FTP Server behind UT (Passive Mode)

Printable View

Show 40 post(s) from this thread on one page

06-09-2010, 03:26 PM
digital-cipher

FTP Server behind UT (Passive Mode)
Hi all

I hope this post helps someone as ive read a few posts here on problems with running FTP servers behind Untangle.

To outline the problem i had, in passive mode ftp clients failed to get directory listings but connected ok

After reading a few posts (and google) i found because i had a default action of block on the firewall, dynamic FTP TCP connections inbound and outbound were being blocked.

To resolve this problem:
- Set my filezilla server passive port range to 50000 51000
- Created a outbound firewall rule to allow TCP 50000-51000 from my ftp server to external
- Created a inbound rule to allow inbound TCP 50000-51000 to my ftp server
- Created a port forward from external IP to ftp server TCP 50000-51000
FTP clients can now get FTP directory listings no problem
06-09-2010, 03:52 PM
boyan.sharic

Quote:

Originally Posted by digital-cipher

To outline the problem i had, in passive mode ftp clients failed to get directory listings but connected ok

I have the same problem
gonna try this and post the result
06-11-2010, 01:42 PM
eolson1001

I HAD a problem when I was trying to utilize IIS FTP. It went away when I tried Filezilla!
06-11-2010, 02:59 PM
jcoffin

I'm using Filezilla and GuildFTP behind UT.

Port forward rules
1. a. destination address <external IP>
b. destination port 21
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

1. a. destination address <external IP>
b. destination port <passive port range>
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>
06-11-2010, 03:01 PM
jcoffin

Passive FTP on IIS gets complicated

How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022
06-11-2010, 04:00 PM
sky-knight

http://forums.untangle.com/tip-day/4...-firewall.html

Use that post for more information about FTP than you could ever want.

UDP is never used in FTP transactions, forwarding it is technically a security problem. That said, if you don't have your server listening on those ports, it won't do a hacker any good. You're just wasting router resources forwarding packets that are unneeded.

To operate a fully functioning FTP server behind any NAT device requires:

1.) a NAT aware FTP service
2.) two port forward rules

NAT aware FTP services allow you to manually configure them with a public address, as well as configure a PASV FTP range. Once the service is configured you're free to forward TCP port 21 (or whatever you assign the control port to be), and the TCP range specified as your PASV range on the server. Once that is done, the FTP server will be live.

Not hard, just detailed.
06-11-2010, 06:17 PM
dbunyard

Ugh....IIS? Really? IIS is a special beast in and of itself. You are much better of with a real FTP server. But as sky-knight mentioned, it shouldn't be all that hard to set up the rules to make FTP work.
06-11-2010, 06:22 PM
sky-knight

IIS is... special.

You see the IIS GUI doesn't allow you to configure the public address, nor the PASV port range. So while it is NAT aware, the GUI doesn't allow you to configure it. I suggest you pick a different FTP service unless you plan on manually hacking up the IIS metabase.
06-14-2010, 02:56 PM
boyan.sharic

Quote:

Originally Posted by jcoffin

I'm using Filezilla and GuildFTP behind UT.

Port forward rules
1. a. destination address <external IP>
b. destination port 21
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

1. a. destination address <external IP>
b. destination port <passive port range>
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

works great, thank you

I guess my problem was not checking (and forwarding) passive port range in filezilla server but went for the defaults
06-21-2010, 01:03 PM
jpgillivan

Passive FTP blocked from external sources

I am having the same problem with passive FTP being blocked from external sources. Internally (direct access) I can access the FTP server fine so I know it is not an FTP server issue. We are running MS IIS as the FTP server and have to have it set as passive on port 21. It use to work but I think the Untangle update a couple months ago broke it and it was not needed/reported until now.

I have tried turning off all the rack components - no good.
I have tried various port forwarding combinations - no good.
I have even restricted IIS to use a specific passive port range and forwarded that to the server - no good.
Tried disabling FTP processing - no good.
Tried disabling the windows firewall - no good.
Tried jcoffin's suggested setting - no good.

There is nothing else between our untangle box and the T1 router. Something has to be going on inside of Untangle that is not allowing the traffic.

Anyone else have any better ideas?

Show 40 post(s) from this thread on one page