This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problems setting up Passive FTP...

Raiden is running on a win2k box with IIS.  I can't seem to get pasv to work.  When my client logins it says entering Passv and then hangs.  You can't do a directory listing or send file.

thanks for your help!

Firewall: ASL 4.0.07
FTP Software: RaidenFTP

RaidenFTP Info
Source Port: 7200
Use data port range: 1501-1600

ASL Info
networks Defined:
Private Web Server: 192.168.10.3
WAN_Interface__:  IP From Cable Modem

Services Defined:
FTP-Control     tcp       sport: 1024:65535       dport: 7200
FTP-Data     tcp       sport: 1024:65535       dport: 1501:1600

DNAT Rules:
Private Web Server FTP-Control   Any -> WAN_Interface__ / FTP-Control   None   Private_Web_Server
Private Web Server FTP-Data   Any -> Private_Web_Server / FTP-Data   None   Private_Web_Server

Packet Filter Rules:
From: Any        Service: FTP-Control          To: Private_Web_Server         Action: Allow
From: Any        Service: FTP-Data          To: Private_Web_Server         Action: Allow

Raiden Log file:
66.192.x.x ftpusername default 2003/11/21:11:30:07 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:30:23 e "PASV accept failed (15 seconds timeout), no one connects to me at ip:66,57,18,222 port:1502"
66.192.x.x ftpusername default 2003/11/21:11:31:42 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:31:58 e "PASV accept failed (15 seconds timeout), no one connects to me at ip:66,57,18,222 port:1502"
66.192.x.x ftpusername default 2003/11/21:11:37:43 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:37:59 e "PASV accept failed (15 seconds timeout), no one connects to me at ip:66,57,18,222 port:1502"
66.192.x.x ftpusername default 2003/11/21:11:40:17 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:40:34 e "PASV accept failed (15 seconds timeout), no one connects to me at ip:66,57,18,222 port:1502"
127.0.0.1 ftpusername default 2003/11/21:11:42:04 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:49:23 l "succeeded"
66.192.x.x ftpusername default 2003/11/21:11:49:39 e "PASV accept failed (15 seconds timeout), no one connects to me at ip:66,57,18,222 port:1502"

ASL Filter LiveLog:

11:40:18 66.193.218.253 54976  ->  66.57.18.222 1502 TCP SYN
11:42:44 66.193.218.253 56417  ->  66.57.18.222 1502 TCP SYN
11:42:47 66.193.218.253 56417  ->  66.57.18.222 1502 TCP SYN
11:42:53 66.193.218.253 56417  ->  66.57.18.222 1502 TCP SYN

ASL Filter Log file:
Nov 21 11:40:09 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=31319 DF PROTO=TCP SPT=54976 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:40:12 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=31334 DF PROTO=TCP SPT=54976 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:40:18 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=31397 DF PROTO=TCP SPT=54976 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:42:44 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=32344 DF PROTO=TCP SPT=56417 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:42:47 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=32370 DF PROTO=TCP SPT=56417 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:42:53 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=32420 DF PROTO=TCP SPT=56417 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:51:49 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33933 DF PROTO=TCP SPT=60742 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:51:52 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33936 DF PROTO=TCP SPT=60742 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 21 11:51:58 (none) kernel: TCP Drop: IN=eth4 OUT=  SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=33937 DF PROTO=TCP SPT=60742 DPT=1502 WINDOW=64240 RES=0x00 SYN URGP=0

Things I've done to try to fix it:

Obviously the packets are getting dropped.  I'm not sure why.  I have tried turning on a rule at the top of my rules list that says any any any allow.  This didn't make any difference.

Entire list of packet filter rules:
  2  Wireless_Network PPTP WDMZ_Interface__ Allow
  3  Wireless_Network { netbios } WDMZ_Interface__ Drop
  4  Wireless_Network Any Any Drop
  5  Any ping-request WAN_Interface__ Drop
  6  { Private_Networks_-_RFC1918 } Any WAN_Interface__ Drop
  7  Any Any Internet_Broadcast Drop
  8  Any Any WAN_Broadcast__ Drop
  9  Any Any DMZ_Broadcast__ Drop
  10  Any Any WDMZ_Broadcast__ Drop
  11  Any Any LAN_Broadcast__ Drop
  12  Any SMTP Private_Mail_Server Allow
  13  Any IMAP Private_Mail_Server Allow
  14  Any POP3 Private_Mail_Server Allow
  15  Any Microsoft - TS Private_Web_Server Allow
  16  Any HTTP Private_Web_Server Allow
  17  Any HTTPS Private_Mail_Server Allow
  18  Any HTTP Proxy WAN_Interface__ Allow
  19  Private_Mail_Server DNS Any Allow
  20  Private_Mail_Server SMTP Any Allow
  21  Private_Web_Server DNS Any Allow
  22  Private_Web_Server HTTP Any Allow
  23  Any FTP-Control Private_Web_Server Allow
  24  Any FTP-Data Private_Web_Server Allow
  25  LAN_Network__ Any Any Allow
  26  Any Any Any Log Drop

This thread was automatically locked due to age.

Parents

0 AJo over 21 years ago

Can't see any logical explanation based on the logs ... just some wild guesses =)

I suppose you have set up a SNAT or MASQ rule as well...  [:)]

Now the guessing part...
Are you able to define a static passive address in Raiden? Never used Raiden. But I'd guess that Raiden will return its internal address as the passive address as default. What you want is to have it use the external address as passive as well.

Unless you want to hack the conn track... I think there was a discussion about that in some other thread.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 AJo over 21 years ago

Can't see any logical explanation based on the logs ... just some wild guesses =)

I suppose you have set up a SNAT or MASQ rule as well...  [:)]

Now the guessing part...
Are you able to define a static passive address in Raiden? Never used Raiden. But I'd guess that Raiden will return its internal address as the passive address as default. What you want is to have it use the external address as passive as well.

Unless you want to hack the conn track... I think there was a discussion about that in some other thread.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 uncue75 over 21 years ago in reply to AJo

The DMZ zone has a masq rule.  I'm actually post this from that box.  I've listed all the raiden settings I can change from the gui.  When you go do the server status in the gui, it lists two addresses.

address: my external IP
LAN IP: 192.168.10.2 which is my server's address.

I'm not using some type of dyndns.  I have an SOA record ftp.mydomain.com pointing to my external internet address.  I don't see a place to edit a static passive address.

Any reason why when my ftp client tries to connect to one of the data ports in hte range 1501-1600 the firewall drops the packet.  I think this is where the problem is, I just can't figure out why it's doing it.  even when I have an any any any allow rule enabled.

rule filter log:
Nov 21 11:40:09 (none) kernel: TCP Drop: IN=eth4 OUT= SRC=66.192.x.x DST=66.57.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=31319 DF PROTO=TCP SPT=54976 DPT=1502

client: 66.192.x.x
Server: 66.57.x.x

describe what you mean by hack the conn track?

Thanks for your help!

FTP setup info:
[FTPD]
SERVER_NAME=ftp
SERVER_IP=ftp.mydomain.com
DYN_IP_HOST=
LISTEN_PORT=7200
SSL_PORT=0
SSL_PORT_EXP=0
SSL_VER=0
ALLOW_ANON=0
USE_ANON_MAX=0
ANON_MAX=8
USE_USER_MAX=1
USER_MAX=32
USE_MAXUSER_PER_IP=1
MAXUSER_PER_IP=1
IPCHK=0
IPCHK_DATA=0
PASV_IP_ROLLING=0
XTRA_IPS=
XCLU_IPS=
AUTO_CHOOSE_IP=1
VFSFILE=d:\Program Files\RaidenFTPD\default.vfs
USRFILE=d:\Program Files\RaidenFTPD\default.user
IPFILE=d:\Program Files\RaidenFTPD\default.allow
USE_DATAPORT_RANGE=1
PORT_FROM=1501
PORT_TO=1600
TIMEOUT=600
OUTLIMIT=0/0
OUTLIMIT_RECORD=0/0
INLIMIT=0/0
INLIMIT_RECORD=0/0
SHOWHIDDEN=1
MSG=1
LOG=1
LOGNAME=daily
ENCRYPT_LOG=0
UTF8_LOG=1
DIRMSG=0
DIRMSGFILE=
USE_MEM_DB=0
DUPECHK=0
DUPECHKDB=
DUPECHKSHOWFULL=0
OVERWRITE_COMPLETE=1
DNS_LOOKUP=1
SFV_CHK=1
ZIP_CHK=1
SHOW_ITEM_NO_R=0
ANTI_NOOP=1
ANTI_HAMMER=0/10/3/60
GLOBAL_DLSPD=0
GLOBAL_ULSPD=0
ODBC_ENABLED=0
ODBC_USERDB=0
ODBC_CMDLOG=0
ODBC_DLLOG=0
ODBC_ULLOG=0
ODBC_DIRLOG=0
ODBC_EVENTQUEUE=0
ODBC_SERVERSTATS=0
ODBC_DSN=raidenodbc
ODBC_USR_TABLE=users
onNewDir=
onDelDir=
onDeledDir=
onMoveDir=
onUserConnect=
onUserLogin=
onUserLoginFailed=
onSmartBan=
onUserLogout=
onFileUploaded=
onFileUploadFailed=
onSfvUploaded=
onSfvFailed=
onSfvSuccess=
onSfvPreDelete=
onSfvComplete=
onFileDownloaded=
onFilePreUpload=
onFilePreDownload=
onFilePreDelete=
onFileDeleted=
onMp3Uploaded=
onZipUploaded=
onEveryDay=
onPreCwd=
onNukeDir=
onUnNukeDir=
onSiteCmd=
onSiteCmd2=
onSiteCmd3=
onSiteCmd4=
BOUNCERIP=
VLS_FORWARD_CLNT_IP=0
EXCEPT_SITE_CMD_R=
EXCEPT_SITE_CMD_S=
EXCEPT_SITE_CMD_N=
EXCEPT_SITE_CMD_G=
Cancel
Vote Up 0 Vote Down

Cancel
0 AJo over 21 years ago in reply to uncue75

[ QUOTE ]
describe what you mean by hack the conn track?

[/ QUOTE ]See this thread: Problem opening 6969-7169

I know what you are trying to do can be done... since I'm doing it myself without any conn track hacks. By using DNAT for ftp control and ftp data (range) to a internal glftpd server. And corresponding SNAT rules.
Cancel
Vote Up 0 Vote Down

Cancel