WinGate Forums

[npickles]

I have a very specific problem that I am trying to resolve and have been pointed in the direction of using a proxy server to accomplish it. Apologies if this is a dumb question but I have no working knowledge of proxies but plenty of knowledge of TCP/IP & networking in general.

The scenario is as follows:-
On a private network a windows client wishes to send a file via active mode ftp to a remote ftp server located elsewhere on the internet. The client's default gateway router is attached to the Internet but with a very locked down config that cannot easily be altered. There are very limited open ports both outbound and inbound and there cannot be vast swathes of open inbound ports, that is just not allowed.

The big issue here is the Active Mode FTP but that cannot be changed as it is embedded in a commercial application that we just have to work with.

With the current non proxied setup, when using active mode FTP the client connects from a random local port (x) to the server ftp port (6001 in this case) and authenticates itself. The server then attempts to connect back to the client on port (x+1) for the actual data transfer. The problem is that port (x+1) isn't open for inbound traffic on the clients gateway router and as a result it fails. We have no way to control the random local port number that is used when initiating the connection and therefore have no way to make this work, all we can control is the port number to connect to on the FTP server.

Would a proxy server help in this situation, I am led to believe that it would but I don't know how myself, can you help enlighten me ?
Would using a proxy essentially enable the ports used between the client and proxy to be fixed and thus configurable in the gateway router config while the proxy to FTP server comms happens outside the firewall without the port restrictions ?

[adrien]

Hi

Any firewall worth its salt will actually inspect traffic and handle active FTP. However by running the main FTP control channel over a non-standard port, this is probably being bypassed.

With active mode FTP through a firewall, the firewall has to alter the PORT request to the server, since it replaces the internal client's IP with its own external one. It usually assigns a local port and changes this as well, so that the return connection from the server can be relayed inwards.

I'm pretty sure the firewall you're using if it's made by anyone reputable in the last 15 years would be able to do this.

If you can't use port 21 for FTP, you may be able to configure the firewall to do FTP application handling on the port you are using.

Have you tried just using port 21?

Otherwise it's all down to the firewall. If the client can't use PASV mode, and the firewall can't do FTP handling, you'd need some intermediary to convert Active mode to PASV in between. WinGate doesn't have an option for this, although it would be fairly simple to add.

My first recommendation would be to try port 21.

Regards

Adrien

[adrien]

p.s. you can't rely on anything about the source of the return connection. It can even be a different IP. You definitely can't rely on source port being (x+1). It may be reliable in your case with the particular server, but in general it's ephemeral so the port will depend on other TCP load on that server.

So basically the only way active FTP can work reliably through a firewall is if the firewall specifically supports it.