FTP + Firewall

Hi,

I have a small network at home with a Netgear MR814 router. It is set to forward port 21 to my desktop. On this desktop, I've set up an FTP server (Serv-U) and I can access it from the desktop and from my laptop (which is on the LAN too).

But I have problems accessing it via my dyndns.org account... even with my public ip address I can't...

I use ZoneAlarm Pro v4 and I've set it up in Trusted and Internet Zones to "Allow incoming TCP ports: 21" but no luck... in the logs I can't see me trying to access port 21... so maybe it's the router?

I've tried to set my desktop as a DMZ, but no luck and I don't want to leave it that way for security reasons...

Even set up the port to 22 but not working...

What's weird is that ShieldsUp (https://grc.com/x/ne.dll?bh0bkyd2) is seeing my computer at port 21 or 22!!!!

Anyone has an idea??

tanx guys
 
Accessing from what?

If you use Internet Explorer in "web view" mode, PASV is forced - that means the client makes 2 outgoing connects, one on port 21, and one on an arbitrary port.

Try folder view mode, or a real FTP program (apologies if you're already down that route)
 
LTR12101B said:
Accessing from what?

If you use Internet Explorer in "web view" mode, PASV is forced - that means the client makes 2 outgoing connects, one on port 21, and one on an arbitrary port.

Try folder view mode, or a real FTP program (apologies if you're already down that route)
I'm using Bullet Proof FTP v2.42 (http://www.bpftp.com)

here's what bpftp is telling me:
Code:
Connecting to < public ip address > port 21
Connection refused
Delaying for 10 seconds before reconnect...
Aborting...
I forwarded the port necessary to passive.

But the log is telling me that it's not a passive problem...

tanx for the fast response
 
Enable port 21 both ways... although it's safer to use a nonstandard port for FTP (larger than 30,000 suggested, just try to avoid the ones which are well known to be used by standard worm variations) most scanners in the net check ports 80, 8080 and 21 first of all.
You could also pass here the ZA log to see if some packets are blocked during your intended FTP transaction.
And just curious: why do you use Zone Alarm, which is an average soft firewall, and not its NAT firewall which is tailor-made for it?
Check also your IP client log and see if your dyndns account gets updated regularly- some IP clients have issues with certain routers, while others are router specific. You can find quite a lot at dyndns.org site.
 
sergio said:
Did you try to connect with IE using an external proxy?
IE won't work either. :)
I don't have a proxy on my router. Just NAT (I think)

scarecrow said:
You could also pass here the ZA log to see if some packets are blocked during your intended FTP transaction.
The log isn't quite explaining... I just don't see anything "port 21" in ZAP log window... Maybe someone has a good log viewer for ZAP?

scarecrow said:
And just curious: why do you use Zone Alarm, which is an average soft firewall, and not its NAT firewall which is tailor-made for it?
What do you suggest? :)

scarecrow said:
Check also your IP client log and see if your dyndns account gets updated regularly- some IP clients have issues with certain routers, while others are router specific. You can find quite a lot at dyndns.org site.
My dyndns is OK. My router is working OK with the dyndns option. I checked @ dyndns.org and the IP was good. I also tried with my public IP.
 
have you tried using flashfxp for an ftp client !?
in the options when setting up a site with site manager hit the options tab and try the following ...

tick bypass proxy server for this connection
and tick site uses IP Masq/NAT/Non-routable IP

see if these help !?

usually if i have probs with any ftp i use the IP Masq which usually does the trick :)

worth a try :)
 
VIPER_1069 said:
have you tried using flashfxp for an ftp client !?
in the options when setting up a site with site manager hit the options tab and try the following ...

tick bypass proxy server for this connection
and tick site uses IP Masq/NAT/Non-routable IP

see if these help !?

usually if i have probs with any ftp i use the IP Masq which usually does the trick :)

worth a try :)
Just tried SmartFTP (http://www.smartftp.com) and same thing... "Cannot connect to host"
 
IE won't work either.
I don't have a proxy on my router. Just NAT (I think)
I mean in IE setup, you can choose :
options > connections > lan parameters
then tick "use a proxy server for your local network"
in the address field you can use 66.119.34.38
in the port field you can use 80

it is a public external server somewhere on the internet providing proxy services
so you can test the access to your ftp server with IE

good luck
 
sergio said:
I mean in IE setup, you can choose :
options > connections > lan parameters
then tick "use a proxy server for your local network"
in the address field you can use 66.119.34.38
in the port field you can use 80

it is a public external server somewhere on the internet providing proxy services
so you can test the access to your ftp server with IE

good luck
OK, thanks for the info :)

I connected to my university's account (telnet server) and opened a ftp session to my dyndns and voila, it was working...

But i still can't access it from here! It's weird... Why can't I send info from 192.168.1.2 (desktop) to 192.168.1.1 (router) to dyndns.org to < my public ip >???
If I go from 192.168.1.2 (desktop) to 192.168.1.1 (router) < university account > to dyndns.org to < my public ip > it is working...

weird...
 
Can you ftp from your .2 desktop to the public WAN IP of your Netgear router?

Can you ftp from your .2 desktop to the ftp server (assume it is the same, .2)?

Are you trying only to ftp to the name of the dyndns account, or have you tried the IP as above yet?

My Linksys has stateful packet inspection (SPI), so it is a true firewall and thinks I am spoofing a non-routable (192.168.X.X) IP and will not let me connect to the FQDN of my ftp server; however, I can connect internally by the 192.168.x.x ip to the 192.168.x.x ftp server IP. This is because there is no attempted spoofing by not going out to do a DNS lookup and get to the external WAN routable IP.
 
ipdave said:
Can you ftp from your .2 desktop to the public WAN IP of your Netgear router?
My router doesn't have ftp...

ipdave said:
Can you ftp from your .2 desktop to the ftp server (assume it is the same, .2)?
I can:
ftp 192.168.1.2 (from 192.168.1.2)
ftp 192.168.1.2 (from 192.168.1.3 (laptop))
ftp 127.0.0.1 (from 192.168.1.2)
I can't
ftp mydyndns.dyndns.org (from anywhere on the LAN)
ftp PublicIpAddress (from anywhere on the LAN)

ipdave said:
My Linksys has stateful packet inspection (SPI), so it is a true firewall and thinks I am spoofing a non-routable (192.168.X.X) IP and will not let me connect to the FQDN of my ftp server; however, I can connect internally by the 192.168.x.x ip to the 192.168.x.x ftp server IP. This is because there is no attempted spoofing by not going out to do a DNS lookup and get to the external WAN routable IP.
Maybe that's the cause... I can't find anything of "SPI" in the router's config, I'm checking right now on their web site. It's a "cheap" (wireless) router (Netgear MR814): I've paid 70 Canadian dollars for it (40 USD) last year. I think I've never been able to connect like this before... I've always used mydnsaccount.dyndns.org when I'm out and 192.168.1.2 when on the LAN... maybe that's the reason...
tanx m8 :)
I'll come back with the info on SPI...
 
You have 2 machines behind a NAT router?
You can FTP local by ip, FTP IN from outside, but not FTP out or out/in?

In NORMAL FTP - you connect out on 21 and the server connects to you on port 20 - and that incoming connect is a problem if NAT routing.

In PASV FTP - You connect out on port 21, and on an arbitrary port - great for passing OUT through NAT routing, but not so great if incoming.

If I've got it the right way round, connecting OUT to a public FTP using PASV should work, as should connecting IN to your server without using PASV.

I'm going crosseyed thinking about it!
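
The active/PASV distinction in the post above comes down to which side advertises an address and port for the data connection, and what address a NATed host puts there. As an added example (not part of the thread), this Python code decodes the `h1,h2,h3,h4,p1,p2` tuple used by both `PORT` and `227` replies and flags a server behind NAT that advertises its LAN address; the function names are made up here, and 203.0.113.10 and 198.51.100.7 are constructed stand-ins for public addresses.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges such as the constructed 203.0.113.10 sample address).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)

def decode_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 replies."""
    m = SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def port_command(host, port):
    """Build the active-mode PORT command a client would send."""
    return "PORT %s,%d,%d" % (host.replace(".", ","), port >> 8, port & 0xFF)

def passive_target(reply, control_peer):
    """Pick the data-connection target from a 227 reply.

    control_peer is the address the control connection was opened to.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    host, port = decode_endpoint(reply)
    if host == control_peer:
        return control_peer, port, "ok"
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        # Server behind NAT advertised its LAN address, which an outside
        # client cannot reach; fall back to the control-connection address.
        return control_peer, port, "nat-private-address"
    # Any other mismatch would send data to a third host; do not follow it.
    return control_peer, port, "address-mismatch"
```

The `nat-private-address` case still needs the advertised passive port forwarded on the router to the FTP server, otherwise the data connection fails even though the control connection on port 21 works.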
 
LTR12101B said:
I'm going crosseyed thinking about it!
hahaha :)

LTR12101B said:
You can FTP local by ip, FTP IN from outside, but not FTP out or out/in?
I cannot, from my desktop @ 192.168.1.2, connect with an ftp client to ****.dyndns.org which should be the same desktop seen from outside (the router forwards port 21 to 192.168.1.2) or connect with the same ftp client to my IP address (which should be the same)
 