FTPS, firewall and ports


George
Guest

FTPS, firewall and ports

Hi,

I'm using WinSCP (version 4.2.3 (build 494)) from an ASP.NET console app, connecting to an FTPS server behind a firewall. The trouble I'm facing is: when I open only ports 990 (SSL) and 21 (FTP) for the corresponding IP it doesn't connect; I get a timeout error. If I open all ports it's fine, of course, but I can't have all the ports open, it's a very sensitive server. I've run some tests with a sniffer and got erratic behaviour: every single session I've opened has used different ports to "talk" to the server and back, started with 4700 then went to 4913 and so on. I'm not sure if this is because of WinSCP or is generated by the remote FTP server. I don't have any control over the remote server and I'm not sure what they are using there.
Any ideas?

Thanks in advance
George



martin
Site Admin

Re: FTPS, firewall and ports

With the FTP protocol in the default active mode, the server initiates a connection back to the client to transfer data. If you want to avoid that, switch to passive mode.


Guest

Re: FTPS, firewall and ports

Hi Prikryl

Thank you so much for looking at this request. I think I'm already using passive mode:

"open username:password@ftp.mydomain.com -implicit -passive"

Isn't "-passive" doing just that?

Cheers
George


martin
Site Admin

Re: FTPS, firewall and ports

Please post a full log file showing the problem.

To generate a log file, enable logging, log in to your server and do the operation and only the operation that causes the error. For posting extensive logs you may use pastebin or a similar application. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you may email it to me. You will find my address (if you log in) in my forum profile. Please include a link back to this topic in your email. Also note in this topic that you have emailed the log.


George
Guest

Re: FTPS, firewall and ports

martin wrote:

Please post a full log file showing the problem.

Hi Prikryl,

I've closed off ports on the server, keeping only 990 and 21 open as well as 4090 (picked at random). Then I tried to log in to the remote FTP server and here's the log:

. 2010-02-23 11:45:44.796 --------------------------------------------------------------------------
. 2010-02-23 11:45:44.796 WinSCP Version 4.2.3 (Build 494) (OS 5.2.3790 Service Pack 2)
. 2010-02-23 11:45:44.796 Login time: Tuesday, 23 February 2010 11:45:44 AM
. 2010-02-23 11:45:44.796 --------------------------------------------------------------------------
. 2010-02-23 11:45:44.796 Session name: name
. 2010-02-23 11:45:44.796 Host name: ftp.DOMAIN.COM (Port: 990)
. 2010-02-23 11:45:44.796 User name: UNAME (Password: Yes, Key file: No)
. 2010-02-23 11:45:44.796 Tunnel: No
. 2010-02-23 11:45:44.796 Transfer Protocol: FTP
. 2010-02-23 11:45:44.796 Ping type: C, Ping interval: 30 sec; Timeout: 150 sec
. 2010-02-23 11:45:44.796 Proxy: none
. 2010-02-23 11:45:44.796 FTP: FTPS: Implicit SSL/TLS; Passive: Yes [Force IP: No]
. 2010-02-23 11:45:44.796 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2010-02-23 11:45:44.796 Cache directory changes: Yes, Permanent: Yes
. 2010-02-23 11:45:44.796 DST mode: 0
. 2010-02-23 11:45:44.796 --------------------------------------------------------------------------
. 2010-02-23 11:45:44.984 Connecting to ftp.DOMAIN.com:990 ...
. 2010-02-23 11:45:45.203 Connected with ftp.DOMAIN.com:990, negotiating SSL connection...
. 2010-02-23 11:45:45.421 SSL connection established. Waiting for welcome message...
< 2010-02-23 11:45:45.421 220-Microsoft FTP Service
< 2010-02-23 11:45:45.421 220 Company name FTP Service
> 2010-02-23 11:45:45.421 USER UNAME
< 2010-02-23 11:45:45.453 331 Password required for UNAME.
> 2010-02-23 11:45:45.453 PASS ********
< 2010-02-23 11:45:45.546 230-Authorised Users Only.
< 2010-02-23 11:45:45.546 230 User logged in.
> 2010-02-23 11:45:45.546 SYST
< 2010-02-23 11:45:45.593 215 Windows_NT
> 2010-02-23 11:45:45.593 FEAT
< 2010-02-23 11:45:45.625 211-Extended features supported:
< 2010-02-23 11:45:45.703 LANG EN*
< 2010-02-23 11:45:45.703 UTF8
< 2010-02-23 11:45:45.703 AUTH TLS;TLS-C;SSL;TLS-P;
< 2010-02-23 11:45:45.703 PBSZ
< 2010-02-23 11:45:45.703 PROT C;P;
< 2010-02-23 11:45:45.703 CCC
< 2010-02-23 11:45:45.703 HOST
< 2010-02-23 11:45:45.703 SIZE
< 2010-02-23 11:45:45.703 MDTM
< 2010-02-23 11:45:45.703 REST STREAM
< 2010-02-23 11:45:45.703 211 END
> 2010-02-23 11:45:45.703 OPTS UTF8 ON
< 2010-02-23 11:45:45.703 200 OPTS UTF8 command successful - UTF8 encoding now ON.
> 2010-02-23 11:45:45.703 PBSZ 0
< 2010-02-23 11:45:45.703 200 PBSZ command successful.
> 2010-02-23 11:45:45.703 PROT P
< 2010-02-23 11:45:45.734 200 PROT command successful.
. 2010-02-23 11:45:45.734 Connected
. 2010-02-23 11:45:45.734 --------------------------------------------------------------------------
. 2010-02-23 11:45:45.734 Using FTP protocol.
. 2010-02-23 11:45:45.734 Doing startup conversation with host.
> 2010-02-23 11:45:45.734 PWD
< 2010-02-23 11:45:45.765 257 "/remotefolder" is current directory.
. 2010-02-23 11:45:45.781 Getting current directory name.
. 2010-02-23 11:45:45.781 Retrieving directory listing...
> 2010-02-23 11:45:45.781 TYPE A
< 2010-02-23 11:45:45.812 200 Type set to A.
> 2010-02-23 11:45:45.812 PASV
< 2010-02-23 11:45:45.859 227 Entering Passive Mode (XXX,XX,XXX,XX,19,54).
> 2010-02-23 11:45:45.859 LIST -a
< 2010-02-23 11:45:45.906 150 Opening ASCII mode data connection.
. 2010-02-23 11:45:46.859 Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
. 2010-02-23 11:45:46.875 Could not retrieve directory listing
> 2010-02-23 11:46:15.921 REST 0


Please note I've removed the IP (the XXXs) and other sensitive info. Thanks again and much appreciated.

George

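The log above shows why the control channel works while the listing fails: the 227 reply carries the server's data-channel address in h1,h2,h3,h4,p1,p2 form, and (19,54) decodes to port 19*256 + 54 = 4918, which was not among the ports left open, hence "actively refused". The script below is an added example (not WinSCP, IIS or anyone's code from this thread) that decodes PASV, EPSV and PORT lines from a WinSCP-style log, tells you which side opens each data connection (the active/passive distinction martin describes), and checks each port against a firewall allow-list. The log lines, the 203.0.113.5 / 192.0.2.10 addresses and the host name ftp.example.test are constructed for the example.

```python
"""Decode the data-channel addresses an FTP session negotiates and check them
against a firewall allow-list.  Added example for this thread, not WinSCP or
IIS code; the log lines and addresses below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# WinSCP log lines carry a direction marker: '>' sent by the client, '<' received
# from the server, '.' WinSCP's own notes.  Only the first two carry protocol text.
LOG_LINE = re.compile(r"^([<>])\s+\S+\s+\S+\s+(.*)$")
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_REPLY = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class DataChannel:
    mode: str      # "passive": client connects out; "active": server connects back in
    host: str      # peer of the data connection (server for passive, client for active)
    port: int      # TCP port the data connection will use
    allowed: bool  # whether the relevant firewall allow-list permits it


def hostport(fields: Iterable[str]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PASV replies and PORT commands.
    The port is p1*256 + p2, so (19,54) as in the log above is 19*256 + 54 = 4918."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV/PORT fields must be single bytes")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(log_lines, egress_ports, ingress_ports, control_host):
    """Walk a control-channel log and return every data channel it negotiated.

    egress_ports:  server ports the client-side firewall lets the client reach (passive mode).
    ingress_ports: client ports the server is allowed to connect back to (active mode).
    control_host:  host of the control connection; EPSV replies carry only a port.
    """
    found = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # WinSCP's own notes and anything else that is not protocol text
        direction, text = m.groups()
        if direction == "<":
            r = PASV_REPLY.match(text)
            if r:
                host, port = hostport(r.groups())
                found.append(DataChannel("passive", host, port, port in egress_ports))
                continue
            r = EPSV_REPLY.match(text)
            if r:
                port = int(r.group(1))
                found.append(DataChannel("passive", control_host, port, port in egress_ports))
        else:
            r = PORT_CMD.match(text)
            if r:
                host, port = hostport(r.groups())
                found.append(DataChannel("active", host, port, port in ingress_ports))
    return found


def blocked_ports(channels):
    """Ports the firewall would refuse; each one is a transfer that fails or times out."""
    return [c.port for c in channels if not c.allowed]


# Constructed sample, modelled on the log above with the masked server address
# replaced by a documentation address (RFC 5737); the EPSV and PORT lines are
# added to show the other two forms.
SAMPLE_LOG = """\
> 2010-02-23 11:45:45.812 PASV
< 2010-02-23 11:45:45.859 227 Entering Passive Mode (203,0,113,5,19,54).
> 2010-02-23 11:45:45.859 LIST -a
< 2010-02-23 11:45:45.906 150 Opening ASCII mode data connection.
. 2010-02-23 11:45:46.859 Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
> 2010-02-23 11:45:47.000 EPSV
< 2010-02-23 11:45:47.050 229 Entering Extended Passive Mode (|||4090|)
> 2010-02-23 11:45:48.000 PORT 192,0,2,10,18,68
< 2010-02-23 11:45:48.050 200 PORT command successful.
""".splitlines()

# The ports left open towards the server in the post above, and nothing open inbound.
EGRESS_OPEN = {21, 990, 4090}
INGRESS_OPEN: Set[int] = set()

if __name__ == "__main__":
    for c in data_channels(SAMPLE_LOG, EGRESS_OPEN, INGRESS_OPEN, "ftp.example.test"):
        who = "client -> server" if c.mode == "passive" else "server -> client"
        print(f"{c.mode:7} {who} {c.host}:{c.port} {'allowed' if c.allowed else 'BLOCKED'}")
```

Two points the output makes concrete. First, with PROT P in effect (as in the log) the PASV reply travels inside TLS, so a firewall's FTP helper cannot read it and open the data port on the fly; the server's whole data-channel port range has to be allowed statically, which is what the later post about the IIS "Data Channel Port Range" setting amounts to. Second, the decoded port 4918 is the number to check against whatever range you think the server uses before opening it.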


George
Guest

Re: FTPS, firewall and ports

Hi Prikryl,

I think I've answered my own question, after reading some very interesting "IIS literature".
The remote FTP server has a "Data Channel Port Range", which I'm guessing will be 4900-4910, and those ports need to be open in the firewall.

Cheers
George

