problems with ftp

problems with ftp

Postby SarekHL » Jun 01 08 9:52 am

Dear Sirs,

I use WinGate 6.1.4 (Build 1099) and appreciate it as a reliable program. At "Extended Networking" I configured the "port-security" to reject connections from the internet by default.

Now I wanted to run a little tool on my server. That tool should download a logfile from an ftp-server on the internet every night. The tool therefore uses the ftp.exe which is integrated in Windows. Unfortunately this ftp.exe does not support the passive mode. So the FTP-server on the internet actively tries to connect to my server - and fails, because WinGate blocks the connection. Due to the quirk of the FTP-protocol not to use a fixed port I would have to open every port between 1024 and 65535 for incoming connections. For security reasons that is of course not desired.

Are there any other possibilities? Can I for example generally allow any incoming connection from a specified IP-address, independent from the configuration at "portsecurity"? Or can I add a portsecurity-rule which is only active between 5 and 6 o'clock?

I hope my English is understandable ...


Yours sincerely,
Andre Meyer
(Germany)
SarekHL
 
Posts: 22
Joined: May 15 06 9:22 pm

Re: problems with ftp

Postby logan » Jun 03 08 10:32 pm

Hi Andre,

Yes, it is possible to open ports to the internet in WinGate, but only allow certain IP addresses on the Internet to connect in, but the port range surely is not 1024 to 65535. I'm sure you could get away with the standard ephemeral port range of 1024 -> 4999.

However, before I go into detail, have you considered using a command-line FTP client other than the built-in ftp.exe? One such client that is often brought up as an alternative to ftp.exe is NcFTP. This was created in 1991 originally for UNIX based systems, but has since been ported to Windows. You can find more details on the NcFTP website.

Home: http://www.ncftp.com/
Downloads: http://www.ncftp.com/download/


If using an alternative client exe is not an option, here's how to open a port range in the firewall but restrict it to a specific IP address.

1. First, you need to create the policies that restrict the active FTP ports to a specific IP address.

- Gatekeeper -> System -> Extended Networking -> Policies
- Change the default rights to "are ignored"
- Remove any existing policies

Create a policy that allows access for all private IP ranges:
- Click Add to make a new policy
- Leave the General tab how it is and go to the Location tab
- Select "Specify locations from where this recipient has rights"
- Enter 192.168.* in the "Included locations" inputbox and click Add
- Enter 172.16.* in the "Included locations" inputbox and click Add
- Enter 10.* in the "Included locations" inputbox and click Add
- Enter 127.0.0.1 in the "Included locations" inputbox and click Add
- Click OK to finish making the policy

Now create a second policy that allows access for internet computers, but restricts access to the FTP ports (1024 -> 4999) to a specific IP address (in this example I use 123.123.123.123):
- Click Add to make a new policy
- Leave the General tab how it is and go to the Advanced tab
- Select "Specify which requests this recipient has rights for"
- Click Add Filter, then add a Criterion to the filter that states [This criterion is met if Server Port is less than 1024]
- Add a second filter, then add a Criterion to the filter that states [This criterion is met if Server Port is greater than 4999]
- Add a third filter, then add a Criterion to the filter that states [This criterion is met if Server Port is greater than 1024]
- Add another Criterion to the third filter that states [This criterion is met if Server Port is less than 4999]
- Add another Criterion to the third filter that states [This criterion is met if Client IP equals 123.123.123.123]
- Click OK to finish making the policy


2. Now that your access policies are set up, you can open ports 1024 -> 4999, or whatever port range you chose to use. These ports will only be accessible by the IP address you specified.


Now that everything is set up, it would pay to check your server from a different internet connection to make sure it is secure.
logan
Qbik Staff
 
Posts: 671
Joined: Oct 19 06 2:49 pm
Location: Auckland, New Zealand
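Added example, not from the post above and not WinGate's own code: a small Python model of the two policies logan describes, so you can check which (client IP, server port) pairs the rules admit before opening the port range. It assumes a filter matches when all of its criteria are met and a policy grants a request when any of its filters match; with the strict greater-than/less-than criteria exactly as written, ports 1024 and 4999 themselves fall into none of the three filters, which the helper at the end reports.

```python
import fnmatch

# Constructed model of the two WinGate policies from the reply above.
# Assumed semantics: a filter matches only if ALL its criteria are met, a policy
# grants the request if ANY filter matches, and a request is allowed if any
# policy grants it. This is a model for checking the rules, not WinGate's engine.

PRIVATE_LOCATIONS = ["192.168.*", "172.16.*", "10.*", "127.0.0.1"]  # policy 1 (from the post)
TRUSTED_FTP_SERVER = "123.123.123.123"  # placeholder address used in the post

# Policy 2: three filters, each a list of (field, operator, value) criteria.
INTERNET_FILTERS = [
    [("port", "lt", 1024)],
    [("port", "gt", 4999)],
    [("port", "gt", 1024), ("port", "lt", 4999), ("ip", "eq", TRUSTED_FTP_SERVER)],
]


def location_allowed(client_ip: str) -> bool:
    """Policy 1: any client whose address matches an included location."""
    return any(fnmatch.fnmatchcase(client_ip, pat) for pat in PRIVATE_LOCATIONS)


def criterion_met(field: str, op: str, value, client_ip: str, port: int) -> bool:
    """Evaluate one [This criterion is met if ...] line against a request."""
    actual = port if field == "port" else client_ip
    if op == "lt":
        return actual < value
    if op == "gt":
        return actual > value
    if op == "eq":
        return actual == value
    raise ValueError(f"unknown operator {op!r}")


def internet_allowed(client_ip: str, port: int) -> bool:
    """Policy 2: granted if every criterion of at least one filter is met."""
    return any(all(criterion_met(*c, client_ip, port) for c in f) for f in INTERNET_FILTERS)


def is_allowed(client_ip: str, port: int) -> bool:
    """Combined decision: a request passes if either policy grants it."""
    return location_allowed(client_ip) or internet_allowed(client_ip, port)


def uncovered_ports(client_ip: str, lo: int = 1024, hi: int = 4999) -> list:
    """Ports in the opened range that policy 2 would NOT grant to client_ip."""
    return [p for p in range(lo, hi + 1) if not internet_allowed(client_ip, p)]


if __name__ == "__main__":
    print(is_allowed("123.123.123.123", 2000), is_allowed("8.8.8.8", 2000))
    print(uncovered_ports("123.123.123.123"))  # boundary ports left out by the strict criteria
```

Widening the third filter to "greater than 1023" and "less than 5000" makes the uncovered list empty for the trusted address.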
