Author Topic: Can FTP from within my lan via IP but can not access FTP server outside my lan ?  (Read 24117 times)

gunrunnerjohn


I only port forward port 21 to run the FTP server on my DNS-323 externally, so I have no idea what you guys are doing to break it.
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.

OlegMZ



There seems to be a lot of misunderstanding here and there, and blind attempts to make things work :-).

First of all, as has already been said, there should be a clear understanding of how FTP works, what active and passive mode are, and which ports are used.

1. FTP uses 2 channels at the same time for its work and needs 2 independent connections - command-and-control and data-transfer. Using the c&c connection the FTP client gives instructions to the server and listens to replies, while using the data connection the server sends (or receives) the actual data. TCP port 21 is the standard (well-known) port used for command-and-control. If this is the only port opened in both directions on the firewall, then no actual data transfer can take place.

2. The term active or passive FTP describes FTP SERVER behaviour - who initiates the data-transfer channel. If it is the client, this is passive mode; if it is the server, active mode.
In active mode the client connects to the server on port TCP/21 using some random source TCP port above the well-known range (1024 and up). For example TCP/2000. This is how it establishes the c&c connection.
Then the client sends the server its data port, which is current_port+1. In our case TCP/2000+1 = TCP/2001.
After that the FTP server initiates the data connection to the client using TCP/20 as the source port and TCP/2001 (in our case) as the destination port, and transfers the data.

In passive mode both connections are initiated by the client. Instead of sending a port number to the server, the client sends the PASV command. In response the FTP server itself opens a random TCP port (say TCP/3000) and sends it back to the client. After that the client connects to this port, again using c&c port + 1 (TCP/2001 in our case) as the source and the received server port (TCP/3000 in our case) as the destination, and the server uses this established connection to send data to the client (or receive it from the client).

Now what happens if we put a one-way firewall between client and server which allows all the traffic in one direction and only returning traffic from the opposite side?

1. FTP server is outside and the client is inside.
In the case of passive FTP we are fine and no ports need to be opened, as all outgoing (and returning) traffic is permitted. The FTP client first establishes the c&c connection from inside to outside (client:2000 -> server:21), receives the port number from the server and establishes the data connection (client:2001 -> server:3000).
In the case of active FTP we are in big trouble, because we need to allow a data connection initiated from the server using port 20 AS A SOURCE PORT to the client using random port + 1 (TCP/2001 in our case, i.e. server:20 -> client:2001). Unless we have some sophisticated firewall which can perform deep inspection of packets, detect the FTP connection, derive the dynamic port from it and dynamically open it, we have to open wide traffic from any source using port 20 to the client on the port range 1024 - 65535, which is a big security hole.
That is why passive mode is mostly used to access FTP servers on the internet from behind firewalls.

Now if we put the FTP server behind a firewall and the FTP client on the outside network, we get a completely different picture.
First we need to open (forward) port TCP/21 to the FTP server. Otherwise no ftp connection will be established.
Now if the ftp client uses ACTIVE mode to connect to the FTP server, we are fine:
1) The client connects to the FTP server and tells it which port to use for data (TCP/2001 in our example). This c&c connection works if port forwarding was configured properly.
2) The server initiates the data connection from inside the firewall (all traffic is allowed!) using the obtained port number as the destination and TCP/20 as the source - server:20 -> client:2001 (in our case)

But if the FTP client tries to use Active mode it will fail (if our firewall is not capable of deep packet inspection) because the client will try to establish a connection from outside to inside using the dynamic destination port supplied by the FTP server - client:2001 -> server:3000.

To make a long story short - in the case of a "simple" one-way firewall, passive ftp mode should be used to connect to FTP servers on the internet, and active mode should be used to connect from the internet to servers behind such firewalls with only port 21 permitted in the inbound direction.

Do you see a bit of a problem here? If we have a client behind such a firewall trying to connect to an FTP server behind such a firewall IT WILL NEVER WORK, as they need different FTP modes to operate!

At least one of the firewalls should be smart enough to support both FTP modes, or there should be one-to-one NAT translation to the FTP server with all ports allowed (which is not good, as all ports on the server are exposed to the internet). Check your router documentation regarding FTP processing capabilities.

One more hint on how to check if port forwarding is actually working. Forget about any FTP clients. Just go to the command prompt and use 'telnet x.x.x.x 21' where x.x.x.x is the IP of your FTP server.
If the FTP server works and port forwarding is configured properly you should see the FTP server response on your screen like: 220 blah blah blah FTP server is ready.
If you see 'connection failed' it means something is wrong.
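The walk-through above can be checked mechanically. This is an added example, not code from the thread or from D-Link: it models a "simple" one-way firewall (everything outbound allowed, inbound only for explicitly forwarded ports), builds the control and data connections for each FTP mode with the post's constructed port numbers (2000/2001 on the client, 3000 on the server), and reports which modes survive a given firewall placement, including the both-sides-firewalled case and the fix of forwarding the passive port range as well as 21.

```python
"""Which FTP connections pass a 'simple' one-way firewall (added example)."""
from __future__ import annotations
from dataclasses import dataclass

FTP_CMD_PORT = 21          # well-known command-and-control port
FTP_ACTIVE_DATA_SRC = 20   # source port the server uses in active mode


@dataclass(frozen=True)
class Flow:
    initiator: str   # "client" or "server": who opens the TCP connection
    src_port: int
    dst_port: int


def ftp_flows(mode: str, client_port: int = 2000, server_pasv_port: int = 3000) -> list[Flow]:
    """Control and data connections of one FTP session (constructed port numbers)."""
    control = Flow("client", client_port, FTP_CMD_PORT)
    if mode == "active":
        # PORT: client listens on current_port+1; the server connects from TCP/20.
        data = Flow("server", FTP_ACTIVE_DATA_SRC, client_port + 1)
    elif mode == "passive":
        # PASV: server listens on a random high port; the client connects to it.
        data = Flow("client", client_port + 1, server_pasv_port)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return [control, data]


def inbound_allowed(flow: Flow, side: str, forwarded: frozenset[int]) -> bool:
    """A simple firewall on `side` lets the flow through if that side opened it
    (returning traffic is always allowed) or its destination port is forwarded."""
    return flow.initiator == side or flow.dst_port in forwarded


def session_works(mode: str, client_fw: bool, server_fw: bool,
                  forwarded: frozenset[int] = frozenset({FTP_CMD_PORT})) -> bool:
    """True if every connection of the session passes both firewalls.
    `forwarded` is the inbound forwarding on the server side; the client side
    is assumed to forward nothing at all."""
    for flow in ftp_flows(mode):
        if client_fw and not inbound_allowed(flow, "client", frozenset()):
            return False
        if server_fw and not inbound_allowed(flow, "server", forwarded):
            return False
    return True


def working_modes(client_fw: bool, server_fw: bool,
                  forwarded: frozenset[int] = frozenset({FTP_CMD_PORT})) -> list[str]:
    return [m for m in ("active", "passive") if session_works(m, client_fw, server_fw, forwarded)]
```

With only port 21 forwarded, `working_modes(True, True)` is empty, which is the "IT WILL NEVER WORK" case; adding the server's passive port to `forwarded` makes passive mode pass, which is why the passive port range has to be forwarded alongside 21.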

HSishi


Mh, didn't know the telnet tool can be used for such a test too. So again I played around with my router.

First, I have a software firewall on my PC to avoid outgoing connections initiated by malware.
Second, I have an AVM 7390 VDSL router with firewall for incoming connections.
So I have the setup "FTP Client and server are behind separate firewalls".

In my router I can configure forwarding rules for common applications: "FTP-Server", "HTTP-Server", "eMule UDP" & "TCP", "Remote Desktop" and "Exposed host" (aka "DMZ"). And I have an option "Anything else".
I can configure non-standard ports with the "anything else" option only, all other options use predefined standard ports.
For standard ports, the router seems to be able to inspect the packets and handle the traffic in the correct way(s).
And here's the catch: If an application needs more than one non-standard port for the connection, you have to define more than one port in the forwarding rule, or, if the ports are spread into different ranges, even more than one forwarding rule.
Instead of multiple small forwarding rules you can define one very large range but you shouldn't because of security risks; you might include ports which you do NOT want to make accessible.

I have a FTP server on my NAS which should be accessible from web, using the default port(s). So the forwarding rule simply is: "Make the FTP-Server on the NAS accessible". With this, my router handles all incoming and outgoing FTP traffic to and from the NAS.

I modified the forwarding rule to "Make port 21 on the NAS accessible". See the difference? The router didn't know it's an FTP server anymore, it just translated the ports and didn't bother with inspecting the data packets.
Result: I got timeouts because the router discarded the replies of my server.
Another modification to "Make ports 21+22 on the NAS accessible" made the FTP connection working again.

Now we have a non-standard setup: jorbit1 wants to make an FTP server accessible but not with the standard setup (port 21+), he/she (?) wants to use port 1025. So the router doesn't know it's an FTP server connection the router can manage, it's "anything else" and, as we now know, just translating 1025 <-> 21 isn't enough, you need the additional translation 1026 <-> 22.

So the forwarding rule for this non-standard setup is "Make the ports 21+22 on the NAS accessible as ports 1025+1026."

@ Jorbit1: I checked the MI424-WR manual. Unfortunately the PDF manual I found just shows "empty" configuration forms, no further examples. Anyway, you should be able to define this two-ports forwarding rule. If you cannot define more than one port in the same rule, use a second rule for the second port.

Hope this helps.

//HSishi
« Last Edit: July 04, 2010, 12:34:26 AM by HSishi »

fordem



You've missed the point made by two different people - the direction of the connection - incoming or outgoing - is critical; incoming connections need to have the port forwarded, outgoing connections do not.  Passive ftp has both connections made from the client to the server, so port forwarding for both is required at the server side.  Active ftp has one connection made from each end, so port forwarding is required for one at the server side.

Additionally - even though port forwarding of both connections IS required when passive mode is used - the current_port + 1 rule no longer applies.
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

jorbit1


Hi All,

I'd like to thank everyone for their input on this issue. I've had some time to investigate all your suggestions and through that discovered that the router was faulty. I opened up every port I could find on the router and then put my nas in the DMZ (which from what I understand is completely exposed to outside networks). I then visited canyouseeme.org to verify and none of the ports I forwarded were open. Since this was the first time I've ever used any type of port scanning tool I wasn't sure that my results were valid (I thought maybe I goofed something). I then downloaded nmap, which is a more complex network exploration tool, but after a while I was able to figure out that my ports were indeed closed. I then visited the manufacturer's website for the router and downloaded the latest firmware and reset the router to factory default. I then ran nmap again after forwarding port (21) on the router. Lo and behold, after all that I was able to connect to my nas via the dlink dns entry (wan).

I'm very grateful for everyone's insight, I know this would've taken me a very long time to figure out on my own, now I can go and enjoy the rest of holiday weekend.

Happy 4th of July !!!

Jimmy

Final Setup
FTP server
-Status    Started
-Port    21
-Max. User    1
-Flow Control    Unlimited
-Idle Time    2
-Client Language    Western European
-SSL/TLS connection    Yes
-Passive Mode    55536~55663
Router
-Port 21 Forwarded for NAS IP
FTP Client (Filezilla)
-Active Mode
-- Send FTP keep alive command (not sure if makes a difference but its checked)
-- Limit ports used by Filezilla (55536-55663)
-- active IP mode - ask your operating system for external ip
PS I haven't had a chance to test passive mode nor any other ports (ex.1025), I'll continue to work on it and post my results at a later time.


liammaps2010


Hi All,

I've been trying to work through some ftp problems I've been having with my nas (dlink 323). I'm able to use filezilla or any ftp program to connect to my nas via IP (local 192.168.x.x) from within my LAN no problem. I registered a domain entry with dlink dynamic dns and have it pointing at my wan ip (IP address given to me by ISP 96.250.xxx.xxx). I then entered my ddns setting for the nas (tools-->ddns). On my router I've added a port forwarding rule which sends all requests on port 21 to my nas. Now from within my LAN I am unable to connect to my nas via any ftp program through the dlink dynamic dns entry (xxx.dlinkddns.com). I've read through the forums and they've mentioned some routers are not able to loopback, which is perfectly fine; I really don't want ftp access from within my LAN via the ddns entry, IP works great. Now I would like access from outside my network via the ddns entry. Every time I try to connect I get the following error message
 

I've read through many threads trying to figure this one out and I'm completely stumped; any help would be appreciated.

Thanks,
Jimmy

It took me a while to get mine working. I could access my FTP from within my network using TLS encryption or SSL.

The only way I am able to access my FTP externally is without using any encryption and in passive mode.

You need to set up your DNS-323 on a static IP so that your router can hand off the FTP requests to it on port 21. Make sure you have the latest firmware.

I can't get WinSCP to work externally, but FireFTP works internally and externally.

gunrunnerjohn


I could never get encryption working externally either, don't know what the hangup was.  Works fine locally on the LAN.
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.