After several hours web browsers cannot log in to FTP anymore


Postby kdiamond » Jul 11 06 1:02 pm

Hi!

Wingate and FTP running on same machine. Allow TCP for 20-21.

When I start the computer everything is fine. FTP is working. FTP clients and browsers can login.

But after several hours, browsers cannot log in anymore. List command does not seem to work anymore.

I can see the firewall blocks some traffic on ports above 3000. So why do browsers suddenly try to use random ports above 3000 for FTP?

When I stop the Wingate service everything is OK; when I start it back again browsers cannot log in. If I restart the computer everything works for a few hours and the story repeats.

What can I do?

Thank you
Best Regards,
Dali
kdiamond
 
Posts: 20
Joined: Dec 22 05 2:57 pm

Postby genie » Jul 11 06 6:55 pm

Most probably your situation is this:

You have an allowed port range (say, 1024-3000) - these are the ports that are allowed through the firewall. Since ports are sometimes reused and sometimes are not, your FTP server starts using ports outside this 1024-3000 range for data channel. Can you force the FTP server to use active mode only or passive mode on some predefined port (20 default)?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby kdiamond » Jul 11 06 9:11 pm

Hi!

Thank you for your fast reply

I have to say that I use Serv-U Ftp client on other setups without any problem. For example, Linux Brazil-FW Gateway and Serv-U are working fine. Only here with WG it stops after several hours.

"You have an allowed port range (say, 1024-3000) - these are the ports that are allowed through the firewall"

No I don't. Should I allow those ports?

"Can you force the FTP server to use active mode only or passive mode on some predefined port (20 default)?"

Allow passive mode data transfers is all there is.

But why does it work for about 10 hours and then stop? Why does it work again after a reboot for approx. 10 hours?

Best Regards,
Dali
kdiamond
 
Posts: 20
Joined: Dec 22 05 2:57 pm

Postby genie » Jul 11 06 10:25 pm

If my theory is correct, it is just a matter of time to use up the entire allowed port range - check your Extended Networking settings, port actions page. What version of Wingate are you using, by the way?
genie
Qbik Staff
 
Posts: 1788
Joined: Sep 30 03 10:29 am

Postby kdiamond » Jul 12 06 7:29 am

"What version of Wingate are you using, by the way?"

Don't know exactly, because I'm not at the location, but I'm sure it's 6.x.x

But until now all I had to do was forward port 21, no matter what router or gateway I was using, and there were no problems. Why is it different here?

What do ports above 1000 have to do with FTP, which works on 21?

Br,
Dali
kdiamond
 
Posts: 20
Joined: Dec 22 05 2:57 pm

Postby adrien » Jul 12 06 6:56 pm

FTP uses 2 connections, a control channel connection on port 21, then every time you do a list or a file transfer, it opens a new data connection.

It's this data connection that is being blocked after a while.

There are 2 modes of data transfer, normal and PASV.

Normal: the client sends a PORT command, and the server connects back to the client on the port number that was sent by the client.

PASV: the client sends a PASV command, the server opens a new port, and tells the client the port number, then the client connects to the server on this port.

With this second mode, then every time the PASV command is sent, a new port number is allocated by the operating system (unless the FTP server allows you to specify the port number that must be used).

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
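
The data-port negotiation adrien describes can be read straight off the control channel. The following is an added example, not part of adrien's post or of WinGate or Serv-U: it decodes the port carried in each PORT command and 227 (PASV) reply and lists the passive ports a firewall range would block. The session lines are constructed, and the 1024-3000 range is the hypothetical one from genie's reply.

```python
import re

# Constructed control-channel lines (C: = client, S: = server); not real captures.
SAMPLE_SESSION = [
    "C: PORT 192,168,0,10,12,34",
    "S: 200 PORT command successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,0,2,11,184)",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,168,0,2,195,80)",
]

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if absent/invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The port is sent as two bytes: high byte first, then low byte.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connections(lines):
    """List (mode, listener_ip, listener_port) for every data channel negotiated."""
    found = []
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            mode = "active"    # client listens, server connects back to it
        elif side == "S" and msg.startswith("227"):
            mode = "passive"   # server listens, client connects in
        else:
            continue
        hostport = decode_hostport(msg)
        if hostport:
            found.append((mode, *hostport))
    return found


def blocked_passive_ports(lines, allowed):
    """Passive ports on the server that fall outside the firewall's (low, high) range."""
    low, high = allowed
    return [port for mode, _, port in data_connections(lines)
            if mode == "passive" and not low <= port <= high]
```

Only the passive entries matter to a firewall in front of the server, because in that mode the inbound connection targets whatever port the server announced.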

Postby kdiamond » Jul 13 06 1:17 pm

Hi Adrien.

Thank you for explaining how it works.

"(unless the FTP server allows you to specify the port number that must be used)"

No, Serv-U FTP server has no setting to specify an additional port for PASV mode. I've never seen it nor had to use it.

So since Serv-U has no such option, what can I do?
I cannot just allow the port range from 1000 - 3000, in case FTP decides to use any port in between.

Till now I always forwarded port 21 and it always worked without any problems and it works on numerous other setups as we speak. That's a fact. Other firewalls don't need any additional port (besides 21) to be opened for browsers to log in to FTP. Therefore I assume it must be a Wingate-specific case.

So, port 21 opened, FTP has no option to set the PASV port, browser cannot log in. What would you do?

Thank you

Br,
Dali
kdiamond
 
Posts: 20
Joined: Dec 22 05 2:57 pm

Postby kdiamond » Jul 16 06 5:27 am

I found it. Exactly like you said. I need to specify a port for PASV mode. It's so strange that it works on other routers without opening a dedicated port.

Thank you for your help.

Br,
Dali
kdiamond
 
Posts: 20
Joined: Dec 22 05 2:57 pm

