| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi All,

Concerns: VPN-1/FW-1 NG R55

Problem: extended passive FTP blocked by firewall

Symptoms: The client initiates an FTP connection (from port X to port 21). When the client issues the 'ls' command, the server asks the client to enter extended passive mode. In the meantime, the server indicates a high port number Y to be used. The client initiates a new connection from port X+1 to port Y. This last connection is not recognized and is dropped by the 'cleanup' rule.

What has been done: Allowing FTP or FTP-pasv or FTP-dir or FTP_mapped or FTP_port in the Rule Base does not help. The port Y is not included in the table called tcp_services, and anyway the option 'allow data to all defined services port' is checked.

Any help appreciated!

Thank you,
Jeanse
Hi,

Well, the range of ports that the server uses is dynamic and quite broad, so I would prefer not to use this solution for security reasons. Passive FTP is quite common, so it is surprising that it is dropped by the firewall. Would there be something to modify in the base.def file or in any other configuration file?

Thanks,
Jeanse
Quote:
jeanse: Please check what the default value of the service's protocol type under FTP advanced properties is set to. Use a demo mode GUI connection for this.
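
The exchange described in the first post, as an added example that is not part of the thread or of any Check Point code: a stateful FTP helper opens a single-use pinhole for port Y only if it can parse the server's reply, so the data connection is allowed without opening the broad port range the second post wants to avoid. The `FtpPinholes` class, its `understands_epsv` switch and the sample addresses and port are hypothetical; the thread does not establish that this is the cause on R55.

```python
import re

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def data_endpoint(reply, server_ip):
    """Return the (ip, port) a passive-mode reply announces, or None."""
    m = PASV_RE.match(reply)
    if m:
        o = [int(x) for x in m.groups()]
        if max(o) > 255:
            return None
        return ".".join(map(str, o[:4])), o[4] * 256 + o[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))  # EPSV carries only a port, no address
        return (server_ip, port) if 0 < port <= 65535 else None
    return None

class FtpPinholes:
    """Hypothetical stateful helper: one expected data connection per reply."""
    def __init__(self, understands_epsv):
        self.understands_epsv = understands_epsv
        self.expected = set()  # (client_ip, server_ip, server_port)

    def control_reply(self, client_ip, server_ip, reply):
        if reply.startswith("229") and not self.understands_epsv:
            return  # reply not recognised, so no pinhole is opened
        ep = data_endpoint(reply, server_ip)
        if ep:
            self.expected.add((client_ip, ep[0], ep[1]))

    def data_syn(self, client_ip, dst_ip, dst_port):
        key = (client_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # pinhole is single use
            return "accept"
        return "drop"  # nothing expected: falls to the cleanup rule

# Constructed sample values (documentation address ranges, made-up port).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||51234|)"

def replay(understands_epsv, reply=EPSV_REPLY, port=51234):
    fw = FtpPinholes(understands_epsv)
    fw.control_reply(CLIENT, SERVER, reply)
    return fw.data_syn(CLIENT, SERVER, port), fw.data_syn(CLIENT, SERVER, port + 1)
```

`replay(False)` reproduces the symptom from the first post (the connection to port Y is dropped), while `replay(True)` accepts port Y once and still drops every other high port.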