TCP/IP filtering and FTP

 
 
George Valkov
Guest
Posts: n/a

 
      09-23-2004, 10:34 AM
What ports and protocols should I enable in TCP/IP filtering for the FTP
service to work?
Also the server must be able to make outgoing connections to other FTP
servers.



 
 
 
 
 
Robert L [MS-MVP]
Guest
Posts: n/a

 
      09-23-2004, 12:46 PM
21

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
George Valkov
Guest
Posts: n/a

 
      09-23-2004, 02:23 PM
If TCP 21 was enough, I wouldn't even post that topic here!
As far as I know both TCP 20 and TCP 21 are required for the FTP session to
work. But if I tell the filter to enable only these ports I can't access the
FTP service locally and I cannot connect to remote FTP servers.

I have another server - HTTP with only TCP 80 open and it works fine!
 
Todd J Heron
Guest
Posts: n/a

 
      09-23-2004, 04:43 PM
Open TCP 20 & 21 inbound. As for external connections, your router/firewall
or the ICF will allow any traffic originating from the machine to go out,
so you need not worry about that.


--
Todd J Heron, MCSE
Windows 2003/2000/NT


 
 
George Valkov
Guest
Posts: n/a

 
      09-23-2004, 05:35 PM
I am asking about TCP/IP filtering, and not ICF!
 
Todd J Heron
Guest
Posts: n/a

 
      09-23-2004, 06:50 PM
As I said, open tcp ports 20 & 21 inbound.

--
Todd J Heron, MCSE
Windows 2003/2000/NT


 
 
Guest
Posts: n/a

 
      09-24-2004, 09:03 AM
FTP does not use only port 21. When it comes to data, the port
would be different, i.e. 1400 and above. I'm not sure which
ports FTP data uses, but I'm sure that FTP is
not using only port 21.


>-----Original Message-----
>"Todd J Heron" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> As I said, open tcp ports 20 & 21 inbound.
>>
>
>I can connect from FTPSERVER1 to another FTP server running Linux.
>
>I still cannot connect from FTPSERVER1 to FTPSERVER1:
>ftp> debug
>Debugging On .
>ftp> open FTPSERVER1
>Connected to FTPSERVER1
>220-Microsoft FTP Service
> You can now logon as anonymous.
> Use anything You like as a password.
>220 You can send me Your name or e-mail address as password.
>User (FTPSERVER1:(none)): anonymous
>---> USER anonymous
>331 Anonymous access allowed, send identity (e-mail name) as password.
>Password:
>---> PASS
>230-Welcome!
> FTPSERVER1 is on Your services!
>230 Anonymous user logged in.
>ftp> ls
>---> PORT 192,168,1,1,11,224
>200 PORT command successful.
>---> NLST
>150 Opening ASCII mode data connection for file list.
>Aborting any active data connections...
>425 Can't open data connection.
>ftp>
>
>While waiting for response to the "ls" command:
>#netstat -n
>
>Active Connections
>
> Proto  Local Address      Foreign Address    State
> TCP    192.168.1.1:21     192.168.1.1:3033   TIME_WAIT
> TCP    192.168.1.1:21     192.168.1.1:3039   ESTABLISHED
> TCP    192.168.1.1:3039   192.168.1.1:21     ESTABLISHED
>
>Well? It cannot connect to TCP 20 for the data connection, even when the
>port is open.
>What else should I do?

 
 
George Valkov
Guest
Posts: n/a

 
      09-24-2004, 11:00 AM
Thank You!
Now I have to find either
1. How to force IIS 6.0 to use a fixed port for the FTP data connections
or
2. Find out which ports are used and open them.
 
ObiWan
Guest
Posts: n/a

 
      09-24-2004, 05:06 PM

> Well? It cannot connect to TCP 20 for
> the data connection, even when the port
> is open. What else should I do?


Well ... the problem is that the port filtering only
allows you to specify "local ports", so what you
did is to open ports 20 and 21 (tcp) to traffic. But
the FTP "handshaking" is a different kind of
beast, that is:

The client connects to port 21 (the control port)
and starts an FTP session. This won't change
and won't cause problems with your current
filter settings.

The client then asks for a directory listing (or
tries to retrieve a file) and now things change:
the FTP server receives from the client a
PORT command. The PORT command has the
format PORT xxx,yyy,zzz,kkk,p1,p2 where p1
and p2 indicate a port and "xxx.." contain the
client IP. At this point the FTP server initiates
an outbound connection _from_ its port #20
(FTP data) toward the client IP and port
indicated by the PORT command. Once the
connection has been established the data
transfer starts (either dir listing, file transfer..).

As you see, the problem is that by just opening
up port #20 you're allowing traffic to it but not
toward the "dynamic ports" needed for the
data channel. A possible solution to your issue
may be using IPSec port filtering instead of
the "standard port filtering" you're using; in
this latter case you'll be able to create a rule
like

source IP ftp_server_ip
source port 20
target IP any
target port 1024-5000

For an example of an IPSec port filtering policy
you may have a look at this site:

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

Although the above example is for a "client"
machine, I think you'll be able to adapt the
filtering to your needs.

Regards


--

* ObiWan

Microsoft MVP: Windows Server - Networking
http://mvp.support.microsoft.com
http://italy.mvps.org
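
The active-mode exchange discussed in this thread, as an added example that is not part of any poster's message: it decodes the PORT command from the quoted debug session, derives the data connection the server opens from port 20, and checks it against a permit-only list of local ports. The function names and the simplified filter model are assumptions made for illustration.

```python
import re

# Constructed sample: client-side lines taken from the "ftp> debug" session quoted above.
TRANSCRIPT = """\
---> USER anonymous
---> PORT 192,168,1,1,11,224
200 PORT command successful.
---> NLST
425 Can't open data connection.
"""

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if the line is not one."""
    m = PORT_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = nums
    # The port is sent as two bytes, high byte first.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connections(transcript, server_ip):
    """Data connections the server will open in active mode:
    (src_ip, src_port=20, dst_ip, dst_port) for every PORT command seen."""
    conns = []
    for line in transcript.splitlines():
        target = parse_port(line)
        if target:
            conns.append((server_ip, 20, *target))
    return conns

def blocked_by_local_port_filter(conn, filtered_host_ip, permitted_local_tcp):
    """Simplified model (assumption): a permit-only filter on local ports drops
    a connection arriving at filtered_host_ip unless its destination port is listed."""
    _src_ip, _src_port, dst_ip, dst_port = conn
    return dst_ip == filtered_host_ip and dst_port not in permitted_local_tcp

def required_rules(conns):
    """Rules in the shape ObiWan describes: source port 20 toward the client's port."""
    return [f"permit tcp {s}:{sp} -> {d}:{dp}" for s, sp, d, dp in conns]
```

For the session in the thread the data connection targets port 3040 on the same host, which a permit list of only 20 and 21 does not cover; the same applies whenever the filtered machine acts as an active-mode client of a remote FTP server.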


 