firewall problem with ftp

on 26.11.2006 18:10:48 by robt93lebo

Now that I am on a DSL I take firewall based security more seriously.
However, my ftp programs are giving me fits. Neither cuteFTP nor
FileZilla will work properly - I get a failure to logon msg back from my
ftp server. This is clearly a firewall (Win XP) issue because this
problem goes away and I can login fine when I simply disable the
firewall (via Wscui.cpl). I have a suspicion that some handshake
verification or authorization transfer back from the ftp site is being
blocked.

Never had this problem with my dialup.

I have used netstat and tasklist to determine the ports being used
by cuteFTP and have tried making its primary port an exception on the
firewall list. I have also tried putting the ftp program itself on the
firewall exception list. Neither helped. Yes, the ftp program does use
some other ports above 1024, but since these are variable, trying to add
them to a port exception(s) list is not going to work.

Anyone out there perhaps have a suggestion for getting deeper into this
issue and zeroing in on the problem? Are there, for example, some
secondary Windows programs required for ftp that I need to put on an
exception list?

Machine - AMD athlon dual; Windows XP-SP2, FIREFOX and/or Netscape
browser, ATT DSL; ftp apps tried are: cuteFTP, FileZilla, ATT ftp.

Thanks!! Dr. Bob

Re: firewall problem with ftp

on 26.11.2006 18:25:34 by unknown

Post removed (X-No-Archive: yes)

Re: firewall problem with ftp

on 26.11.2006 22:24:34 by robt93lebo

Thank you, John -

Yes, that is my current setting on FileZilla. Tried variations on that
but does not seem to help.

John Gray wrote:

>>
>
> Most FTP clients have a setting to enable passive mode. This may work for
> you.
>

Re: firewall problem with ftp

on 26.11.2006 23:04:03 by Ansgar -59cobalt- Wiechers

Dr. Bob wrote:
> John Gray wrote:
>> Most FTP clients have a setting to enable passive mode. This may
>> work for you.
>
> Yes, that is my current setting on FileZilla. Tried variations on that
> but does not seem to help.

Did you check whether the server you're connecting to does support
passive mode?

Try running a sniffer to see what data is actually transmitted.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall problem with ftp

on 27.11.2006 00:13:50 by unknown

Post removed (X-No-Archive: yes)

Re: firewall problem with ftp

on 27.11.2006 00:14:18 by John Smith

On Sun, 26 Nov 2006 22:04:03 +0000, Ansgar -59cobalt- Wiechers wrote:

> Dr. Bob wrote:
>> John Gray wrote:
>>> Most FTP clients have a setting to enable passive mode. This may
>>> work for you.
>>
>> Yes, that is my current setting on FileZilla. Tried variations on that
>> but does not seem to help.
>
> Did you check whether the server you're connecting to does support
> passive mode?
>
> Try running a sniffer to see what data is actually transmitted.
>
> cu
> 59cobalt

For a good sniffer try Ethereal (www.ethereal.com) - be sure to install
WinPcap

Re: firewall problem with ftp

on 27.11.2006 00:18:44 by unknown

Post removed (X-No-Archive: yes)

Re: firewall problem with ftp

on 27.11.2006 01:04:58 by TheDog

Dr. Bob wrote:
> Now that I am on a DSL I take firewall based security more seriously.
> However, my ftp programs are giving me fits. Neither cuteFTP nor
> FileZilla will work properly - I get a failure to logon msg back from my
> ftp server. This is clearly a firewall (Win XP) issue because this
> problem goes away and I can login fine when I simply disable the
> firewall (via Wscui.cpl). I have a suspicion that some handshake
> verification or authorization transfer back from the ftp site is being
> blocked.
>
> Never had this problem with my dialup.

You sure the ISP is going to allow FTP on its network?

Duane :)

Re: firewall problem with ftp

on 27.11.2006 01:48:34 by TheDog

Dr. Bob wrote:
> Now that I am on a DSL I take firewall based security more seriously.
> However, my ftp programs are giving me fits. Neither cuteFTP nor
> FileZilla will work properly - I get a failure to logon msg back from my
> ftp server. This is clearly a firewall (Win XP) issue because this
> problem goes away and I can login fine when I simply disable the
> firewall (via Wscui.cpl). I have a suspicion that some handshake
> verification or authorization transfer back from the ftp site is being
> blocked.
>
> Never had this problem with my dialup.

I didn't read that part well up above. The XP FW doesn't block outbound,
only inbound. So, that does seem like the culprit.

>
> I have used netstat and tasklist to determine the ports being used
> by cuteFTP and have tried making its primary port an exception on the
> firewall list. I have also tried putting the ftp program itself on the
> firewall exception list. Neither helped. Yes, the ftp program does use
> some other ports above 1024, but since these are variable, trying to add
> them to a port exception(s) list is not going to work.

If you were on dial-up, were you using the XP FW then?
>
> Anyone out there perhaps have a suggestion for getting deeper into this
> issue and zeroing in on the problem? Are there, for example, some
> secondary Windows programs required for ftp that I need to put on an
> exception list?

I doubt it. What ports are these FTP programs using?

Duane :)

Re: firewall problem with ftp

on 27.11.2006 12:51:05 by unknown

Post removed (X-No-Archive: yes)

Re: firewall problem with ftp

on 27.11.2006 14:02:12 by Ansgar -59cobalt- Wiechers

john smith wrote:
> On Sun, 26 Nov 2006 22:04:03 +0000, Ansgar -59cobalt- Wiechers wrote:
>> Dr. Bob wrote:
>>> John Gray wrote:
>>>> Most FTP clients have a setting to enable passive mode. This may
>>>> work for you.
>>>
>>> Yes, that is my current setting on FileZilla. Tried variations on
>>> that but does not seem to help.
>>
>> Did you check whether the server you're connecting to does support
>> passive mode?
>>
>> Try running a sniffer to see what data is actually transmitted.
>
> For a good sniffer try Ethereal (www.ethereal.com) - be sure to
> install WinPcap

Ethereal was renamed to Wireshark [1] almost half a year ago. WinPcap is
included with the Windows installer.

[1] http://www.wireshark.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall problem with ftp

on 27.11.2006 14:18:01 by Ansgar -59cobalt- Wiechers

John Gray wrote:
> I'm currently using the latest GetRight on WinXP Pro SP2 with Sygate
> Personal as the software firewall. I'm also behind a NAT router and
> have no problems at all. I don't like Windows Firewall at all.

There are far more reasons to dislike Sygate than there are to dislike
the Windows-Firewall. Sygate opens ports (probably for IPC) on all
interfaces, and also runs an interactive service with SYSTEM privileges,
which probably makes it vulnerable to Shatter Attacks.

And just because Leythos will surely come up with this really stupid
"argument" again: yes, the Windows-Firewall allows a user to place
exceptions in it, provided the user has ADMINISTRATOR privileges. In
which case every other personal firewall will fail as well at preventing
a malicious user (or malware) from poking holes in it.

A system cannot be protected from its administrator. Any attempt at that
will either fail or result in the administrator no longer being the
administrator.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall problem with ftp

on 27.11.2006 16:07:37 by unknown

Post removed (X-No-Archive: yes)

Re: firewall problem with ftp

on 29.11.2006 23:11:42 by robt93lebo

First of all - thanks to all of the above for the helpful suggestions.
Yes, it is an inbound verification block in all likelihood. I have a
work-around for the moment. I will be happy to have additional comments
and suggestions if anyone has dealt with similar issues of their own.

The excellent ftp overview by Mike Gleason
(http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html ) is a
valuable resource and as soon as I fully understand it I think the
solution will be apparent. Unfortunately, I (and many others evidently)
think it is a Windows XP firewall implementation issue that may relate
in part to how specific ftp sites deal with ephemeral port assignments
and may thus go deeper than settings adjustments at my end.

Keep on.......


Sebastian Gottschalk wrote:
> Mr. Arnold4 wrote:
>
>> I didn't read that part well up above. The XP FW doesn't block outbound,
>> only inbound. So, that does seem like the culprit.
>
> Blocking inbound traffic in conjunction with stupid protocols like FTP,
> well that's pretty likely the problem.
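
Added example, not part of the thread: when following the advice above to run a sniffer, the FTP control channel shows which side opens each data connection. This sketch parses constructed control-channel lines (RFC 959 `PORT` commands and `227` passive replies only; `parse_hostport`, `data_connections` and the sample addresses are illustrative names and values) and marks the negotiations that need a new inbound connection to the client, plus `PORT` commands that advertise a private address from behind NAT.

```python
import re
from ipaddress import ip_address, ip_network

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed control-channel lines, as a sniffer would show them.
SAMPLE = [
    "220 FTP server ready",
    "USER anonymous",
    "PORT 192,168,1,20,195,80",
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,78,52)",
]

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connections(control_lines):
    """Return one record per data-channel negotiation on the control channel."""
    found = []
    for line in control_lines:
        line = line.strip()
        if line.upper().startswith("PORT "):
            mode = "active"      # client listens, server connects to it
        elif line.startswith("227 "):
            mode = "passive"     # server listens, client connects out
        else:
            continue
        endpoint = parse_hostport(line)
        if endpoint is None:
            continue
        addr = ip_address(endpoint[0])
        found.append({
            "mode": mode,
            "endpoint": endpoint,
            "inbound_to_client": mode == "active",
            "private_address": any(addr in net for net in RFC1918),
        })
    return found
```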