Solved

FTP connection problems

Posted on 2004-09-15
Last Modified: 2013-12-04
Hello Everybody,

I am running Windows 2003 Server with IIS 6.0 installed. I recently enabled TCP/IP filtering on the server and have kept open only the commonly used ports like 20, 21, 80, etc. Now the problem that I am facing is that whenever somebody tries to connect to the FTP using the Passive mode, the user does not get the directory or file listing. When the user switches to PORT mode, then he is able to connect. Is there any way to allow passive mode without disturbing the existing settings?

Awaiting an early reply.

Thanks

Regards

Hiren Shah
Question by:HirenhShah

Expert Comment

by:LimeSMJ
ID: 12072681
Your problem may lie in your TCP/IP filtering.  

Assuming you are using the default FTP port of 21...  When the client tries to initiate a PASV command, the server may assign a data transmission port (random) that your TCP filter is blocking.... therefore the client will make the control channel connection (on port 21) but then not receive anything on the data channel since your filtering is blocking the server from transmitting.  This would explain why when your client uses the PORT command (instead of PASV), it works - since the control channel (port 21) and the data channel (port 20) are not being blocked by the filter.

The TCP/IP filtering security you have implemented is a double-edged sword for PASV FTP.  You may be able to assign a static port for PASV transfers in IIS but that would be the same as running the client in PORT mode... static control and data channels.  In addition, by default IIS 6 uses ports 1024-5000 for PASV port assignment so by opening those ports up in TCP/IP filtering it will work - but then having all those ports open kinda defeats the purpose of TCP/IP filtering anyways.

If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx

Author Comment

by:HirenhShah
ID: 12081610
Hello,

Well, I have understood that unless I keep the port range 1024-5000 open for outside connections, nobody can connect to the FTP in PASV mode. However, I am not very keen to keep these ports open. Can you suggest what the best way is, i.e., should I keep the ports open or closed?

Thanks

Regards

Hiren Shah

Accepted Solution

by: LimeSMJ (earned 800 total points)
ID: 12083437
Well with TCP/IP filtering (instead of using a firewall), I wouldn't leave all those ports available for external connections.  But if you really need your users to have PASV FTP, you can limit IIS to use only a certain amount of ports for PASV connections.

...If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx ...

Like I showed in my previous post... you can open up as few or as many ports for IIS as you like - in my example, you can open up ports 1024-1030 in TCP/IP filtering and then restrict IIS to use only those ports (follow the link posted and read the instructions on how to restrict IIS ports).  This way only 6 people can use PASV at a time but you won't have to leave 4000 ports open to the outside.
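An added example, not part of the original thread or either poster's code: a Python check that decodes the data port a server advertises in its 227 reply to PASV and tests it against the inbound ports the filter permits, which shows why listings fail until the passive range and the filter agree. The sample replies, the 192.0.2.10 address and the comma/range permit-list format are constructed for illustration.

```python
import re

# Constructed 227 replies in the form a server sends after PASV:
# (h1,h2,h3,h4,p1,p2), where the data port is p1*256 + p2.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,4,0)",
    "227 Entering Passive Mode (192,0,2,10,4,3)",
    "227 Entering Passive Mode (192,0,2,10,12,34)",
]

_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply."""
    match = _PASV_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expand_ports(spec):
    """Expand a hypothetical permit list such as '20,21,80,1024-1030' to a set."""
    ports = set()
    for item in spec.split(","):
        low, _, high = item.strip().partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def audit_pasv(replies, permit_spec):
    """Return [(port, reachable)] for each advertised PASV data port."""
    permitted = expand_ports(permit_spec)
    return [(port, port in permitted)
            for _, port in map(parse_pasv_reply, replies)]


if __name__ == "__main__":
    # Filter with only the well-known ports, then with the narrowed PASV range.
    for spec in ("20,21,80", "20,21,80,1024-1030"):
        print(spec, audit_pasv(SAMPLE_REPLIES, spec))
```

Any port reported as unreachable means the server is still handing out data ports outside the permitted set, so the IIS passive range has not been restricted to match the filter.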
Question has a verified solution.
