Solved

FTP & Firewall problem. Can connect but no data transfer

Posted on 2006-06-23
Last Modified: 2013-11-16
Ok,
This one is kicking my ass. Here is the background.


FTP->Windows XP -> XP FireWall ->Linksys BEFSR41-> INTERNET -> Linux Box

I can connect to the linux box but an ls will hang.  Port 21 is for control data and Port 20 is for data. I realize this is a classic firewall issue.

Here is what I tried:

#1. Try passive mode(PASV) -  Same problem.

#2. Remap port 20 & 21 on the Linksys to the Windows XP IP address  - Same problem

#3. Turn off XP firewall in  conjunction with #2. - Same problem.


Bringing down the firewall on the Linksys or putting the machine as A DMZ is not an option, too much risk.

Question :

1) Am I missing any steps? Did I not remap the port correctly?

2) Any way to debug this further?

I could have screwed up with #2.

--thanks

0
Comment
Question by:squat_rack
11 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 300 total points
ID: 16971765
Well maybe. When using Active ftp ("port 20") the connection is "backwards".  That is the client listens on port 20 and the server initiates the connection to the client.  Here are the basic flows:

Control Session:
Server                         Client
21    <-- TCP      --       ">1023"
21      -- TCP/ACK-->    ">1023"

Data Session "Active"
Server                              Client
">1023"      -- TCP       -->   20
">1023"    <-- TCP/ACK--     20


Data Session "Passive"
Server                           Client
">1023"    <-- TCP     --      ">1023"
">1023"    -- TCP/ACK-->     ">1023"


Now, are you running IPTABLES on the Linux box?  Do you have it setup to allow it to be an FTP server?
0
 

Author Comment

by:squat_rack
ID: 16972037
I am running IPTABLES and it is an ftp server.   I should have pointed out, couldn't figure out how to update, that I have been able to successfully ftp from a different Windows XP machine with a different provider onto the Linux box.  I also for kicks turned off the firewall on the Linux box and could not get the current XP machine to ftp.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 300 total points
ID: 16972299
O.K.  to make sure I get this straight, with the new information:


   XP#1 <---> Linksys BEFSR41 <-----> Internet <----> Linux
                                                           /\
                                                           |
                                                           |
                                                           \/
                                                        XP#2


You are attempting to ftp using XP#1 as the client and Linux as the server and this will not work at all.
Using XP#2 as the ftp client and Linux as the server works.

How is the Linux box connected to the Internet?

You should not have to do anything with port 21 mapping back to the Windows box.  Port mapping generally is only for inbound traffic that is initiated externally (does that make sense?).  That is, you would need to map port 21 to the Windows box if you were trying to use it as a ftp server.

You may or may not have to map port 20.  As I stated before, when using active ftp, the client (your XP box in this case) actually listens on port 20 and so this would be inbound traffic that is initiated externally.

For passive ftp you should not need to do anything, as you are initiating the traffic outbound.

0
 

Author Comment

by:squat_rack
ID: 16972362
Your diagram is correct. except there is a Windows firewall on the XP#1 box.

XP#1->Windows Firewall <--> Linksys BEFSR41

From XP #1 I CAN connect but can't send or receive data.  The Linux box is off a DSL router. The DMZ is disabled on the DSL router and I'm using IPTABLES to protect the Linux box.

Thanks for clearing up the port mapping.  

So what you are saying is that basically it should work without any fiddling with the Linksys if I use passive FTP?

If I can connect but can't send data, it tells me that the Linux box is not able to get through the firewall, right? Is there a way I can debug from the Windows box? Is there an open source debug tool?

--thanks

0
 
LVL 57

Expert Comment

by:giltjr
ID: 16972554
If using passive, then you should not have to change anything on your side.   The linux side (meaning the Linux system itself and any firewalls in front of it) is what has to be setup properly for this.

Wireshark is a free packet sniffer (http://www.wireshark.org).  It is sort of new, but not really.  Wireshark is the new name of Ethereal (http://www.ethereal.com).  

For windows, go ahead and get Wireshark. For the Linux side if you normally use rpm's to install/manage software then I would suggest getting Ethereal for the Linux box.  If you are used to tar files and doing configure/make/make installs. then you can go ahead and get Wireshark for the Linux box.

Debugging from the Windows box only will be a bit tough.  For passive transfer all you will be able to tell is if you sent the SYN out to initiate the data connection on the correct port.  You have to assume that it went all the way out to the Linux box.

Is there any firewall on the DSL modem?  Normally there is not, but I have seen some (targeted toward SMBs) that do.

0
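The two answers above come down to one question: for a given transfer, which side opens the data connection, to which address and port, and therefore which firewall or NAT has to let it in. Both the PORT command (active) and the 227 reply (passive) carry that endpoint as six decimal bytes, h1,h2,h3,h4,p1,p2, with the port equal to p1*256+p2, so the lines you read out of a Wireshark "Follow TCP Stream" of the control connection can be decoded directly. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it decodes those tuples, reports who initiates and what must be allowed inbound, and flags the common NAT symptom where the advertised address is not the address seen on the control connection (typically an RFC 1918 address that a router in the path did not rewrite). All addresses in it are constructed documentation addresses.

```python
"""Decode FTP PORT commands and 227 replies and say which side must allow the
data connection.  Added example; every address and line below is constructed."""
import ipaddress
import re

# RFC 959 encodes an endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed control-channel lines, as read from a capture of port 21.
PORT_CMD = "PORT 192,168,1,23,4,1"                           # client behind NAT
PASV_OK = "227 Entering Passive Mode (203,0,113,10,195,80)."  # public address
PASV_BAD = "227 Entering Passive Mode (192,168,0,5,195,80)."  # private leaked

# Constructed public addresses as seen on the control connection.
CLIENT_PUBLIC = "198.51.100.7"
SERVER_PUBLIC = "203.0.113.10"


def decode_hostport(line):
    """Return (ip, port) from a 'PORT ...' command or a '227 ...' reply."""
    m = _TUPLE.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose(line, client_ip, server_ip):
    """Work out who opens the data connection and what must be allowed inbound.

    client_ip / server_ip are the peer addresses of the control connection as
    seen where the capture was taken (the public addresses, on the Internet
    side of any NAT)."""
    ip, port = decode_hostport(line)
    if line.upper().startswith("PORT"):
        # Active mode: the client names the endpoint; the server connects to
        # it from its own port 20 (RFC 959), so the client side must accept
        # an externally initiated connection.
        mode, initiator, peer = "active", "server", client_ip
        src, what = (server_ip, 20), "PORT command"
        inbound = "client side must accept TCP to %s:%d from %s:20" % (ip, port, server_ip)
    elif line.startswith("227"):
        # Passive mode: the server names the endpoint; the client connects to
        # it from an ephemeral port, so only the server side must accept an
        # externally initiated connection.
        mode, initiator, peer = "passive", "client", server_ip
        src, what = (client_ip, "ephemeral"), "227 reply"
        inbound = "server side must accept TCP to %s:%d" % (ip, port)
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)

    warnings = []
    if ip != peer:
        # The endpoint advertised in-band does not match the address the
        # other side actually talks to: a NAT in the path is not rewriting it.
        kind = "private" if ipaddress.ip_address(ip).is_private else "different"
        warnings.append("%s advertises %s address %s but the control-connection "
                        "peer is %s; the data SYN will go to the wrong host"
                        % (what, kind, ip, peer))
    return {"mode": mode, "initiator": initiator, "src": src,
            "dst": (ip, port), "must_allow_inbound": inbound,
            "warnings": warnings}


if __name__ == "__main__":
    for line in (PORT_CMD, PASV_OK, PASV_BAD):
        r = diagnose(line, CLIENT_PUBLIC, SERVER_PUBLIC)
        print(line)
        print("  %s: %s connects %s -> %s" % (r["mode"], r["initiator"], r["src"], r["dst"]))
        print("  " + r["must_allow_inbound"])
        for w in r["warnings"]:
            print("  WARNING: " + w)
```

Run against a real capture, paste the PORT or 227 line together with the two control-connection addresses; an empty warning list plus a data SYN toward the reported destination in the capture narrows the hang to the firewall in front of the initiator's target, which in the passive case is the server side, as the answer above says.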
 

Author Comment

by:squat_rack
ID: 16972635
I'll try your suggestions and let you know. There was a firewall on the DSL however it has been disabled.

0
 
LVL 9

Expert Comment

by:jabiii
ID: 16985284
great ftp explained site.
http://slacksite.com/other/ftp.html
0
 

Author Comment

by:squat_rack
ID: 17163399
Ok an update. This took me a while but what I have done is narrowed the problem to be with the ISP. Basically I removed the Linksys router from the equation. I connected my notebook (Windows XP) directly to the ISP. Got a dynamic IP via DHCP. I was still not able to ftp data.

The ISP had previously told me they weren't blocking ports. I may still have a problem with the Linksys, however I KNOW there is a problem with the ISP. I have sent them an email. Let's see..
Thank you for all your assistance.

Hm
0
 

Author Comment

by:squat_rack
ID: 17163403
I have awarded the points as the answers were good and reinforced my shaky understanding.

--thanks
0
 
LVL 9

Expert Comment

by:jabiii
ID: 17167409
Hope you read the link I posted. It will help further your understanding.
0
