05/13/03 Ftp With Firewall in Place

[Brangwyn]

I haven't got dreamweaver installed at the moment to verify, but I seem to recall it had a hard time working in anything other than PASV mode actually.

Those of you having problems, are you behing a firewall, NAT or other type of internet connection "protection" system such as Zone Alarm or Nortons Internet Protection ?

If things aren't going to be changed then we might have to collectively work together on a FAQ detailing how to open these products up to allow ACTIVE ftp me thinks.

[dwhite]

The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1024 -> server 21
data : client >1024 <- server 20

Passive FTP :
command : client >1024 -> server 21
data : client >1024 -> server >1024

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously.

[Vixen]

Quote:

Originally posted by dwhite
Well Brad, I just tested my FTP connection through Dreamweaver and WS_FTP Pro, and I CANNOT get through. I have work to do and a deadline of today to do it in, so would very much appreciate an answer and resolution to this problem that your company has created. Please pay attention to what Branwyn and the rest of us are telling you and don't just tell us everything is OK because YOU can get through.

Try unchecking PASSIVE on Dreamweaver. I uploaded tons of new material to my site last night via Dreamweaver so I can tell you that it DOES work.

BTW, less of a tone would be appreciated.

[dwhite]

Quote:

Originally posted by Brangwyn
I haven't got dreamweaver installed at the moment to verify, but I seem to recall it had a hard time working in anything other than PASV mode actually.

Those of you having problems, are you behing a firewall, NAT or other type of internet connection "protection" system such as Zone Alarm or Nortons Internet Protection ?

If things aren't going to be changed then we might have to collectively work together on a FAQ detailing how to open these products up to allow ACTIVE ftp me thinks.

Two sequential NAT, one hardware firewall/router and software firewalls on each desktop.

[admin]

Quote:

Originally posted by dwhite
Well Brad, I just tested my FTP connection through Dreamweaver and WS_FTP Pro, and I CANNOT get through. I have work to do and a deadline of today to do it in, so would very much appreciate an answer and resolution to this problem that your company has created. Please pay attention to what Branwyn and the rest of us are telling you and don't just tell us everything is OK because YOU can get through.

If you take the time to read you will see you must have passive FTP set to "OFF". Only PORT FTP will work at this time. I believe you may have passive on by mistake.

[dwhite]

Vixen, I asked, and did not shout or cuss, merely stated a fact that just because one particular connection works, does not mean it will work for everyone else. I have unchecked PASV on Dreamweaver, WS_FTP, SmartFTP and Bulletproof. Nothing gets through.

[dwhite]

Brad, can you explain this a bit further please? As you can see from the comments, there is some confusion, as others are telling us that we need to uncheck PASV. Thanks, I appreciate your feedback.

[admin]

We opened port 1024 but from what I know passive FTP uses any thing from 1024 UP if we open that up then we might as well have no firewall..

There are advantages and disadvantages to every thing.
advantages: Our servers will be much safer.
advantages: Less out said traffic coming in to the network that is not needed.
advantages: Faster speeds.

disadvantages: Passive FTP will not work.


When I look at the disadvantages and the advantages I think every one here should or would want there systems to be safer. I understand the passive FTP thing is kind of a pain, but just about EVERY ftp client out there supports both. Here is a list of the ones I know.

Dreamweaver 3
Dreamweaver 4
Dreamweaver MX
CuteFTP Any version
ws_ftp LE
ws_ftp Pro
IE 5.x and 6.x even works to ftp in to our network.

I have not seen any FTP client not work yet. All of the above have been tested from outside of our network and work 100%.

[admin]

Right i was saying you must still have passive FTP on if its not working. Make sure its UNCHECKED and it should default to port mode and work with no issues.

[Vixen]

Quote:

Originally posted by dwhite
Vixen, I asked, and did not shout or cuss, merely stated a fact that just because one particular connection works, does not mean it will work for everyone else. I have unchecked PASV on Dreamweaver, WS_FTP, SmartFTP and Bulletproof. Nothing gets through.

To be honest, it sounded to me as if you were accusing someone of lying to you because they could get through and you could not.

As for the Dreamweaver issue it DOES work if you UNCHECK passive. I worked on my site for 3+ hours last night and Dreamweaver is the ONLY thing I use to upload.

[dwhite]

Brad, I've tried both with no luck at all. I also asked another developer on a completely different network to try with the same result. The error we get is "Unable to build a data connection": Operation timed out" The timeout is set to the max - 120 seconds. This has been happening since early yesterday afternoon.

P.S. Brad, it is defaulting to port mode in PASV as you stated, but we are getting the same result.

[dwhite]

Glad to hear that you can connect Vixen. I and several others have not since yesterday afternoon. The connection attempt simply times out.

[dwhite]

Just tried ftp from IE6 as well, as you had stated that it worked. It also timed out.

[zye]

it just worked ( 3mins ago ) with passive ftp - now its not working

if possible i send mail to support@vortechhosting.com - open ALL PORTS on my IP range cause i give a damn at your firewall

and also my server is still offline ( 65.57.228.XXX ) ip range

when do you think my server is online 100% AGAIN ?
its down since 2 HOURS +

i need info what and when things are going to work normal again

zye

[dwhite]

OK, I've managed to get in front of our hardware router/firewall and try it with PASV turned off. This works, so am assuming that the issue is that its not getting past it, even though its not showing up in the logs for some odd reason. We will work on it from our end as well. Thanks for your help.