  1. #1
    Untanglit
    Join Date: May 2009
    Posts: 16

    FTP Server behind UT (Passive Mode)

    Hi all

    I hope this post helps someone, as I've read a few posts here on problems with running FTP servers behind Untangle.

    To outline the problem I had: in passive mode, FTP clients failed to get directory listings but connected OK.

    After reading a few posts (and Google) I found that because I had a default action of block on the firewall, dynamic FTP TCP connections inbound and outbound were being blocked.

    To resolve this problem:
    • Set my FileZilla server passive port range to 50000-51000
    • Created an outbound firewall rule to allow TCP 50000-51000 from my FTP server to external
    • Created an inbound rule to allow inbound TCP 50000-51000 to my FTP server
    • Created a port forward from external IP to FTP server TCP 50000-51000


    FTP clients can now get FTP directory listings no problem

  2. #2
    Master Untangler boyan.sharic
    Join Date: May 2009
    Location: Banja Luka, Bosnia and Herzegovina
    Posts: 109

    Originally posted by digital-cipher:
    "To outline the problem i had, in passive mode ftp clients failed to get directory listings but connected ok"

    I have the same problem.
    Gonna try this and post the result.

  3. #3
    Untangler
    Join Date: Apr 2009
    Posts: 88

    I HAD a problem when I was trying to utilize IIS FTP. It went away when I tried Filezilla!

  4. #4
    Untangler jcoffin
    Join Date: Aug 2008
    Location: Lake Tahoe
    Posts: 9,809

    I'm using Filezilla and GuildFTP behind UT.

    Port forward rules
    1. a. destination address <external IP>
       b. destination port 21
       c. destined Local
       d. protocol TCP & UDP checked
       e. New destination <internal IP of ftp server>

    2. a. destination address <external IP>
       b. destination port <passive port range>
       c. destined Local
       d. protocol TCP & UDP checked
       e. New destination <internal IP of ftp server>

  5. #5
    Untangler jcoffin
    Join Date: Aug 2008
    Location: Lake Tahoe
    Posts: 9,809

    Passive FTP on IIS gets complicated

    How To Configure PassivePortRange In IIS
    http://support.microsoft.com/?id=555022

  6. #6
    Untangle Ninja sky-knight
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 26,396

    http://forums.untangle.com/tip-day/4...-firewall.html

    Use that post for more information about FTP than you could ever want.

    UDP is never used in FTP transactions; forwarding it is technically a security problem. That said, if you don't have your server listening on those ports, it won't do a hacker any good. You're just wasting router resources forwarding packets that are unneeded.

    To operate a fully functioning FTP server behind any NAT device requires:

    1.) a NAT aware FTP service
    2.) two port forward rules

    NAT aware FTP services allow you to manually configure them with a public address, as well as configure a PASV FTP range. Once the service is configured you're free to forward TCP port 21 (or whatever you assign the control port to be), and the TCP range specified as your PASV range on the server. Once that is done, the FTP server will be live.

    Not hard, just detailed.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja dbunyard
    Join Date: Nov 2008
    Location: Westerville, Ohio, USA
    Posts: 1,059

    Ugh....IIS? Really? IIS is a special beast in and of itself. You are much better off with a real FTP server. But as sky-knight mentioned, it shouldn't be all that hard to set up the rules to make FTP work.
    Dan

    You may one day find something interesting here. Today is not that day. Tomorrow isn't looking too good either.

  8. #8
    Untangle Ninja sky-knight
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 26,396

    IIS is... special.

    You see the IIS GUI doesn't allow you to configure the public address, nor the PASV port range. So while it is NAT aware, the GUI doesn't allow you to configure it. I suggest you pick a different FTP service unless you plan on manually hacking up the IIS metabase.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Master Untangler boyan.sharic
    Join Date: May 2009
    Location: Banja Luka, Bosnia and Herzegovina
    Posts: 109

    Originally posted by jcoffin:
    I'm using Filezilla and GuildFTP behind UT.

    Port forward rules
    1. a. destination address <external IP>
       b. destination port 21
       c. destined Local
       d. protocol TCP & UDP checked
       e. New destination <internal IP of ftp server>

    2. a. destination address <external IP>
       b. destination port <passive port range>
       c. destined Local
       d. protocol TCP & UDP checked
       e. New destination <internal IP of ftp server>

    Works great, thank you.

    I guess my problem was not checking (and forwarding) the passive port range in FileZilla Server but going with the defaults.

  10. #10
    Untangler
    Join Date: Sep 2009
    Posts: 53

    Passive FTP blocked from external sources

    I am having the same problem with passive FTP being blocked from external sources. Internally (direct access) I can access the FTP server fine, so I know it is not an FTP server issue. We are running MS IIS as the FTP server and have to have it set as passive on port 21. It used to work, but I think the Untangle update a couple of months ago broke it and it was not needed/reported until now.

    I have tried turning off all the rack components - no good.
    I have tried various port forwarding combinations - no good.
    I have even restricted IIS to use a specific passive port range and forwarded that to the server - no good.
    Tried disabling FTP processing - no good.
    Tried disabling the windows firewall - no good.
    Tried jcoffin's suggested setting - no good.

    There is nothing else between our Untangle box and the T1 router. Something has to be going on inside of Untangle that is not allowing the traffic.

    Anyone else have any better ideas?
