FTP Server behind UT (Passive Mode)

**digital-cipher** · 06-09-2010, 03:26 PM

Hi all

I hope this post helps someone as ive read a few posts here on problems with running FTP servers behind Untangle.

To outline the problem i had, in passive mode ftp clients failed to get directory listings but connected ok

After reading a few posts (and google) i found because i had a default action of block on the firewall, dynamic FTP TCP connections inbound and outbound were being blocked.

To resolve this problem:

Set my filezilla server passive port range to 50000 51000
Created a outbound firewall rule to allow TCP 50000-51000 from my ftp server to external
Created a inbound rule to allow inbound TCP 50000-51000 to my ftp server
Created a port forward from external IP to ftp server TCP 50000-51000

FTP clients can now get FTP directory listings no problem

**boyan.sharic** · 06-09-2010, 03:52 PM

Originally Posted by digital-cipher

To outline the problem i had, in passive mode ftp clients failed to get directory listings but connected ok

I have the same problem
gonna try this and post the result

**eolson1001** · 06-11-2010, 01:42 PM

I HAD a problem when I was trying to utilize IIS FTP. It went away when I tried Filezilla!

**jcoffin** · 06-11-2010, 02:59 PM

I'm using Filezilla and GuildFTP behind UT.

Port forward rules
1. a. destination address <external IP>
b. destination port 21
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

1. a. destination address <external IP>
b. destination port <passive port range>
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

**jcoffin** · 06-11-2010, 03:01 PM

Passive FTP on IIS gets complicated

How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022

**sky-knight** · 06-11-2010, 04:00 PM

http://forums.untangle.com/tip-day/4...-firewall.html

Use that post for more information about FTP than you could ever want.

UDP is never used in FTP transactions, forwarding it is technically a security problem. That said, if you don't have your server listening on those ports, it won't do a hacker any good. You're just wasting router resources forwarding packets that are unneeded.

To operate a fully functioning FTP server behind any NAT device requires:

1.) a NAT aware FTP service
2.) two port forward rules

NAT aware FTP services allow you to manually configure them with a public address, as well as configure a PASV FTP range. Once the service is configured you're free to forward TCP port 21 (or whatever you assign the control port to be), and the TCP range specified as your PASV range on the server. Once that is done, the FTP server will be live.

Not hard, just detailed.

**dbunyard** · 06-11-2010, 06:17 PM

Ugh....IIS? Really? IIS is a special beast in and of itself. You are much better of with a real FTP server. But as sky-knight mentioned, it shouldn't be all that hard to set up the rules to make FTP work.

**sky-knight** · 06-11-2010, 06:22 PM

IIS is... special.

You see the IIS GUI doesn't allow you to configure the public address, nor the PASV port range. So while it is NAT aware, the GUI doesn't allow you to configure it. I suggest you pick a different FTP service unless you plan on manually hacking up the IIS metabase.

**boyan.sharic** · 06-14-2010, 02:56 PM

Originally Posted by jcoffin

I'm using Filezilla and GuildFTP behind UT.

Port forward rules
1. a. destination address <external IP>
b. destination port 21
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

1. a. destination address <external IP>
b. destination port <passive port range>
c. destined Local
d. protocol TCP & UDP checked
e. New destination <internal IP of ftp server>

works great, thank you

I guess my problem was not checking (and forwarding) passive port range in filezilla server but went for the defaults

**jpgillivan** · 06-21-2010, 01:03 PM

I am having the same problem with passive FTP being blocked from external sources. Internally (direct access) I can access the FTP server fine so I know it is not an FTP server issue. We are running MS IIS as the FTP server and have to have it set as passive on port 21. It use to work but I think the Untangle update a couple months ago broke it and it was not needed/reported until now.

I have tried turning off all the rack components - no good.
I have tried various port forwarding combinations - no good.
I have even restricted IIS to use a specific passive port range and forwarded that to the server - no good.
Tried disabling FTP processing - no good.
Tried disabling the windows firewall - no good.
Tried jcoffin's suggested setting - no good.

There is nothing else between our untangle box and the T1 router. Something has to be going on inside of Untangle that is not allowing the traffic.

Anyone else have any better ideas?

Thread: FTP Server behind UT (Passive Mode)

LinkBack

Thread Tools

FTP Server behind UT (Passive Mode)

Passive FTP blocked from external sources

Tags for this Thread

Posting Permissions