Network / Server Status
#76
Alireza,
I have replied to your trouble ticket requesting more information. Please provide it, and we will work on finding a solution to your problem.
#77
Passive should now work.
I set up a new filter late last night to see if passive ftp could be allowed and I was able to do it through ws_ftp as well as it seems at least 403 others have got it to work also. And YES, I have a hardware firewall setup @ home as well. Was able to successfully use ws_ftp and cute ftp both when I tested.

permit tcp any eq ftp-data any gt 1024 (404 matches)

Granted, it won't "load" or list files as fast as port specific, but it will now work.

Q. How does CBAC interact with Passive FTP?

A. The following process describes the FTP client inside to the FTP server outside CBAC interaction:

The FTP client sends out the synchronize/start (SYN) packet on the control channel:

SYN client ---------FW---------> server

The Cisco IOS firewall creates a session for this new connection and holes in ACLs:

hole client <--------FW--------- server
hole client <--------FW--------- server

The TCP handshake is completed:

SYN ACK client <--------FW--------- server
ACK client ---------FW---------> server

When the ls command is entered, the FTP client sends PASV and LIST commands to the server one after the other:

PASV client ---------FW---------> server
address/port info client <--------FW--------- server

On seeing the address/port in the reply to the PASV command, the Cisco IOS firewall creates a pre-gen session and ACL holes:

hole client ---------FW---------> server
hole client ---------FW---------> server

The holes point from the client to the server because the Cisco IOS firewall knows that the client will try to connect to the server at XXXX,y,y to create the data channel as per Passive FTP specifications.

The FTP client sends the SYN for this data connection:

SYN DATA client ---------FW---------> server

On seeing the SYN packet, the Cisco IOS firewall creates holes which will allow synchronize acknowledge (SYN ACK) reply from the server:

hole client <--------FW--------- server
hole client <--------FW--------- server

These holes can take 5-10 seconds to create.

From the time the user sends the ls command to the time these holes are created, there are at least three packets exchanged between the client and the server:

PASV
Reply to PASV with address/port information
SYN to this new address/port

These three packet exchanges might be slow if the FTP server or client is loaded and can easily take up to 5-10 seconds.
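The PASV handshake and the firewall "holes" described in the pasted Cisco text, modelled as an added Python example (not code from this thread, from Cisco, or from any FTP client quoted here). It decodes a 227 reply the way the clients in this thread do (p1*256 + p2), opens a one-shot client-to-server pinhole for that endpoint, and opens nothing for a reply that points at a different host or a privileged port. All addresses are constructed from the RFC 5737 documentation ranges; the class and function names are this example's own.

```python
import re

# 227 reply on the control channel, e.g. "227 Entering Passive Mode (192,0,2,10,149,72)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    vals = list(map(int, m.groups()))
    if any(v > 255 for v in vals):
        raise ValueError(f"octet out of range in {reply!r}")
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]

class PassiveFtpInspector:
    """Pinholes a CBAC-style inspector opens for client->server data channels."""

    def __init__(self, client: str, server: str) -> None:
        self.client, self.server = client, server
        self.pinholes: set[tuple[str, str, int]] = set()  # (src, dst, dport)

    def on_control_reply(self, reply: str) -> bool:
        """Inspect one server reply on port 21; True if a data-channel hole was opened."""
        if not reply.startswith("227 "):
            return False
        host, port = parse_pasv(reply)
        # Data channel must go back to the same server on an ephemeral port.
        if host != self.server or port <= 1024:
            return False
        self.pinholes.add((self.client, host, port))
        return True

    def permit_syn(self, src: str, dst: str, dport: int) -> bool:
        """Pass a data-channel SYN only if a matching hole exists; holes are one-shot."""
        key = (src, dst, dport)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False

def demo() -> list[bool]:
    """Constructed exchange (RFC 5737 addresses); returns [True, True, False, False]."""
    fw = PassiveFtpInspector(client="192.0.2.100", server="192.0.2.10")
    opened = fw.on_control_reply("227 Entering Passive Mode (192,0,2,10,149,72).")
    first = fw.permit_syn("192.0.2.100", "192.0.2.10", 38216)   # hole matches
    again = fw.permit_syn("192.0.2.100", "192.0.2.10", 38216)   # hole already consumed
    redirect = fw.on_control_reply("227 Entering Passive Mode (203,0,113,5,149,72).")
    return [opened, first, again, redirect]
```

A client that times out on the data socket, as several posts in this thread report, is what `permit_syn` returning False looks like from the outside: the control channel is fine, but no hole exists for the data endpoint when the SYN arrives.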
#78
It started to work for me but then got an error.
*** CuteFTP Pro 2.0 - build Dec 4 2001 ***
STATUS:> Getting listing ""...
STATUS:> Connecting to ftp server 65.57.230.XXX:21 (ip = 65.57.230.XXX)...
STATUS:> Socket connected. Waiting for welcome message...
220 ProFTPD 1.2.6 Server (Backup) [backup.vortechhosting.com]
STATUS:> Connected. Authenticating...
COMMAND:> USER brad
331 Password required for brad.
COMMAND:> PASS *****
230 User brad logged in.
STATUS:> Login successful.
COMMAND:> PWD
257 "/" is current directory.
STATUS:> Home directory: /
COMMAND:> FEAT
500 FEAT not understood.
STATUS:> This site doesn't support the 'features' command.
COMMAND:> REST 100
350 Restarting at 100. Send STORE or RETRIEVE to initiate transfer.
STATUS:> This site can resume broken downloads.
COMMAND:> TYPE A
200 Type set to A.
COMMAND:> REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer.
COMMAND:> PASV
227 Entering Passive Mode (65,57,230,251,149,72).
COMMAND:> LIST
STATUS:> Connecting ftp data socket 65.57.230.XXX:38216...
ERROR:> Can't connect to remote server. Socket error = #10060.
ERROR:> Failed to establish data socket.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#79
I got pretty much the same thing. It didn't work.
#80
No go here for me either I'm afraid.
227 Entering Passive Mode (65,57,231,30,9,5).
Opening data connection IP: 65.57.231.30 PORT: 2309.

Then timeout.
#81
???
HUH ???
Connecting to 216.157.129.231:21
Connected to 216.157.129.231:21 in 0.078, Waiting for Server Response
220 ProFTPD 1.2.6 Server (ProFTPD Default Installation) [cpanel.nocspeed.com]
Host type (1): Automatic detect
USER alan
331 Password required for alan.
PASS (hidden)
230 User alan logged in.
SYST
215 UNIX Type: L8
Host type (2): UNIX (standard)
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (216,157,129,231,7,94).
connecting data channel to 216.157.129.231:1886
PORT 192,168,1,200,5,48
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
Success
transferred 460 bytes in 0.109 seconds, 32.857 Kbps ( 4.107 KBps).
226 Transfer complete.
CWD /www
250 CWD command successful.
PWD
257 "/public_html" is current directory.
PASV
227 Entering Passive Mode (216,157,129,231,7,98).
connecting data channel to 216.157.129.231:1890
PORT 192,168,1,200,5,56
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
Success
transferred 15461 bytes in 0.203 seconds, 594.654 Kbps ( 74.332 KBps).
226 Transfer complete.
TYPE I
200 Type set to I.
PASV
227 Entering Passive Mode (216,157,129,231,7,100).
connecting data channel
PORT command successful
RETR 2000studyguide_1.html
150 Opening BINARY mode data connection for 2000studyguide_1.html (140390 bytes)
transferred 140390 bytes in 0.656 seconds, 1671.310 Kbps ( 208.914 KBps).
226 Transfer complete.
#82
220 nt11 Microsoft FTP Service (Version 5.0).
USER sweetdin
331 Password required for XXXXXX.
PASS (hidden)
230 User XXXXXXX logged in.
SYST
215 Windows_NT version 5.0
REST 100
350 Restarting at 100.
REST 0
350 Restarting at 0.
PWD
257 "/XXXXXXX" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (65,57,231,48,14,8).
Opening data connection IP: 65.57.231.48 PORT: 3592.
LIST -aL
125 Data connection already open; Transfer starting.
951 bytes received successfully. (951 B/s) (00:00:01).
226 Transfer complete.
CWD /XXXXXXX/XXXXXXXXX
250 CWD command successful.
PWD
257 "/XXXXXXX/XXXXX" is current directory.
PASV
227 Entering Passive Mode (65,57,231,48,14,12).
Opening data connection IP: 65.57.231.48 PORT: 3596.
LIST -aL
125 Data connection already open; Transfer starting.
73 bytes received successfully. (73 B/s) (00:00:01).
226 Transfer complete.
TYPE I
200 Type set to I.
PASV
227 Entering Passive Mode (65,57,231,48,14,29).
Opening data connection IP: 65.57.231.48 PORT: 3613.
RETR XXXXXXXXX.mdb
125 Data connection already open; Transfer starting.
139264 bytes received successfully. (45.33 KB/s) (00:00:03).
226 Transfer complete.

(Sorry I X'ed out usernames and such, but this is to a windows server, works to unix also.)
#83
Odd
#84
Brangwyn, refresh your page, it was not working for me yesterday, is today.
#85
Tried 7 servers (all windows) no go. Just tried a Unix and got in first time, went back and tried another windows box and it worked. Very odd.
#86
Seems to be working now Alan .. that last little "tweak" must have fixed it !!
Thank you very much guys!
#87
No problem. Like ya said, just a little tweak. We are logging it all, so at least we'll know if someone tries something "fishy", and then I'll just block their IP range.
#88
You guys fixed something else as well. Previously I was having problems with my FTP client being denied a connection when in the middle of transferring a directory of small files. I was working with the manufacturer of the FTP client to try to figure out what was going on. Ever since things got reconfigured (and passive opened up) I've not had the problem. The last guess was that it was something with your firewall or FTP server (but only with the windows boxes). Does anyone have any idea what the problem may have been (just so I can report to the software guy for future reference)?
Thanks