers connect to a DSL modem via a hub. Each router has a dedicated
> public IP address. So there are 2 LANs. The Linksys uses only static LAN
> addresses, the MSB uses dynamic.
>
> The intent was if one LAN got infected then it could not easily infect the
> other, as only the clients on the MSB side can initiate a connection to
> the server, and then only via internet, and the server can not initiate a
> connection to any client on the MSB side. The other advantage was to
> decrease load on the software based firewalls that every computer uses, as
> a router isn't a very good firewall compared to BlackIce, ZoneAlarm Pro,
> and so on - and so a DoS would be mitigated to some degree by the routers,
> decreasing CPU load on the boxes. BlackIce is pretty good in tangent with
> URLScan for webserver security and with recognizing FTP or SMTP attacks,
> and ZoneAlarm is great for controlling ports and keeping a rogue infection
> from being able to use the internet to spread havoc. And the software
> firewalls allow denying internet connections from IP addresses or
> specified domains, which the routers can not do. It's a very secure setup,
> actually, and it has withstood all attacks for over 2 years now.
>
> Active FTP works fine, but there's a problem implementing passive FTP. The
> registry entry was performed for IIS so that passive FTP would use ports
> 5555-5700, per Microsoft KB555022. The IIS Linksys router was configured
> to forward the port range of 5555-5700 to the static 192.168.1.252 IP
> address that the server uses. So they are not blocked by the Linksys
> router. With passive FTP the clients initiate all connections, so the MBS
> router also does not block that range.
>
> The first problem is that I can not tell by the below listing if that
> 5555-5700 port range is being respected when the server responds with
> "Entering Passive Mode (192,168,1,100,21,188)". I see that the IIS IP
> address of 192.168.1.100 is represented there, and that the command port
> is 21, but I don't see how "188" is supposed to represent a data port
> within the range of 5555-5700.
>
> The 2nd problem is that I can't seem to tell IIS5 FTP Service to say
> "67,115,67,162" instead of "192,168,1,100". If I set it to 67.115.67.162
> using the IIS Manager then FTP doesn't work in active mode anymore, and
> still doesn't work in passive mode either. The router has that public WAN
> address, is why.
>
> Because I can't tell (or don't know how to tell) the FTP Service to say
> "67,115,67,162", the client gets confused as the below listing shows and
> issues an ARP broadcast looking for the machine "192,168,1,100". Of
> course, since it's on a different LAN, there is never any response and the
> passive data transfer errors on timeout. Same thing happens for any
> internet based client. If the IIS FTP Service could be configured to say
> "67,115,67,162" even though it really is "192,168,1,100" then the Linksys
> router would forward the packets just fine and everything would work. My
> Linksys BEFSR41 is a version 2 and so it can not be upgraded to version 3,
> but it is at the highest firmware level available from Linksys for version
> 2. So, no joy there.
>
> I was thinking to split the 192.168.x.x range into 2 equal parts, one part
> used by each router, and to hub the LAN sides of each router together so
> they can both respond to an ARP broadcast on the resultant "super LAN"
> configuration. I think that would solve the passive FTP problem from the
> perspective of both LANs, but that still would not make passive FTP work
> for the general internet (who would still be wanting to do ARP
> broadcasts looking for 192.168.1.100).
>
> So, I'm stuck and I don't seem to be able to offer passive FTP over
> internet if I wish to maintain the security that the current arrangement
> of routers provides. Unless there's some way to make the IIS5 FTP Service
> spoof "67.115.67.162" (the Linksys static public IP address) instead of it
> saying "192.168.1.100" (the actual static LAN IP address of IIS). Can this
> be done?
>
> If not, then I guess the only practical solution remaining is to use yet
> another box to run a "transparent IP-less" firewall called "IP Filter"
> (which comes with FreeBSD) so that IIS can have a public WAN rather than a
> private LAN address, and toss the Linksys router. How ironic. I'd really
> rather not have to do that! But I have to keep the firewall load off of
> the IIS box, so I'll do it if I have to. Do I really have to do that?
>
> Winguy
>
> ====================== LISTING FOLLOWS
>
> Source Destination Proto Info
> 192.168.1.252 67.115.67.162 TCP 2540 > ftp [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 67.115.67.162 192.168.1.252 TCP ftp > 2540 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
> 192.168.1.252 67.115.67.162 TCP 2540 > ftp [ACK] Seq=1 Ack=1 Win=65535 Len=0
> 67.115.67.162 192.168.1.252 FTP Response: 220 svr1 Microsoft FTP Service (Version 5.0)
> 192.168.1.252 67.115.67.162 FTP Request: USER anonymous
> 67.115.67.162 192.168.1.252 FTP Response: 331 Anonymous access allowed, send identity (e-mail name) as password
> 192.168.1.252 67.115.67.162 FTP Request: PASS IEUser@
> 67.115.67.162 192.168.1.252 FTP Response: 230-Private Site. Unauthorized access prohibited.
> 192.168.1.252 67.115.67.162 TCP 2540 > ftp [ACK] Seq=31 Ack=172 Win=65364 Len=0
> 67.115.67.162 192.168.1.252 FTP Response: 230-
> 192.168.1.252 67.115.67.162 FTP Request: opts utf8 on
> 67.115.67.162 192.168.1.252 FTP Response: 500 'OPTS utf8 on': command not understood
> 192.168.1.252 67.115.67.162 FTP Request: syst
> 67.115.67.162 192.168.1.252 FTP Response: 215 Windows_NT version 5.0
> 192.168.1.252 67.115.67.162 FTP Request: site help
> 67.115.67.162 192.168.1.252 FTP Response: 214-The following SITE commands are recognized(* ==>'s unimplemented)
> 192.168.1.252 67.115.67.162 FTP Request: PWD
> 67.115.67.162 192.168.1.252 FTP Response: 257 "/Anonymous" is current directory
> 192.168.1.252 67.115.67.162 FTP Request: noop
> 67.115.67.162 192.168.1.252 FTP Response: 200 NOOP command successful
> 192.168.1.252 67.115.67.162 FTP Request: CWD /Anonymous/
> 67.115.67.162 192.168.1.252 FTP Response: 250 CWD command successful
> 192.168.1.252 67.115.67.162 FTP Request: TYPE A
> 67.115.67.162 192.168.1.252 FTP Response: 200 Type set to A.
> 192.168.1.252 67.115.67.162 FTP Request: PASV
> 67.115.67.162 192.168.1.252 FTP Response: 227 Entering Passive Mode (192,168,1,100,21,188)
> 192.168.1.252 Broadcast ARP Who has 192.168.1.100? Tell 192.168.1.252 <=== PROBLEM !!!
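The port arithmetic Bernard gives (p1 * 256 + p2) and the NAT symptom in the capture above can both be checked mechanically from the 227 reply. This is an added example, not code from the thread or from IIS; the reply string, the peer address and the 5555-5700 range are taken from the posts, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample built from the thread: the server's 227 reply, the public
# address the client actually dialled, and the range forwarded on the router.
SAMPLE_227 = "227 Entering Passive Mode (192,168,1,100,21,188)"
CONTROL_PEER = "67.115.67.162"
PASV_RANGE = (5555, 5700)

_PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised in an RFC 959 227 reply.

    The six fields are h1,h2,h3,h4,p1,p2: the first four form the IPv4
    address and the data port is p1 * 256 + p2, so "21,188" is not
    "port 21" but 21 * 256 + 188 = 5564.
    """
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer, port_range=PASV_RANGE):
    """Diagnose the two problems raised in the thread.

    Returns (host, port, findings). A finding is recorded when the data
    port falls outside the forwarded range, or when the server advertises
    an RFC 1918 address that differs from the public address the client
    connected to; the latter is what makes the client ARP for
    192.168.1.100 instead of connecting back through the router.
    """
    host, port = parse_pasv(reply)
    findings = []
    lo, hi = port_range
    if not lo <= port <= hi:
        findings.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    if ip_address(host).is_private and host != control_peer:
        findings.append("advertised private address %s differs from control peer %s"
                        % (host, control_peer))
    return host, port, findings


if __name__ == "__main__":
    print(check_pasv(SAMPLE_227, CONTROL_PEER))
```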