Solved

FTP Active, w/Firewall

Posted on 2003-11-18
773 Views
Last Modified: 2013-11-29
I am running a CuteFTP server behind a SonicWall Firewall.  All of my clients can connect to my FTP server and send files, except one.  I am not sure if the others are using passive or active, but I know that this one can only use active (because that is all their DOS and UNIX clients support).  At any rate, they can log in, but basically nothing else, not even LS.  They were able to use our third party ftp server, which was hosted on a public IP, but this one, like I said, is behind our SonicWall, which we have opened up for FTP.  I can connect to this server fine from home from behind my Netgear Cable-Router/Firewall with active ftp.
I can replicate this problem by ftping to my server via the public address to it from my LAN (the server is in the DMZ).  Am I missing something?  Shouldn't active work?
Question by:jagoodie
10 Comments

Expert Comment by:Robing66066 (LVL 7), ID: 9771401
Did you open port 20 on both sides?  Being able to log into an FTP server but not do anything is a classic symptom of missing port 20.

Expert Comment by:Robing66066 (LVL 7), ID: 9771405
(That would include on her equipment as well)

Expert Comment by:Robing66066 (LVL 7), ID: 9771406
(That would include on her equipment as well)

Expert Comment by:_tack (LVL 3), ID: 9771466
As far as I know, passive FTP was created as a workaround for some firewalls.

FTP active:
- control connection is built from the client (client connects to FTP server)
- data connection is built from the server (FTP server connects to client).
Do you allow building connections from your DMZ zone to the outside world? Does the client side have a firewall?
Check with other non-firewalled FTP servers.

FTP passive:
- control connection is built from the client
- data connection is built from the client
Normally you need a stateful inspection firewall that allows incoming connections on
particular ports as connections are established.

Expert Comment by:ShineOn (LVL 35), ID: 9771906
Active FTP needs both port 20 and 21.  One for control, the other for data.

Expert Comment by:ShineOn (LVL 35), ID: 9771930
One classic issue for having an FTP server behind a firewall is the NAT issue.  With active FTP, interaction to establish a link includes the IP address of the server.  If your FTP server is NATted, then the active client will become confused as to where the data should be sent.
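The two expert comments above turn on one detail: both active and passive FTP carry an IP address and port inside the control channel (the client's PORT command, the server's 227 reply), and NAT rewrites only the packet headers, not that embedded address. The following added example, which is not code from this thread or from CuteFTP or SonicWall, parses those control-channel lines the way a stateful firewall or FTP ALG has to, and flags the mismatch between the advertised address and the address actually seen on the wire; all sample lines and addresses are constructed.

```python
import re
from ipaddress import ip_address

# RFC 959 encodes an IPv4 address and port as six decimal fields: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """Turn the six FTP numbers into ('a.b.c.d', port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse: build the h1,h2,h3,h4,p1,p2 string a client puts in PORT."""
    octets = ",".join(str(int(o)) for o in ip.split("."))
    return f"{octets},{port // 256},{port % 256}"

def check_line(line, peer_ip):
    """Classify one control-channel line as seen by the firewall.

    Returns (mode, advertised_ip, port, mismatch): mode is 'active' for a client
    PORT command, 'passive' for a server 227 reply, None for anything else.
    mismatch is True when the address embedded in FTP differs from the address
    the firewall sees for that peer, i.e. the NAT problem described above: the
    other side will try to open its data connection to an unreachable address.
    """
    m = PORT_RE.match(line)
    mode = "active" if m else None
    if m is None:
        m = PASV_RE.match(line)
        mode = "passive" if m else None
    if m is None:
        return None, None, None, False
    ip, port = decode_hostport(m.groups())
    return mode, ip, port, ip_address(ip) != ip_address(peer_ip)

# Constructed session. The active client at 203.0.113.7 advertises the same
# address the firewall sees, so its data connection can be set up. The NATed
# server at 10.1.1.5 answers PASV with its private address while the wire shows
# 198.51.100.2, which is why FTP servers need a "public IP for passive" setting.
SAMPLE = [
    ("PORT 203,0,113,7,4,1", "203.0.113.7"),
    ("227 Entering Passive Mode (10,1,1,5,195,80)", "198.51.100.2"),
    ("USER anonymous", "203.0.113.7"),
]

def audit(session=SAMPLE):
    """Run check_line over every (line, observed peer address) pair."""
    return [check_line(line, peer) for line, peer in session]
```

The same check, applied to the packet headers instead of the FTP text, is what an FTP-aware firewall uses to decide whether it must rewrite the embedded address or open a pinhole for the data connection.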

Author Comment by:jagoodie (LVL 2), ID: 9781532
Yes, this server is NATed.  The server has a section for entering in the public IP for Passive transfers, but not Active... shouldn't it?
Is the only way to do this to put the server on the public IP address?  That just isn't acceptable... we have SSNs in our files being uploaded..

Accepted Solution by:ShineOn (LVL 35, earned 500 total points), ID: 9782686
Can you put an FTP proxy on your firewall?  FTP Proxy will likely work where NAT will fail, and is much more secure anyway.

Author Comment by:jagoodie (LVL 2), ID: 9788513
I wish... no, SonicWall doesn't have that feature.  We wouldn't have to use NAT, but our ISP gave us non-consecutive IPs, so we have a suboptimal configuration.

Author Comment by:jagoodie (LVL 2), ID: 10859436
The problem was because our ISP had given us non-consecutive IP addresses, and the NAT on the SonicWall didn't want to use the same gateway for a different network.  Complex... but we had them change our addresses to be consecutive, and all is well now.
Thanks for your help.