FTP hosting

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

Postby Remco79 » Oct 10 03 8:14 am

Hello

I have an FTP site (IIS) running on the WinGate server (w2k pro SP4).
(Non-proxy traffic is redirected via the FTP proxy to the port the FTP server is running on.)
Is it possible with WinGate/ENS to block incoming traffic on ports 1024-5000 and also use passive FTP?

(ref: http://grc.com/port_1024.htm)
Remco79
 
Posts: 9
Joined: Oct 02 03 10:13 am

Postby adrien » Oct 10 03 1:41 pm

It should be possible. If you wish to use PASV to connect to the FTP server from the outside, with many FTP servers you can specify the port number to use; then you simply open this port on the firewall.
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Remco79 » Oct 11 03 4:36 am

I'm using IIS 5.0, which (I think) cannot be configured to use alternate PASV FTP data ports.

From http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html:
(...)
Client: PASV
( The client is asking where he should connect. )
Server: 227 Entering Passive Mode (172,16,3,4,204,173)
( The server replies with port 52397 on IP address 172.16.3.4. )
Client: LIST
Server: 150 Data connection accepted from 172.16.3.4:52397; transfer starting.
( The client has now connected to the server at port 52397 on IP address 172.16.3.4. )

(...)

Solution 2: The network administrator of the server network can consult the firewall vendor's documentation to see if FTP connections can be dynamically monitored and ports dynamically opened when a passive FTP connection is detected. This is similar to what intelligent network address translation software can do on the client side for PORT -- the FTP control connections are monitored, and when a packet containing "PASV" from an FTP session is detected, the firewall can automatically open the port.

Using our PASV example above, when the FTP server replies to the PASV request:

Server: 227 Entering Passive Mode (172,16,3,4,204,173)

The firewall would then parse the request and find that the client will be instructed to connect to port 52397 on the address 172.16.3.4. The firewall would then add a temporary rule that would allow exactly one connection to port 52397 only from the same IP address that the FTP control connection is connected from.
(...)


Can WinGate be configured to handle these requests as described above?

Regards,
Remco
Remco79
 
Posts: 9
Joined: Oct 02 03 10:13 am
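
The dynamic port opening quoted in the post above, as an added example that is not part of the thread and is not WinGate's code: it parses the 227 reply, derives the data port as p1*256 + p2, and admits exactly one data connection from the control connection's client address. The `PinholeTable` class, its `ttl` expiry and the check that the advertised address is the protected server are assumptions made for illustration.

```python
import re

# A 227 reply carries h1,h2,h3,h4,p1,p2; the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class PinholeTable:
    """Hypothetical tracker of temporary allow rules for PASV data ports."""
    def __init__(self, server_ip, ttl=30.0):
        self.server_ip = server_ip  # address of the protected FTP server
        self.ttl = ttl              # assumed lifetime of an unused rule, in seconds
        self.rules = {}             # port -> (client_ip, expiry)

    def on_control_reply(self, client_ip, line, now):
        """Inspect a server-to-client control line; add a rule on a valid 227."""
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return None
        ip, port = parsed
        # Open ports only on the protected server, never on whatever
        # address the reply happens to name.
        if ip != self.server_ip:
            return None
        self.rules[port] = (client_ip, now + self.ttl)
        return port

    def allow_data_connection(self, src_ip, dst_port, now):
        """Permit one connection, only from the control connection's peer."""
        rule = self.rules.get(dst_port)
        if rule is None:
            return False
        client_ip, expiry = rule
        if now > expiry:
            del self.rules[dst_port]
            return False
        if src_ip != client_ip:
            return False
        del self.rules[dst_port]  # one-shot: the rule is consumed on first use
        return True
```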

Postby adrien » Oct 11 03 4:38 pm

It does do this, but not for inbound to the local machine using PASV, unfortunately.

If you were running the FTP server on another machine, and used an ENS redirect to get to it, then it would work, but connections up to the local stack are not filtered after they have passed a security check.

If you can configure your FTP server to always use the same port to respond to PASV commands (most FTP servers allow you to do this), then you can open that port number in WinGate ENS.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Remco79 » Oct 12 03 2:50 am

(I contacted Microsoft about changing the PASV data port range on IIS5.0. No answer yet...)

Will it be impossible if the server's PASV data listening port range isn't changeable?
Can "another machine" also be the internal interface of the WinGate server?

adrien wrote: "it does do this but not for inbound to the local machine using PASV unfortunately."
Will it maybe be supported in a future version?

(Excuse me for asking so many questions)

Remco
Remco79
 
Posts: 9
Joined: Oct 02 03 10:13 am

Postby adrien » Oct 12 03 4:49 pm

With the current version it would be impossible, unless you open a whole heap of ports that the server may listen on if it will be dynamic.

We will be putting this in for another release.

As for redirecting to another interface, I think it won't create a hash entry for that either... not sure though - you could try.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Remco79 » Oct 13 03 2:28 am

Thank you for your help.

Remco
Remco79
 
Posts: 9
Joined: Oct 02 03 10:13 am

