ftp command line via wingate

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

Postby JML » Aug 25 04 9:13 pm

Hello,

I have trouble using the MS ftp command line utility. The user, pwd and cd commands work fine, but when I submit ls, dir or put commands, the ftp utility hangs after showing a message like "opening ascii mode data connection for ...".

If I don't use WinGate (for example a dialup connection) everything works fine. I'm using WinGate 4.5.1 with ENS enabled, but with standard configuration.

Can I change some settings in WinGate to solve the problem?

Thanks for any suggestions
JML
 
Posts: 1
Joined: Aug 25 04 4:19 am

Postby genie » Aug 26 04 12:48 am

Hi,

Are you running the client from the same machine WinGate is installed on or from one of the client machines?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 09 04 7:05 pm

I am also getting this same problem.
If I setup another machine on the same subnet as the ftp server, it works correctly.

But if I try to connect to the FTP server via wingate, or even on the wingate machine itself, I get this same problem.


I can log into the FTP server OK (shows "WinGate engine FTP Engine ready"), I then log in with the correct user and password on the FTP server (which is a Microsoft server), and it lets me log in.

I can use the pwd command, I can use the cd command to change to a known directory.

BUT use ls or dir, and it will just die.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 09 04 7:06 pm

What version of Wingate are you using?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 09 04 7:11 pm

Wingate 6.0.1

This also has the effect, if you connect via ftp in IE that it will also hang, trying to "get contents of folder"

Connect directly to server, and NOT via wingate, it works perfectly.

It's like there is no return channel of info or something?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 09 04 7:12 pm

Apparently you were trying proxied connection, right? What proxy settings do you have in IE?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 09 04 7:34 pm

I had all IE's proxy set to use Wingate.

But I also set up my PC to go direct, i.e. via NAT.


But I have figured it out. I could see in the WinGate Firewall log window that a reply was coming back via port 1654. So I set up Port Security in Extended Networking to let any port from 1024 to 4096 come into the WinGate (all was denied by default). This works. If I allowed only 21, it wouldn't work. So I denied all again, and it fails, but the port the FTP server replied back on was a different port than 1654 (as above). Next time it came in at 1670, another time 1666.

In my case, I have the FTP in a DMZ. So I only want to allow ONLY ftp port 21 to go out, but this doesn't work. Open all out above 1024, and it does.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 10:49 am

If you use an ftp client from WinGate and the client uses active mode then you do require to open those ports - otherwise WinGate does not know that certain ports should be allowed to listen on.
As of the proxying problem - what OS do you run on the client?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 10 04 12:26 pm

I have tried using the ftp from the DOS command prompt.
I tested on XP, W2k. Same result.

So, in the DMZ, does this mean I HAVE to allow above ports 1024 to be open?
That seems very insecure. Or is that only for what can go OUT of the DMZ, i.e. only port 21 should be coming IN?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 12:33 pm

Well, it is not very secure, I agree - but that's only for DMZ, though.
Another alternative would be using passive mode, which is more secure.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 10 04 12:42 pm

But how can I ensure/force external clients to connect in passive mode?

How can I force the command based ftp to be in passive mode?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 12:46 pm

External clients are of no importance for you if you have your FTP server in the DMZ. If your server is on the WinGate machine, then you need to either have a proxy set up (because the WinGate proxy then controls what ports are to be opened in the firewall in order for clients to use it) or have your server run in active mode only - so the external client will then use active mode and the server will connect to them, automatically opening and closing holes in the firewall.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 10 04 1:01 pm

But having the FTP server in the DMZ still exhibits this problem. Or, I have the DMZ setup wrong.

I can see traffic from the ftp server go through Wingate. Surely that is correct?
Otherwise, any server in the DMZ would be totally open to the Internet. And I can vouch, it takes about 10 minutes for a W2K machine directly connected to the Internet to become compromised.

I thought having the www and FTP servers behind Wingate in the DMZ gave them some protection?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 1:02 pm

Ah! But you have to open those ports for routing them to the DMZ!
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 10 04 1:07 pm

Which brings me full circle: if I don't have ports above 1024 open in the DMZ, then ftp via the command line doesn't work properly when the client connects from the Internet, THROUGH WinGate, to the FTP server in the DMZ.
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 1:09 pm

Hold on a second - wingate is supposed to honor FTP application processing - can you capture traffic from the client and the server and send it to me?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby genie » Sep 10 04 1:13 pm

Correction - I was wrong in my last post - DMZ traffic is not processed as being an application traffic - my comment was incorrect.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby genie » Sep 10 04 1:19 pm

Yes, you have to open those ports - but since they are opened for DMZ traffic only, then the only vulnerable part (and only if you have anything working on these ports on the DMZ machine) would be the DMZ machine itself.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby inthesands » Sep 10 04 1:32 pm

So bottom line, and this is for the original poster of this topic: you need to allow ports above 1024 OUT from your FTP server. Then it will work.


Genie, is there a way of getting an FTP server to always respond within a port range, so I can narrow down the open ports?
inthesands
 
Posts: 36
Joined: Sep 07 04 7:42 pm

Postby genie » Sep 10 04 1:58 pm

Yes - in many FTP servers there is a configurable parameter that at least commands it to use port 20 only for outbound connections - just like the passive mode does.

Just a side note - you can install NetPatrol v1.1 in parallel to your WinGate machine and allow it to block suspicious connections - then even if your DMZ machine is about to be compromised, you have a fair chance to block the intruder before something happens or be notified about the suspicious activities.
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am
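The thread above turns on one point: in active mode the FTP server opens the data connection itself, from port 20 to whatever ephemeral port the client announced in its PORT command (1654, 1670, 1666 in inthesands' firewall log), so a firewall in front of a DMZ server has to allow outbound connections to arbitrary high ports; in passive mode the client connects in to a port the server announces, so only that port needs an inbound allow. The script below is an added example and not code from the thread, from Qbik or from WinGate: it parses a constructed FTP control-channel dialogue (documentation addresses 203.0.113.5 and 192.0.2.10, made up for the example), works out the data connection each transfer needs, states the single allow rule a firewall would require, and checks which data ports fall outside an allow range such as the 1024-4096 range used in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FTP encodes host and port as six comma-separated decimal bytes (RFC 959):
# h1,h2,h3,h4 is the IPv4 address and the port is p1 * 256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataConnection:
    mode: str                # "active" (client sent PORT) or "passive" (server sent 227)
    src_host: str
    src_port: Optional[int]  # None = ephemeral source port chosen at connect time
    dst_host: str
    dst_port: int


def decode_hostport(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_dialogue(lines, client_ip: str, server_ip: str) -> List[DataConnection]:
    """lines: sequence of (side, text), side being "C" (client) or "S" (server).
    Returns one DataConnection per data channel negotiated on the control channel."""
    conns = []
    for side, text in lines:
        if side == "C":
            m = PORT_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Active mode: the SERVER opens the data connection, from its port 20
                # to the ephemeral port the client announced. Seen from the server's
                # firewall this is an outbound connection to an arbitrary high port.
                conns.append(DataConnection("active", server_ip, 20, host, port))
        elif side == "S":
            m = PASV_RE.match(text)
            if m:
                host, port = decode_hostport(m.groups())
                # Passive mode: the CLIENT opens the data connection to the port the
                # server announced; the server only listens, so one inbound port suffices.
                conns.append(DataConnection("passive", client_ip, None, host, port))
    return conns


def firewall_rule(conn: DataConnection) -> str:
    """The one allow rule a firewall in front of the server needs for this transfer."""
    if conn.mode == "active":
        return (f"allow TCP out {conn.src_host}:{conn.src_port} -> "
                f"{conn.dst_host}:{conn.dst_port}")
    return f"allow TCP in {conn.src_host}:* -> {conn.dst_host}:{conn.dst_port}"


def ports_outside(conns, lo: int, hi: int) -> List[int]:
    """Data ports that a firewall allowing only the range [lo, hi] would block."""
    return [c.dst_port for c in conns if not lo <= c.dst_port <= hi]


# Constructed sample dialogue (not a real capture): an active-mode LIST, then a
# passive-mode LIST on the same session.
SAMPLE = [
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@example.invalid"),
    ("S", "230 User logged in"),
    ("C", "PORT 203,0,113,5,6,118"),                        # client listens on 203.0.113.5:1654
    ("S", "200 PORT command successful"),
    ("C", "LIST"),
    ("S", "150 Opening ASCII mode data connection for /bin/ls."),
    ("S", "226 Transfer complete"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,136)"),  # server listens on 192.0.2.10:5000
    ("C", "LIST"),
    ("S", "150 Opening ASCII mode data connection"),
    ("S", "226 Transfer complete"),
]

if __name__ == "__main__":
    conns = parse_dialogue(SAMPLE, "203.0.113.5", "192.0.2.10")
    for c in conns:
        print(c.mode, "->", firewall_rule(c))
    print("blocked by a 1024-4096 allow range:", ports_outside(conns, 1024, 4096))
```

Run against the sample, the active transfer yields an outbound rule from 192.0.2.10:20 to 203.0.113.5:1654 (the kind of connection the thread's 1024-4096 rule had to admit), while the passive transfer needs only an inbound allow to 192.0.2.10:5000. Because the passive port is whatever the server's configured range says, narrowing that range on the server side is what lets a firewall rule stay tight; with active mode the destination port is chosen by the remote client and cannot be narrowed from the server.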
