FTP connection problems

Hello Everybody,
                          I am running windows 2003 server with IIS 6.0 installed. I recently enabled TCP/IP filtering on the server and have kept open only the commonly used ports like 20,21,80, etc. Now the problem that I am facing is that whenever somebody tries to connect to the FTP using the Passive mode, then the user does not get the directory or file listing. When the user switches to PORT mode, then he is able to connect. Is there any way to allow passive mode without disturbing the existing settings.

Awaiting an early reply.

Thanks

Regards

Hiren Shah
HirenhShahAsked:
Who is Participating?
 
LimeSMJConnect With a Mentor Commented:
Well with TCP/IP filtering (instead of using a firewall), I wouldn't leave all those ports available for external connections.  But if you really need your users to have PASV FTP, you can limit IIS to use only a certain amount of ports for PASV connections.

...If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and setup IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx ...

Like I showed in my previous post... you can open up as little or more ports up for IIS - in my example, you can open up ports 1024-1030 in TCP/IP filtering and then restrict IIS to use only those ports (follow the link posted and read the instructions on how to restrict IIS ports).  This way only 6 people can use PASV at a time but you won't have to leave 4000 ports open to the outside.
0
 
LimeSMJCommented:
Your problem may lie in your TCP/IP filtering.  

Assuming you are using the default FTP port of 21...  When the client tries to initiate a PASV command, the server may assign a data transmission port (random) that your TCP filter is blocking.... therefore the client will make the control channel connection (on port 21) but then not receive anything on the data channel since your filtering is blocking the server from transmitting.  This would explain why when your client uses the PORT command (instead of PASV), it works - since the control channel (port 21) and the data channel (port 20) are not being blocked by the filter.

The TCP/IP filtering security you have implemented is a double-edged sword for PASV FTP.  You may be able to assign a static port for PASV transfers in IIS but that would be that same as running the client in PORT mode... static control and data channels.  In addition, by default IIS 6 uses ports 1024-5000 for PASV port assignment so by opening those ports up in TCP/IP filtering it will work - but then having all those ports open kinda defeats the purpose of TCP/IP filtering anyways.

If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and setup IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx
0
 
HirenhShahAuthor Commented:
Hello,
           Well I have understood that unless I keep the port range 1024-5000 open for outside connections, nobody can connect to the FTP in PASV mode. However I am not very keen to keep these ports open. Can you suggest me what is the best way, i.e., should I keep the ports open or closed ?

Thanks

Regards

Hiren Shah
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.