windows firewall blocks outgoing ftp connection

Hello,

I have a small problem on some of my servers: Win2003 Server SP1 all the
patches installed. Windows firewall is enabled, ftp.exe is allowed to
connect, port tcp:21 is opened from outside but I cannot create *outgoing*
ftp connection neither in active nor in passive mode:

~~~
D:\>ftp ftp.cdrom.com
Connected to cdrom.wip.digitalriver.com.
Connection closed by remote host.
~~~

Sure, switching off firewall solves the problem.

Anyone, any clues ?

-Andrey

"Andrey P." <(E-Mail Removed)> wrote in messagel...
>Hello,
>
>I have a small problem on some of my servers: Win2003 Server SP1 all the
>patches installed. Windows firewall is enabled, ftp.exe is >allowed to
>connect, port tcp:21 is opened from outside but I cannot create *outgoing*
>ftp connection neither in active nor in passive mode:
>
>~~~
>D:\>ftp ftp.cdrom.com
>Connected to cdrom.wip.digitalriver.com.
>Connection closed by remote host.
>~~~
>
>Sure, switching off firewall solves the problem.

Remote FTP server tries to make a connection back to you (after you make an
initial connection to it over tcp 21) on a high port > 1023 which windows
firewall is blocking. I don't think you want to open all those ports. If
you upgrade to RRAS, the NAT in RRAS (Windows 2003) has active FTP
translation support, but you have to enable it with:

netsh routing ip nat add ftp

This is documented here (watch out for long URL wrap):

http://www.microsoft.com/technet/pro...f4e9f04df.mspx

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

Hello Todd,

Thanks for the advice! But it seems to me that the reason not in the
firewall itself, but in the application layer gateway. Moreover, the problem
started just recently, possibly after the last windows update (when I turn
logging on Windows firewall, there's no dropped packets logged). Secondly,
RRAS solution doesn't work for me since it cannot be run at the same time
with widows firewall service.

-Andrey.


"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message
news:%(E-Mail Removed)...
> "Andrey P." <(E-Mail Removed)> wrote in messagel...
> >Hello,
> >
> >I have a small problem on some of my servers: Win2003 Server SP1 all the
> >patches installed. Windows firewall is enabled, ftp.exe is >allowed to
> >connect, port tcp:21 is opened from outside but I cannot create
*outgoing*
> >ftp connection neither in active nor in passive mode:
> >
> >~~~
> >D:\>ftp ftp.cdrom.com
> >Connected to cdrom.wip.digitalriver.com.
> >Connection closed by remote host.
> >~~~
> >
> >Sure, switching off firewall solves the problem.
>
> Remote FTP server tries to make a connection back to you (after you make
an
> initial connection to it over tcp 21) on a high port > 1023 which windows
> firewall is blocking. I don't think you want to open all those ports. If
> you upgrade to RRAS, the NAT in RRAS (Windows 2003) has active FTP
> translation support, but you have to enable it with:
>
> netsh routing ip nat add ftp
>
> This is documented here (watch out for long URL wrap):
>
>
http://www.microsoft.com/technet/pro...f4e9f04df.mspx
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> --------------------------------------------------------------------------
--
> This posting is provided "as is" with no warranties and confers no rights
>
>

On Tue, 22 Nov 2005 18:50:04 -0800, "Andrey P." <(E-Mail Removed)>
wrote:

>Hello,
>
>I have a small problem on some of my servers: Win2003 Server SP1 all the
>patches installed. Windows firewall is enabled, ftp.exe is allowed to
>connect, port tcp:21 is opened from outside but I cannot create *outgoing*
>ftp connection neither in active nor in passive mode:
>
>~~~
>D:\>ftp ftp.cdrom.com
>Connected to cdrom.wip.digitalriver.com.
>Connection closed by remote host.
>~~~
>
>Sure, switching off firewall solves the problem.
>
>Anyone, any clues ?
>
>-Andrey

I am running the same setup and have no problems:

C:\>ftp ftp.cdrom.com
Connected to cdrom.wip.digitalriver.com.
220 drftp.digitalriver.com NcFTPd Server (licensed copy) ready.
User (cdrom.wip.digitalriver.comnone)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-You are user #16 of 500 simultaneous users allowed.
230-
230 Logged in anonymously.
ftp> quit
221 Goodbye.

Not sure what to check to see why I can and you cannot.

Hello Andrey.
If shutting the firewall solves the problem, maybe there is something to
check on the rules.
If the server you're connecting to uses active FTP, you need to let the port
21 AND 20 from the server to any port over 1024.
Have you trid to allow port 20 ?

--
Fabrizio Volpe
MCSE 2003/2000/NT
MCT