
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 792

FTP Active, w/Firewall

I am running a CuteFTP server behind a SonicWall firewall.  All of my clients can connect to my FTP server and send files, except one.  I am not sure if the others are using passive or active, but I know that this one can only use active (because that is all their DOS and UNIX clients support).  At any rate, they can log in, but basically nothing else, not even LS.  They were able to use our third-party FTP server, which was hosted on a public IP, but this one, like I said, is behind our SonicWall, which we have opened up for FTP.  I can connect to this server fine from home from behind my Netgear cable router/firewall with active FTP.
I can replicate this problem by FTPing to my server via its public address from my LAN (the server is in the DMZ).  Am I missing something?  Shouldn't active work?
Asked by: jagoodie
1 Solution
 
Robing66066Commented:
Did you open port 20 on both sides?  Being able to log into an FTP server but not do anything is a classic symptom of missing port 20.
 
Robing66066Commented:
(That would include on her equipment as well)
 
_tackCommented:
As far as I know, passive FTP was created as a workaround for some firewalls.

FTP active:
- the control connection is built from the client (the client connects to the FTP server)
- the data connection is built from the server (the FTP server connects to the client).
Do you allow building connections from your DMZ zone to the outside world? Does the client side have a firewall?
Check with other non-firewalled FTP servers.

FTP passive:
- the control connection is built from the client
- the data connection is built from the client
Normally you need a stateful inspection firewall that allows incoming connections on
particular ports as connections are established.
 
ShineOnCommented:
Active FTP needs both port 20 and 21.  One for control, the other for data.
 
ShineOnCommented:
One classic issue for having an FTP server behind a firewall is the NAT issue.  With active FTP, interaction to establish a link includes the IP address of the server.  If your FTP server is NATted, then the active client will become confused as to where the data should be sent.
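Added example (not code from the thread or from either product): the address parsing behind _tack's active/passive description and ShineOn's NAT remark. Both the active-mode PORT command and the passive-mode 227 reply embed an IP address in the control channel, so a NATed endpoint announces its private address; the check below is what a firewall or FTP server can apply to spot that (and the mismatched-address case RFC 2577 says to refuse). All sample lines and addresses are constructed.

```python
import ipaddress
import re

# Constructed control-channel lines (not from the thread). Both carry an
# address and port in the RFC 959 h1,h2,h3,h4,p1,p2 form: the active-mode
# client says "connect back to me here", the passive-mode server says
# "connect to me here".  A NATed endpoint announces its private address.
SAMPLE_PORT = "PORT 192,168,1,50,4,1"
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,5,195,80)"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]   # port = p1*256 + p2


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def data_endpoint_problem(line, peer_ip):
    """Explain why the data connection announced in `line` cannot reach the
    host that actually sent it from `peer_ip`; return None if it looks fine."""
    parsed = parse_hostport(line)
    if parsed is None:
        return "no valid address in control line"
    ip, port = parsed
    if ip != peer_ip and is_rfc1918(ip):
        return f"private {ip} announced by peer {peer_ip}: NAT without FTP address rewriting"
    if ip != peer_ip:
        return f"announced {ip} is not the peer {peer_ip}: refuse per RFC 2577"
    if port < 1024:
        return f"data port {port} is privileged: refuse"
    return None


if __name__ == "__main__":
    # The thread's situation: a NATed host announcing its LAN address.
    print(data_endpoint_problem(SAMPLE_PORT, "192.0.2.10"))
```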
 
jagoodieAuthor Commented:
Yes, this server is NATed.  The server has a section for entering the public IP for passive transfers, but not active... shouldn't it?
Is the only way to do this to put the server on the public IP address?  That just isn't acceptable... we have SSNs in the files being uploaded.
 
ShineOnCommented:
Can you put an FTP proxy on your firewall?  FTP Proxy will likely work where NAT will fail, and is much more secure anyway.
 
jagoodieAuthor Commented:
I wish... no, SonicWall doesn't have that feature.  We wouldn't have to use NAT, but our ISP gave us non-consecutive IPs, so we have a suboptimal configuration.
 
jagoodieAuthor Commented:
The problem was that our ISP had given us non-consecutive IP addresses, and the NAT on the SonicWall didn't want to use the same gateway for a different network.  Complex... but we had them change our addresses to be consecutive, and all is well now.
Thanks for your help.