firewall problem with ftp

Now that I am on a DSL I take firewall based security more seriously. However, my ftp programs are giving me fits. Neither cuteFTP nor FileZilla will work properly - I get a failure to logon msg back from my ftp server. This is clearly a firewall (Win XP) issue because this problem goes away and I can login fine when I simply disable the firewall (via Wscui.cpl). I have a suspicion that some handshake verification or authorization transfer back from the ftp site is being blocked.

Never had this problem with my dialup.

I have used netstat and tasklist to determine the ports being used by cuteFTP and have tried making its primary port an exception on the firewall list. I have also tried putting the ftp program itself on the firewall exception list. Neither helped. Yes, the ftp program does use some other ports above 1024, but since these are variable, trying to add them to a port exception(s) list is not going to work.

Anyone out there perhaps have a suggestion for getting deeper into this issue and zeroing in on the problem? Are there, for example, some secondary Windows programs required for ftp that I need to put on an exception list?

Machine - AMD athlon dual; Windows XP-SP2, FIREFOX and/or Netscape browser, ATT DSL; ftp apps tried are: cuteFTP, FileZilla, ATT ftp.

Thanks!! Dr. Bob

Dr. Bob

"Dr. Bob" wrote in news:sUjah.364588 $ snipped-for-privacy@bgtnsc04-news.ops.worldnet.att.net:

Most FTP clients have a setting to enable passive mode. This may work for you.

John Gray

Thank you, John -

Yes, that is my current sett>>

Dr. Bob

Did you check whether the server you're connecting to does support passive mode?

Try running a sniffer to see what data is actually transmitted.

cu

59cobalt
Ansgar -59cobalt- Wiechers

"Dr. Bob" wrote in news:mCnah.108395 $ snipped-for-privacy@bgtnsc05-news.ops.worldnet.att.net:

I was hoping that would get it for you. I've used PASV mode on Internet Explorer and GetRight for some time. This was with ZoneAlarm on Win95a.

I'm currently using the latest GetRight on WinXp Pro SP2 with Sygate Personal as the software firewall. I'm also behind a NAT router and have no problems at all. I don't like Windows Firewall at all.

John Gray

For a good sniffer try Ethereal - be sure to install WinPcap.

john smith

You're running Sygate Personal Firewall. I'd consider this a very serious problem, both for security and stability.

And why?

Sebastian Gottschalk

You sure the ISP is going to allow FTP on its network?

Duane :)

Mr. Arnold4

I didn't read that part well up above. The XP FW doesn't block outbound, only inbound. So, that does seem like the culprit.

If you were on dial-up, were you using the XP FW then?

I doubt it. What ports are these FTP programs using?

Duane :)

Mr. Arnold4

Blocking inbound traffic in conjunction with stupid protocols like FTP, well that's pretty likely the problem.

Sebastian Gottschalk

Ethereal was renamed to Wireshark [1] almost half a year ago. WinPcap is included with the Windows installer.

[1]
cu 59cobalt
Ansgar -59cobalt- Wiechers

There are far more reasons to dislike Sygate than there are to dislike the Windows-Firewall. Sygate opens ports (probably for IPC) on all interfaces, and also runs an interactive service with SYSTEM privileges, which probably makes it vulnerable to Shatter Attacks.

And just because Leythos will surely come up with this really stupid "argument" again: yes, the Windows-Firewall allows a user to place exceptions in it, provided the user has ADMINISTRATOR privileges. In which case every other personal firewall will fail as well at preventing a malicious user (or malware) from poking holes in it.

A system cannot be protected from its administrator. Any attempt at that will either fail or result in the administrator no longer being the administrator.

cu

59cobalt
Ansgar -59cobalt- Wiechers

I'd still recommend getting the latest WinPcap (4.0 beta 2).

Sebastian Gottschalk

First of all - thanks to all of the above for the helpful suggestions. Yes, it is an inbound verification block in all likelihood. I have a work-around for the moment. I will be happy to have additional comments and suggestions if anyone has dealt with similar issues of their own.

The excellent ftp overview by Mike Gleason is a valuable resource and as soon as I fully understand it I think the solution will be apparent. Unfortunately, I (and many others evidently) think it is a Windows XP firewall implementation issue that may relate in part to how specific ftp sites deal with ephemeral port assignments and may thus go deeper than settings adjustments at my end.

Keep on.......

Sebastian Gottschalk wrote:

Dr. Bob
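
The thread's advice to sniff the session comes down to reading the FTP control channel: the `PORT` command and the `227`/`229` replies say which side listens for the data connection and on which ephemeral port. The following is an added example, not code from any poster in this thread; the captured lines and addresses are constructed for illustration.

```python
import re

# Constructed control-channel lines as a sniffer would show them
# ("C" = sent by client, "S" = sent by server); addresses are examples.
ACTIVE = [("C", "PORT 192,168,1,10,19,137"), ("S", "200 PORT command successful.")]
PASSIVE = [("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,5,195,80)")]
EXTENDED = [("C", "EPSV"), ("S", "229 Entering Extended Passive Mode (|||6446|)")]

SIX = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 into (address, port); port = p1*256 + p2."""
    m = SIX.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]


def data_channels(lines):
    """List each negotiated data channel and who must accept the connection."""
    out = []
    for side, text in lines:
        verb = text.split(" ", 1)[0].upper()
        ep = None
        if side == "C" and verb == "PORT":
            ep, mode = endpoint(text), "active"
        elif side == "S" and verb == "227":
            ep, mode = endpoint(text), "passive"
        elif side == "S" and verb == "229":
            m = EPSV.search(text)
            ep, mode = ((None, int(m.group(1))) if m else None), "passive"
        if ep:
            out.append({
                "mode": mode,
                "addr": ep[0],  # None: same host as the control connection
                "port": ep[1],
                # Active mode: the server dials in, so the client's firewall
                # sees a new inbound TCP connection to an ephemeral port.
                "inbound_to_client": mode == "active",
            })
    return out


if __name__ == "__main__":
    for capture in (ACTIVE, PASSIVE, EXTENDED):
        print(data_channels(capture))
```

A capture that shows `PORT` from the client means the data connection arrives inbound and is subject to the client firewall's inbound rules; `227` or `229` from the server means the client opens it outbound.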
