Asked by Fveng

Errors trying to connect to ftp server through Watchguard X700 firewall

I'm trying to set up an FTP server to upload a few gigs' worth of images.  I've set up the server using Cerberus FTP server on a 2003 server.  I set the policy on the Watchguard to allow From: Any incoming traffic To: external IP->internal ftp server IP and outgoing from: Any to: Any.  I can connect to the FTP server while inside the Watchguard and upload and download files fine.  When I'm outside of the firewall I seem to connect to the FTP server fine but I get a few error messages and I cannot do anything while I'm connected.  I've attached the error I receive when I connect anonymously via IE and what I get when I try connecting using the FileZilla FTP client.  I've also attached the screen log of the Cerberus FTP server.
I've given everyone full access to the ftp root folder on the server.
Everything seems to be pointing to the Watchguard but I don't know that much about them to really know for sure.
Attachments: ftperror.jpg, ftp.txt, LOG-2008-10-27-140232.txt
ASKER CERTIFIED SOLUTION
valheru_m
Fveng (ASKER)

I created a PASV policy and changed the port settings on the ftp server to 6000-6010 and I'm still getting the same errors.  I must be missing something or doing something wrong here.
Attachments: pasv1.JPG, pasv2.JPG, pasv3.JPG, cerbos-ports.JPG
For these purposes I use my own custom FTP filter definition instead of the built-in FTP definition.  This way I can put all of the necessary ports into the same rule. FTP doesn't use UDP connections, so you can omit that.  See my rules in the picture below.  I used different ports on this particular configuration because a different application was using a port in the 6000 - 6010 range, but the actual port numbers do not matter as long as they don't conflict with anything else and they match the configuration of the server.

Your incoming properties look correct as long as those are the correct IP addresses for the outside interface of the firebox and the IP address of your FTP server.

Try getting rid of the FTP service altogether in the firebox rules and create a custom rule for this purpose similar to the one in the picture attached. Instead of port 666, use port 21 for your default configuration.  I simply changed mine from the default config for better security.
Attachment: Picture-1.jpg
Just as an aside, you might also need to restart the FTP services for your configuration changes to take effect.

Also, just to get the simple stuff out of the way, I have to ask, have you uploaded your config to the firebox after you changed it?
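
As an added example that is not part of the original thread: a small Python check for the point made above, that the passive port range configured on the FTP server must match what the firewall rule opens. It parses the server's `227` passive reply and also flags an internal address in that reply, a related cause of data-connection failures behind NAT that goes beyond what the thread covers; the sample replies and the address 203.0.113.10 are constructed.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if the line is not one."""
    match = PASV_RE.search(reply) if reply.startswith("227") else None
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is encoded as two bytes: p1 * 256 + p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, allowed_ports, external_ip):
    """List the reasons an outside client could not open this data connection."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 passive reply"]
    ip, port = parsed
    problems = []
    if port not in allowed_ports:
        problems.append(f"port {port} is not in the range opened on the firewall")
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append(f"server advertises internal address {ip}")
    elif ip != external_ip:
        problems.append(f"advertised address {ip} is not the external address {external_ip}")
    return problems

# Constructed sample replies; 203.0.113.10 stands in for the firewall's external IP.
FIREWALL_RANGE = range(6000, 6011)  # 6000-6010, the range used in the thread
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,23,117)",   # port 6005, reachable
    "227 Entering Passive Mode (203,0,113,10,195,80)",   # port 50000, blocked
    "227 Entering Passive Mode (192,168,1,20,23,117)",   # internal address advertised
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, FIREWALL_RANGE, "203.0.113.10") or "ok")
```

The `227` lines to feed it can be copied from the FTP client's message log of a session made from outside the firewall.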
Fveng (ASKER)

That seemed to do the trick.  I'm uploading and downloading files.  Do you have any suggestions for a good open source FTP server app?  The upload and download speeds seem pretty slow and during uploads it will error out saying I don't have permissions and then start uploading again.  Using FileZilla it will start uploading and I can see on the Cerberus server side a few errors like 425 unable to open the data connection, unable to accept passive connection.  Then it will accept passive connection and continue uploading files.  Using IE to upload the files it just errors out in the middle of the transfer.
I have to give this ftp site out to multiple users that range from tech savvy to pencil and paper savvy so I want to make it as easy as possible (click and drag) most likely using IE on their end.
Fveng (ASKER)

I just installed and set up FileZilla server.  After a few tweaks and setting/port adjustments it seems to be running a lot better than Cerberus.  I've been uploading files from FileZilla client to the server for about 30 min with no break in communication.

If you're running Windows server, I do recommend FileZilla.  I've had good luck with it.  Sounds like everything is working well for you now, yes?
Fveng (ASKER)

Yep, looks like it's going well now.  I'm seeing users connect to it and transferring data.  Thanks a lot for your help!
Fveng (ASKER)

Thanks again, perfect explanation and easy to understand.