FTP & Firewall problem. Can connect but no data transfer

Ok,
This one is kicking my ass. Here is the background.


FTP->Windows XP -> XP FireWall ->Linksys BEFSR41-> INTERNET -> Linux Box

I can connect to the linux box but an ls will hang.  Port 21 is for control data and Port 20 is for data. I realize this is a classic firewall issue.

Here is what I tried:

#1. Try passive mode (PASV) - Same problem.

#2. Remap ports 20 & 21 on the Linksys to the Windows XP IP address - Same problem.

#3. Turn off the XP firewall in conjunction with #2. - Same problem.


Bringing down the firewall on the Linksys or putting the machine in the DMZ is not an option, too much risk.

Question :

1) Am I missing any steps? Did I not remap the port correctly?

2) Any way to debug this further?

I could have screwed up with #2.

--thanks

squat_rackAsked:
2 Solutions
 
giltjrCommented:
Well maybe. When using Active ftp ("port 20") the connection is "backwards".  That is the client listens on port 20 and the server initiates the connection to the client.  Here are the basic flows:

Control Session:
Server                      Client
21       <-- TCP     --     ">1023"
21        -- TCP/ACK -->    ">1023"

Data Session "Active":
Server                      Client
">1023"   -- TCP     -->    20
">1023"  <-- TCP/ACK --     20

Data Session "Passive":
Server                      Client
">1023"  <-- TCP     --     ">1023"
">1023"   -- TCP/ACK -->    ">1023"


Now, are you running IPTABLES on the Linux box?  Do you have it setup to allow it to be an FTP server?
 
squat_rackAuthor Commented:
I am running IPTABLES and it is an ftp server. I should have pointed out (couldn't figure out how to update) that I have been able to successfully ftp from a different Windows XP machine with a different provider onto the Linux box. I also, for kicks, turned off the firewall on the Linux box and could not get the current XP machine to ftp.
 
giltjrCommented:
O.K., to make sure I get this straight, with the new information:


   XP#1 <---> Linksys BEFSR41 <-----> Internet <----> Linux
                                                           /\
                                                           |
                                                           |
                                                           \/
                                                        XP#2


You are attempting to ftp using XP#1 as the client and Linux as the server and this will not work at all.
Using XP#2 as the ftp client and Linux as the server works.

How is the Linux box connected to the Internet?

You should not have to do anything with port 21 mapping back to the Windows box. Port mapping generally is only for inbound traffic that is initiated externally (does that make sense?). That is, you would need to map port 21 to the Windows box if you were trying to use it as an ftp server.

You may or may not have to map port 20. As I stated before, when using active ftp, the client (your XP box in this case) actually listens on port 20 and so this would be inbound traffic that is initiated externally.

For passive ftp you should not need to do anything, as you are initiating the traffic outbound.

 
squat_rackAuthor Commented:
Your diagram is correct, except there is a Windows firewall on the XP#1 box.

XP#1->Windows Firewall <--> Linksys BEFSR41

From XP#1 I CAN connect but can't send or receive data. The Linux box is off a DSL router. The DMZ is disabled on the DSL router and I'm using IPTABLES to protect the Linux box.

Thanks for clearing up the port mapping.  

So you are saying that basically it should work without any fiddling with the Linksys if I use passive FTP?

If I can connect but can't send data, it tells me that the Linux box is not able to get through the firewall, right? Is there a way I can debug from the Windows box? Is there an open source debug tool?

--thanks

 
giltjrCommented:
If using passive, then you should not have to change anything on your side. The Linux side (meaning the Linux system itself and any firewalls in front of it) is what has to be set up properly for this.

Wireshark is a free packet sniffer (http://www.wireshark.org).  It is sort of new, but not really.  Wireshark is the new name of Ethereal (http://www.ethereal.com).  

For Windows, go ahead and get Wireshark. For the Linux side, if you normally use RPMs to install/manage software then I would suggest getting Ethereal for the Linux box. If you are used to tar files and doing configure/make/make install, then you can go ahead and get Wireshark for the Linux box.

Debugging from the Windows box only will be a bit tough. For a passive transfer all you will be able to tell is if you sent the SYN out to initiate the data connection on the correct port. You have to assume that it went all the way out to the Linux box.

Is there any firewall on the DSL modem?  Normally there is not, but I have seen some (targeted toward SMBs) that do.

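As an added illustration (not code from this thread or from any of its posters), the script below ties together the active/passive flows in the earlier reply and the "did the SYN go to the correct port" check above: it parses the PASV reply or PORT command seen on the port-21 control session in a Wireshark capture, works out which side must open the data connection and to which port, and flags an RFC 1918 address in the advertised endpoint, the NAT symptom that produces exactly this "connect but ls hangs" behaviour. The sample control lines and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample control-channel lines (as captured on the port-21 session).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
PORT_CMD = "PORT 192,168,1,100,4,1"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _decode(fields):
    """FTP writes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line):
    """Return (mode, initiator, host, port) for one control line, or None."""
    m = _PASV_RE.match(line.strip())
    if m:  # passive: the client opens the data connection to the server
        return ("passive", "client") + _decode(m.groups())
    m = _PORT_RE.match(line.strip())
    if m:  # active: the server opens the data connection to the client
        return ("active", "server") + _decode(m.groups())
    return None


def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


def firewall_check(line):
    """Say which side's firewall/NAT must accept the inbound data SYN, and flag a
    private address in the advertised endpoint (a NAT that did not rewrite it)."""
    info = data_connection(line)
    if info is None:
        return None
    mode, initiator, host, port = info
    return {
        "mode": mode, "initiator": initiator, "host": host, "port": port,
        "inbound_on": "server-side" if mode == "passive" else "client-side",
        "nat_problem": is_rfc1918(host),
    }


if __name__ == "__main__":
    for line in (PASV_REPLY, PORT_CMD):
        print(line, "->", firewall_check(line))
```

Feed it the 227 reply or PORT command copied from the control session, then look in the same capture for a SYN to that host and port; if none leaves, or the advertised host is private, the data channel was never going to be reachable.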
 
squat_rackAuthor Commented:
I'll try your suggestions and let you know. There was a firewall on the DSL however it has been disabled.

 
jabiiiCommented:
Great FTP explained site.
http://slacksite.com/other/ftp.html
 
squat_rackAuthor Commented:
Ok, an update. This took me a while but what I have done is narrowed the problem down to the ISP. Basically I removed the Linksys router from the equation. I connected my notebook (Windows XP) directly to the ISP. Got a dynamic IP via DHCP. I was still not able to ftp data.

The ISP had previously told me they weren't blocking ports. I may still have a problem with the Linksys, however I KNOW there is a problem with the ISP. I have sent them an email. Let's see..
Thank you for all your assistance.

Hm
 
squat_rackAuthor Commented:
I have awarded the points as the answers were good and reinforced my shaky understanding.

--thanks
 
jabiiiCommented:
Hope you read the link I posted. It will help further your understanding.