FTP server behind Net Firewall


Viewing 5 posts - 1 through 5 (of 5 total)
#4921
Didier
Participant

Hi all,

I am evaluating Net Firewall. I have installed it on a Windows 2000 Server SP4.
I have configured it to work with TCS, Web, POP3, SMTP, DNS and FTP.
I have also installed Net Firewall on my workstation, which runs Windows 2000 Pro, and I have configured it for the same protocols.
All works fine except FTP.
I am using Bullet Pro FTP server 2.1.5 and LeechFTP.
On my server the rules are:
FTP Server 5 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 21 Any WAN
FTP Server 2 6 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 20 Any WAN
On my workstation the rules are:
FTP Server 5 ENABLED TCP Any Any Any 21 Any WAN
FTP Server 2 6 ENABLED TCP Any Any Any 20 Any WAN

Authentication is OK but the dir list returns nothing.
In the logs of the 2 machines I can see traffic allowed for port 21; on the server I can see traffic on port 20 allowed, but nothing about port 20 on my workstation (blocked or allowed).

Do you have any idea about that?

Thanks for your help

#5730
Vadim Smirnov
Keymaster

I’m not sure, but I think the problem is that LeechFTP uses passive FTP mode (both connections are established by the client).

In this case:

1) the client sends the PASV command to the server.
2) the server starts listening on a newly allocated port and responds with the PORT command carrying its number.
3) the client connects to this port => the data channel is established.

I would recommend you try some other FTP clients to check this issue, for example the ftp.exe integrated into Windows. If I remember correctly, Explorer and IE also use passive mode by default, but ftp.exe does not.
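The passive-mode exchange described in the reply above, as an added example that is not part of the thread and not Net Firewall's own code. It parses the RFC 959 host/port tuple that the server sends in its `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (or that the client sends in an active-mode `PORT` command), works out which side has to accept the data connection and on which port, and checks that port against a simplified stand-in for the poster's rule table. The addresses, the reply strings and the passive port range are constructed for the example; `AllowRule`, `negotiate_data_channel` and `diagnose` are names chosen here. It shows why a server-side rule set that only allows ports 20 and 21 passes the login but not the directory listing, and why the workstation log never mentions port 20 in passive mode: the server's port 20 is only used for active-mode transfers.

```python
"""Added example (not from the forum thread): how an FTP data channel is
negotiated and why static port-20/21 rules do not cover passive mode.

Assumptions (constructed for this example): the 227 reply and PORT command
strings are made up, the rule model is a simplified stand-in for the
firewall's rule table, and the addresses come from the 192.0.2.0/24
documentation range.
"""
import re
from dataclasses import dataclass

# RFC 959 host/port tuple: h1,h2,h3,h4,p1,p2 -> IPv4 address and port p1*256+p2
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text: str) -> tuple[str, int]:
    """Extract (address, port) from a PASV reply or a PORT command."""
    m = _TUPLE_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return host, port


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "passive" or "active"
    host: str        # endpoint that will accept the data connection
    port: int        # port it listens on
    listener: str    # "server" or "client": which side must allow inbound


def negotiate_data_channel(ftp_line: str) -> DataChannel:
    """Classify one control-channel line that sets up the data channel.

    Passive mode: the server replies '227 Entering Passive Mode (h,h,h,h,p,p)'
    and the client connects to that (ephemeral) server port.
    Active mode: the client sends 'PORT h,h,h,h,p,p' and the server connects
    from its port 20 to that client port.
    """
    line = ftp_line.strip()
    if line.startswith("227"):
        host, port = parse_host_port(line)
        return DataChannel("passive", host, port, "server")
    if line.upper().startswith("PORT "):
        host, port = parse_host_port(line)
        return DataChannel("active", host, port, "client")
    raise ValueError(f"not a PASV reply or PORT command: {ftp_line!r}")


@dataclass(frozen=True)
class AllowRule:
    name: str
    low_port: int
    high_port: int   # inclusive


def inbound_allowed(rules: list[AllowRule], port: int) -> bool:
    """True if some allow rule covers inbound TCP to this local port."""
    return any(r.low_port <= port <= r.high_port for r in rules)


# The original poster's server rules, reduced to the local TCP ports they allow
POSTER_SERVER_RULES = [
    AllowRule("FTP Server", 21, 21),
    AllowRule("FTP Server 2", 20, 20),
]


def diagnose(ftp_line: str, rules: list[AllowRule]) -> str:
    """Explain whether the negotiated data channel would get through."""
    ch = negotiate_data_channel(ftp_line)
    if ch.listener == "server":
        ok = inbound_allowed(rules, ch.port)
        verdict = "allowed" if ok else "BLOCKED: no rule covers this port"
        return f"{ch.mode}: client -> {ch.host}:{ch.port} on server side, {verdict}"
    return (f"{ch.mode}: server port 20 -> {ch.host}:{ch.port}; "
            "the CLIENT firewall must allow this inbound connection")


if __name__ == "__main__":
    # constructed: the server picked ephemeral port 195*256+89 = 50009
    pasv_reply = "227 Entering Passive Mode (192,0,2,10,195,89)"
    print(diagnose(pasv_reply, POSTER_SERVER_RULES))
    # the usual fix: allow the server's configured passive port range next to 21
    with_range = POSTER_SERVER_RULES + [AllowRule("FTP passive data", 50000, 50100)]
    print(diagnose(pasv_reply, with_range))
    # constructed active-mode PORT command from a client at 192.0.2.20
    print(diagnose("PORT 192,0,2,20,4,1", POSTER_SERVER_RULES))
```

The practical consequence for a server behind a packet filter is that passive mode needs an inbound allow rule for whatever port range the FTP server is configured to hand out in its 227 replies (in addition to port 21), while active mode needs nothing extra on the server side but an inbound rule on the client side, which is why firewalls that only understand "port 20 and 21" break one mode or the other.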

#5731
Didier
Participant

Well, I have tried ftp.exe with the same result.
Connection and authentication OK, “dir” does not work.
The same FTP server product is installed on our production server, which is behind a hardware firewall, and connection from my workstation with LeechFTP works fine.
My development FTP server has the same configuration as the production server.

All my rules are on the “WAN Network Interface”.

Is there something wrong?

Thanks

#5732
Didier
Participant

I would like to explain the configuration.

We have a Windows 2000 server which is used as a router between the building WAN and our LAN.
There are 2 network cards in the server.
Our LAN is used by 3 Macintosh workstations and 2 printers.

So in the NeT Firewall Management Console under “Network Interfaces” there are the 2 network cards + “WAN Network Interface”.
LAN card parameter: Low level
WAN card parameter: Third level
WAN Network Interface: High security

All rules are for any interface.
When the WAN card parameter is set to High security there is no access to (for example) the Web. It is as if the rules cannot be applied.

Thanks for your help,

Didier

#5733
Vadim Smirnov
Keymaster

When you set the High Security level, packets are passed only if a corresponding allow rule exists. So it is no wonder that your packets were blocked.

If your server works as an Internet gateway, using the 3rd Stealth Level for the external card would be enough: by default all outgoing connections are allowed, but all incoming packets are blocked unless they belong to one of the locally established connections. However, this mode is strict enough that some complex protocols which use multiple streams may have problems with it. If you use any of them, you’d better use Stealth Level 2 or even Stealth Level 1.

High Security level is the best mode for a stand-alone server which provides certain services, like HTTP, FTP, e-mail, etc.
