FTP error - Firewall or something else

I have one client who uses a Windows 2003 member server. Titan FTP Server is installed on port 521 and is configured to allow passive mode.
The firewall is a Symantec Security Gateway 360. I have created inbound security rules to allow FTP traffic on port 521.
When I try to FTP from outside with FileZilla as the client, I end up only with the error "Transfer channel can't be opened", and in DOS mode I am given error 425.

I tried to FTP on the member server itself - it works and I am able to see the directory listing.
I tried from an internal machine - it works and I am able to see the directory listing.
I tried from an internal machine with the public IP address and port - this works too. This means that the SGS 360 allows the traffic.

Only when I try from an external computer with the public IP address on port 521 does it give this error. Do I have to open some other ports on my SGS? Or where is it going wrong?

Thanks for your replies in anticipation.
Asked by: shaju_devassy
1 Solution
 
Keith AlabasterCommented:
Normal FTP traffic uses ports 21 and 20. Have a look in the Symantec log file and you should see the transfer port being blocked, and the number Titan is using for it.
0
 
shaju_devassyAuthor Commented:
Public external PC - 81.98.23.56
IP address where the Titan server is running - 83.262.35.16

The SGS inbound rule allows TCP 520-521 traffic.

It seems that the SGS 360 is allowing the FTP traffic from 81.98.23.56. I see blocked IP addresses on port 520?
 
Action                     Source                  Destination             Protocol
Blocked by Inbound Rules   82.151.41.156:520       82.151.41.255:520       UDP
Blocked by Inbound Rules   82.151.38.114:520       82.151.38.255:520       UDP
Blocked by Inbound Rules   82.151.43.209:520       82.151.43.255:520       UDP
Blocked by Inbound Rules   82.151.33.64:520        82.151.33.255:520       UDP
Allowed by Inbound Rules   81.98.23.56:33620       83.262.35.16:521        TCP
Blocked by Inbound Rules   82.151.33.211:520       82.151.33.255:520       UDP
Blocked by Inbound Rules   82.151.44.221:520       82.151.44.255:520       UDP
Blocked by Inbound Rules   82.151.40.221:520       82.151.40.255:520       UDP
Blocked by Inbound Rules   82.151.40.226:520       82.151.40.255:520       UDP
Blocked by Inbound Rules   82.151.43.92:520        82.151.43.255:520       UDP
Blocked by Inbound Rules   82.151.37.86:520        82.151.37.255:520       UDP
Blocked by Inbound Rules   82.151.38.224:520       82.151.38.255:520       UDP
Allowed by Inbound Rules   81.98.23.56:33620       83.262.35.16:521        TCP
Blocked by Inbound Rules   82.151.36.54:520        82.151.36.255:520       UDP
Allowed by Inbound Rules   81.98.23.56:34976       83.262.35.16:521        TCP
Blocked by Inbound Rules   82.151.39.254:520       82.151.39.255:520       UDP
Blocked by Inbound Rules   82.151.36.12:520        82.151.36.255:520       UDP
0
 
Cyclops3590Commented:
Agreed. Also, try an active mode connection (unless of course your FTP server won't allow that mode). When you connect via passive mode you will first connect over 521 (normally 21/tcp) to establish the session; however, the client has to establish another port connection (usually a high port in the 65000s) to do the actual data transfer. This is where your firewall is blocking that traffic. I'm not sure how your network is set up, but just because an internal machine can reference the public IP of the server wouldn't automatically make me believe the Symantec firewall is working properly.

Follow Keith's suggestion of looking at the logs. I'd bet money that you'll find some packets with high destination port numbers to the FTP server from the source IP you're trying to establish the FTP session from.
0
 
shaju_devassyAuthor Commented:
Ports 20 and 21 are also allowed by an inbound FTP rule in the SGS which connects to IIS.
0
 
Cyclops3590Commented:
520/udp looks like it's the destination port for a broadcast.

You say that your FTP server is using passive mode. Did you set up a range of IPs for the server to use for the passive connections? You'll need to pass those through the firewall as well.
0
 
shaju_devassyAuthor Commented:
Thanks for the replies.
An active mode connection does not work either.
I did set up IP address 520-521 TCP to be used.
I have set up access to all IPs by default; I did not set up a specific range.

Should I allow UDP 520 to be passed?
0
 
Cyclops3590Commented:
I wouldn't allow 520/udp unless you're positive it should be allowed. However, in the logs you can see it's going to a broadcast IP, so it's most likely not data you want to allow. Also, FTP should always be using the TCP protocol.

Can you do some Ethereal packet captures on the external host? At least, what I do when I have firewall problems is look at packet captures and see where packets are showing up when expected and then where they aren't showing up when expected. It will help narrow down where the problem is and also which port is being blocked. I'd also enable it on the FTP server if possible so you know that the server is receiving the requests and responding to them as well.
0
 
Keith AlabasterCommented:
You stated above you created a rule for 520-521 TCP; however, it looks like you need 521 TCP and 520 UDP.
0
 
Cyclops3590Commented:
I'm still not convinced that 520/udp should be allowed here. Look at this page:

http://www.auditmypc.com/port/udp-port-520.asp

Also, FTP should always be over TCP connections; TFTP is UDP.
0
 
shaju_devassyAuthor Commented:
As a test I installed a Win2003 virtual server at home and installed Titan FTP Server on port 521. This time I am sitting behind a Draytek Vigor 2200 router. Port 521 TCP, 520 UDP and 21 TCP are kept open. I am getting exactly the same symptoms. I can FTP on the server itself, and also from an internal machine.

This is the FileZilla error when I try from an external machine.

Status:      Connecting to shaju.gotdns.com:521 ...
Status:      Connected with shaju.gotdns.com:521. Waiting for welcome message...
Response:      220 Titan FTP Server 5.12.337 Ready.
Command:      USER shaju
Response:      331 User name okay, need password.
Command:      PASS ******
Response:      230-Welcome shaju from 82.92.26.4. You are now logged in to the server.
Response:      230 User logged in, proceed.
Command:      FEAT
Response:      211-Extensions Supported
Response:       COMB
Response:       MLST type*;size*;modify*;create*;perm*;
Response:       SIZE
Response:       MDTM
Response:       XCRC
Response:       REST STREAM
Response:       EPRT
Response:       EPSV
Response:       DQTA
Response:      211 End
Command:      SYST
Response:      215 UNIX Type: L8
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      PASV
Response:      227 Entering Passive Mode (192,168,124,20,8,252).
Command:      TYPE A
Response:      200 Type set to A.
Command:      LIST
Response:      150 File status okay; about to open data connection.
Error:      Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or the established connection failed because the connected host has failed to respond.
Error:      Could not retrieve directory listing
Command:      TYPE A
Response:      200 Type set to A.
0
 
Cyclops3590Commented:
Well, for one thing your FTP server is giving out your internal IP, so that would definitely affect any chance of external users connecting to it via passive mode.
0
 
shaju_devassyAuthor Commented:
Sorry, I didn't understand. Yes, it's giving out the internal IP address,
so that would definitely affect any chance of external users connecting to it via passive mode?
0
 
shaju_devassyAuthor Commented:
Cyclops3590, may I have your email address?
I have made a capture with Ethereal; I will send it across. Could you please have a look at it?

Thanks
0
 
Cyclops3590Commented:
Not sure you need to do a capture for this yet. Can you reconfigure the FTP server to masquerade its address as the external IP instead of sending its internal IP? At my company my server sends its internal IP, but since we use a Cisco firewall, it does FTP inspection and changes that info when going to the outside.

Basically, what I'm trying to get at is: even if we can make the FTP server send its external IP address, will that screw up internal hosts connecting to it?

This is the way passive mode FTP works:
client:XX/tcp --> server:21/tcp    --- create control session and request passive mode
server:21/tcp --> client:XX/tcp    --- server says OK, connect on (gives its IP and port); server then opens that port and listens on it
client:XX/tcp --> server:YY/tcp    --- create data path to the IP:port combo the server gave to the client

Since the IP and port information is in a packet that the server sends to the client, you either need packet inspection like the Cisco firewall my company has to change the IP that is in the packet, or you need to make the FTP server send a different IP than the one that is bound to its interface. I would like to try this first just to see if we can get external FTP working even if it breaks internal FTP. This way we can remove the firewall as a potential problem at the very least.
Do you know how to do this?
0
 
shaju_devassyAuthor Commented:
1. This is from the external machine after
-------------------------------------
Status:      Connecting to shaju.gotdns.com:521 ...
Status:      Connected with shaju.gotdns.com:521. Waiting for welcome message...
Response:      220 Titan FTP Server 5.12.337 Ready.
Command:      USER shaju
Response:      331 User name okay, need password.
Command:      PASS ******
Response:      230-Welcome shaju from 82.92.26.4. You are now logged in to the server.
Response:      230 User logged in, proceed.
Command:      FEAT
Response:      211-Extensions Supported
Response:       COMB
Response:       MLST type*;size*;modify*;create*;perm*;
Response:       SIZE
Response:       MDTM
Response:       XCRC
Response:       REST STREAM
Response:       EPRT
Response:       EPSV
Response:       DQTA
Response:      211 End
Command:      SYST
Response:      215 UNIX Type: L8
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      PASV
Response:      227 Entering Passive Mode (82,151,37,209,11,19).
Command:      TYPE A
Response:      200 Type set to A.
Command:      LIST
Response:      150 File status okay; about to open data connection.
Error:      Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or the established connection failed because the connected host has failed to respond.
Error:      Could not retrieve directory listing
Command:      PWD
Response:      257 "/" is current directory.

2. From an internal machine I tried from the DOS prompt -
ftp
open ftp.shaju.gotdns.com 521

I can log in fine and see the directory listing.

3. From an internal machine I tried with FileZilla in passive mode.

I got the same transfer error as in 1.
0
 
shaju_devassyAuthor Commented:
Maybe I am missing some configuration in Titan FTP Server, because after the client communicates with the FTP server on port 521, it must later communicate on a different port for the data transfer, as you said.

client:XX/tcp --> server:YY/tcp   --- create data path to the IP:port combo the server gave to the client

I think this is working, or else the internal client also couldn't have made it through.

Maybe you can install a trial version of Titan FTP Server in your environment and analyse for me what the problem could be.

Thanks very much in anticipation.
0
 
Cyclops3590Commented:
Try active mode from outside. If I remember right, the DOS FTP client tries active first. That should work (knock on wood).
0
 
shaju_devassyAuthor Commented:
Knocking on wood didn't help. DOS mode hangs after:
150 File status okay; about to open data connection.
0
 
Cyclops3590Commented:
From outside, you mean?
0
 
Cyclops3590Commented:
Is there anything in the firewall logs to help out?
0
 
shaju_devassyAuthor Commented:
Yes, I tried from outside.

I am now at a different location; I will give you more details about the firewall logs when I am back home in 4 hours.

If you give me your mail address, I will make the necessary changes so that you can log on using RDP and look at the settings on the router and the FTP server. Maybe then you'll have a better view of what's going wrong.

Thanks.
0
 
Cyclops3590Commented:
Okay, my address is ee (at) satoamerica (dot) com.

However, please either make a temporary account that you plan to delete after I'm done, or change your password to something else temporarily. Not that I'd abuse your trust, but it's just good security sense to do that. You know, when it comes to system security, trust no one.

The only things I'm really interested in are trying to FTP in to ensure I get the same results, and doing packet sniffing to ensure I know exactly what is going wrong, and then checking that against the firewall logs and packet sniffing on the FTP server.
0
 
shaju_devassyAuthor Commented:
OK, thanks. You will receive an email from me after 4 hours.
0
 
Cyclops3590Commented:
Keep in mind that's 1pm for me, so I might not get to it until later in the day.
0
 
shaju_devassyAuthor Commented:
Have sent mail.
0
 
Cyclops3590Commented:
Have it... work is slow so I'm looking at it now. I might need to have an FTP account though. Will let you know if it comes to that.
0
 
shaju_devassyAuthor Commented:
I see you have made one tempuser. Yes, indeed it's slow because it's a virtual server running on my machine with 512 MB RAM.
0
 
Cyclops3590Commented:
Yeah, sorry I didn't wait for your reply to say it was okay; I'm trying to run Ethereal right now. Quick question: when you tried an active mode connection before, was that host behind a firewall? Because I'm guessing that's why that would have failed.
0
 
shaju_devassyAuthor Commented:
Yes, I tried from my office network, which also has a similar Draytek with similar settings as the firewall.
0
 
Cyclops3590Commented:
Yeah, I think that's what caused active to fail. When looking at the NAT active sessions on your firewall while I was trying to connect in active mode, I could see that your FTP server was trying to connect to me; however, my side never received any packets, so I'm guessing my firewall blocked that.

However, when I tried to connect passively I saw mine trying to connect to you, but there was no entry in the NAT active sessions stating that your firewall was letting that traffic go back through.

I know I saw an option to force your FTP server to choose a range of IPs to draw ports from for PASV mode. Make that range >65000.

Then try to have your firewall redirect those ports to your internal server.

Also, change your passwords. I have removed the tempuser account I had created.
0
 
shaju_devassyAuthor Commented:
1. I gave access to all IP addresses as default.
2. Gave a port range in the FTP server.
3. Opened ports 1024 to 65000 as you said.

Hooray, it works, you are very good.

Thanks very much for your great help.
0
 
Cyclops3590Commented:
Actually, you should do 65000 to 65535.

Those ports are virtually never used, and thus forwarding them won't have side effects.
0
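The passive-mode exchange Cyclops3590 lays out above (control session, 227 reply carrying IP and port, data connection to that pair) and the two things that went wrong in this thread, the server advertising 192.168.124.20 in one 227 reply and the data port (11*256+19 = 2835 in the other) falling outside the 520-521 rule, reduced to a small parser and check. This is an added example, not code from the thread, from Titan FTP Server or from FileZilla. The two 227 replies are the ones quoted in the thread; the 229 (EPSV) reply, the control-peer address 82.151.37.209, the two port ranges and all function names are assumptions made up for illustration. The second range is the 65000-65535 suggested at the end of the thread.

```python
import ipaddress
import re
from typing import NamedTuple, Set, Tuple

# Constructed inputs. The two 227 replies are quoted in the thread; the 229
# reply, the control-peer address and the two port ranges are assumed values
# standing in for the poster's setup.
PASV_INTERNAL = "227 Entering Passive Mode (192,168,124,20,8,252)."
PASV_PUBLIC = "227 Entering Passive Mode (82,151,37,209,11,19)."
EPSV_SAMPLE = "229 Entering Extended Passive Mode (|||65010|)"   # made up
CONTROL_PEER = "82.151.37.209"           # public address the client dialled
RULE_BEFORE = (520, 521)                 # TCP range opened at the start
RULE_AFTER = (65000, 65535)              # range suggested at the end


class DataEndpoint(NamedTuple):
    host: str
    port: int


_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply: str, control_peer: str) -> DataEndpoint:
    """Return the host:port the client must dial for the data connection.

    RFC 959 PASV encodes the port as p1*256 + p2 behind four address octets;
    RFC 2428 EPSV carries only a port, and the data connection goes to the
    same address as the control connection.
    """
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if p1 > 255 or p2 > 255:
            raise ValueError(f"bad port bytes in {reply!r}")
        # IPv4Address() rejects octets above 255 that the regex let through.
        host = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
        return DataEndpoint(host, p1 * 256 + p2)
    m = _EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port in {reply!r}")
        return DataEndpoint(control_peer, port)
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def _unroutable(advertised: str, control_peer: str) -> bool:
    """True when the server handed a private (RFC 1918 etc.) address to a
    client that reached it over a public one: the 192.168.x.x case above."""
    return (ipaddress.ip_address(advertised).is_private
            and ipaddress.ip_address(control_peer).is_global)


def diagnose(reply: str, control_peer: str,
             forwarded: Tuple[int, int]) -> Set[str]:
    """Explain why the data connection for a passive reply would fail.

    Empty set means nothing looks wrong. Otherwise any of:
      'unroutable-address'  advertised address is not reachable from outside;
      'port-not-forwarded'  data port lies outside the range the firewall
                            forwards (520-521 only covered the control port).
    """
    ep = parse_passive_reply(reply, control_peer)
    problems = set()
    if _unroutable(ep.host, control_peer):
        problems.add("unroutable-address")
    lo, hi = forwarded
    if not lo <= ep.port <= hi:
        problems.add("port-not-forwarded")
    return problems


def choose_data_address(reply: str, control_peer: str) -> DataEndpoint:
    """What a NAT-aware client does: ignore a private advertised address and
    dial the control-connection peer instead. That still fails unless the
    firewall forwards the data port, which is why the port range matters."""
    ep = parse_passive_reply(reply, control_peer)
    if _unroutable(ep.host, control_peer):
        return DataEndpoint(control_peer, ep.port)
    return ep


if __name__ == "__main__":
    cases = ((PASV_INTERNAL, RULE_BEFORE), (PASV_PUBLIC, RULE_BEFORE),
             (EPSV_SAMPLE, RULE_AFTER))
    for reply, rule in cases:
        ep = parse_passive_reply(reply, CONTROL_PEER)
        verdict = sorted(diagnose(reply, CONTROL_PEER, rule)) or "ok"
        print(f"{reply:50} -> {ep.host}:{ep.port}  {verdict}")
```

Run stand-alone it prints one line per reply: the first reply fails on both counts, the second only because port 2835 is outside 520-521, and the EPSV reply passes once the 65000-65535 range is forwarded. The `choose_data_address` fallback is the same behaviour FileZilla applies when a server sends an unroutable address; it does not help when the advertised port itself is not forwarded, which is why fixing the server's passive range and the firewall rule together was what resolved the thread.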
 
shaju_devassyAuthor Commented:
OK, thanks.
0
