Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1781
  • Last Modified:

Problems with Passive mode on PROFTP behind firewall

I have a problem where I cannot connect to a proftp server in passive mode behind a firewall, the /var/messages file reports SECURITY VIOLATION: Passive connection from x.x.x.x rejected when the server tries to initiate passive mode.

Non passive mode connections are fine, but I have some customers who need passive mode.

I have set the passive ports directive in proftpd.conf, and ensured that the relevant ports are open on the firewall, but still can't get the server to do anything useful in passive mode. It eventually times out, saying that no transfer has taken place.

Please help.
0
dredmann
Asked:
dredmann
  • 3
  • 2
1 Solution
 
rcm9445Commented:
Try using tcp/ip wrappers to send the packets thru port 80 instead of port 23.
0
 
chris_calabreseCommented:
What kind of firewall do you have?  If it is a non-transparent application proxy such as Raptor, it may be chaning the aparent IP address of some of the packets.  This may be causing the security violation the software is complaining about.
0
 
dredmannAuthor Commented:
The firewall is by borderware.
The actual message reported is:

1.1.1.1 (gateway-ext.central.smartways.com[2.2.2.2]) - SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected.


I've replaced the ip addresses for security reasons:
1.1.1.1 The host ftp server
2.2.2.2 IP of external side of clients firewall
3.3.3.3 IP of Internal side of our firewall

The ftp connection is being initiated inside the client's firewall.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
chris_calabreseCommented:
This is exactly the type of thing I was talking about.  The firewall intercepts the data traffic, making the ftp server see its IP address as the originating address for the packets.

The only way to solve this problem is to fix your firewall (or perhaps configure proftpd not to be concerned with this, but it's probably a problem for your clients too).
0
 
dredmannAuthor Commented:
Chris, how would you suggest that I go about making Proftp not care about the addresses getting changed?
0
 
chris_calabreseCommented:
Never used proftp, so I can't tell you.  However this firewall behavior is likely to cause problems for your clients too, so the real answer is fixing the firewall.  I'd contact the firewall vendor to see if they have a solution to this problem.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now