Solved

FTP Active, w/Firewall

Posted on 2003-11-18
10
783 Views
Last Modified: 2013-11-29
I am running a CuteFTP server behind a SonicWall Firewall.  All of my clents can connect to my FTP server and send files, except one.  I am not sure if the others are using passive or active, but I know that this one can only use active (because that is all their DOS and UNIX clients support).  Any rate, they can log in, but basically nothing else, not even LS.  They were able to use our third party ftp server, which was hosted on a public IP, but this one, like I said, is behind our SonicWall, which we have opened up for FTP.  I can connect to this server fine from home from behind my Netgear Cable-Router/Firewall with active ftp.  
I can replicate this problem by ftping to my server via the public address to it from my LAN (the server is in the DMZ).  Am I missing something?  shouldn't active work?
0
Comment
Question by:jagoodie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +1
10 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771401
Did you open port 20 on both sides?  Being able to log into an FTP server but not do anything is a classic symptom of missing port 20.
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771405
(That would include on her equipment as well)
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9771406
(That would include on her equipment as well)
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 3

Expert Comment

by:_tack
ID: 9771466
As far as I know, the passive FTP has been created as workaround to some firewall.

FTP active:
- control connection is build from client  (client connects to FTP server)
- data connection is build from server (FTP Server connects to client).
Do you allow building connections from your DMZ zone to outside world ?, does the client side have a firewall ?
check with other non firewalled ftp servers.

FTP passive:
- control connection is build from client
- data connection is build from client
Normally you need a stateful inspection firewall, that allows incoming connections on
particular ports as connections are established.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771906
Active FTP needs both port 20 and 21.  One for control, the other for data.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771930
One classic issue for having an FTP server behind a firewall is the NAT issue.  With active FTP, interaction to establish a link includes the IP address of the server.  If your FTP server is NATted, then the active client will become confused as to where the data should be sent.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 9781532
Yes, this server is NATed.  The server has a section for entering in the public IP for Passive transfers, but not Active... shouldnt it?  
Is the only way to do this to put the server on the public IP address?  That just isn't acceptable... we have SSN's in our files being uploaded..
0
 
LVL 35

Accepted Solution

by:
ShineOn earned 500 total points
ID: 9782686
Can you put an FTP proxy on your firewall?  FTP Proxy will likely work where NAT will fail, and is much more secure anyway.
0
 
LVL 2

Author Comment

by:jagoodie
ID: 9788513
i wish.. no sonicwall doesn't have that feature.  we wouldnt have to use nat, but our isp gave us non consecutive IPs, so we have a suboptimal configuration
0
 
LVL 2

Author Comment

by:jagoodie
ID: 10859436
The problem was because our ISP had given us non-consecutive IP addresses, and the NAT on the sonicwall didn't want to use the same gateway for a different network.  Compex.. but we had them change our addresses to be consecutive, and all is well now.
Thanks for your help.
0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question