Compatible Support Forums
zoooom

ftp passive mode with iis behind firewall


Hello and thank you for reading. I have an IIS FTP server running behind a FreeBSD firewall. When clients try to connect via PASV mode the FTP client is attempting to connect to the internal IP number 10.x.x.x. I've been scouring the web looking for solutions to no avail. In FreeBSD the firewall uses ipnat. I could not find a way to get ipnat to do an FTP translation (convert the internal IP to global). Is there a way in IIS to set the IP that is sent to the client to use in passive mode? In g6ftp there are options where you can set this IP and a port range. Or if you know ipnat any suggestions would be useful. Thank you for your time.


How about just not having the clients use PASV mode? It's what I do for the IIS FTP boxes that I run behind firewalls. Some client apps default to PASV first, then run normal while others (like IE) will run in the opposite. If you need a good client for connecting to IIS boxes I recommend SmartFTP (www.smartftp.com). It's fast, and free. You can disable PASV mode globally or simply bookmark the servers that you want to connect to and set the mode individually.

Quote:
How about just not having the clients use PASV mode? It's what I do for the IIS FTP boxes that I run behind firewalls. Some client apps default to PASV first, then run normal while others (like IE) will run in the opposite. If you need a good client for connecting to IIS boxes I recommend SmartFTP (www.smartftp.com). It's fast, and free. You can disable PASV mode globally or simply bookmark the servers that you want to connect to and set the mode individually.


The problem with this... if the client is on a firewall then they can't use port mode. Specifically some routers have this problem. The Linksys in my office will do FTP translation to modify the port string to allow port mode. However not all firewalls do this... the problem with FTP... is the addresses are sent in the packets... like the FTP client will send a port command
PORT 10,0,10,1,20,486

meaning connect on 10.0.10.1 which is the internal IP. Which the server cannot connect to. Good firewalls will translate this. But not all of them do. So hosting companies must allow PASV mode for clients behind a firewall.

Quote:
Quote:
Hello and thank you for reading. I have an IIS FTP server running behind a FreeBSD firewall. When clients try to connect via PASV mode the FTP client is attempting to connect to the internal IP number 10.x.x.x. I've been scouring the web looking for solutions to no avail. In FreeBSD the firewall uses ipnat. I could not find a way to get ipnat to do an FTP translation (convert the internal IP to global). Is there a way in IIS to set the IP that is sent to the client to use in passive mode? In g6ftp there are options where you can set this IP and a port range. Or if you know ipnat any suggestions would be useful. Thank you for your time.


Could you not punch a "rule/hole" into your NAT firewall forwarding in FTP ports being used allowing them ingress if need be for your clients using PASV clientside initiated communication?

MOST firewall systems have configuration files, especially in the UNIX world, you just have to toy with... I think netconfig.exe in Linux does this for you though, & in XP's native firewall it's in its properties to punch in new rules etc. for stuff like this!

(Clutch's suggestion is a decent one too... look into it as well!)

* smile

APK


The firewall forwards the ports... that isn't the problem... the problem is... the string is sent as the IIS machine's internal IP, 10.x.x.x. So the client when initiating passive tries to do this...

PASV 10,x,x,x,x,x

What I would like to do is set a PASV port range in IIS FTP and a PASV IP address to be sent to the client. Even programs like Serv-U and g6-ftp support these settings but in IIS they are nowhere to be found. I have found an ipnat rule that allows clients behind the firewall to support the PORT command... but I have not found a way to get the firewall to translate the packets for incoming PASV connections. I've searched and searched and many people are saying that it cannot be done with NAT because NAT only deals with the packet headers, not the actual data in the packets. And this is where the IP that needs to be changed is... however... there are application proxies in ipnat that do this for FTP clients behind the firewall... So I figure there must be a way. But all in all... the best situation for me would be to be able to set this in IIS like you can with just about all FTP server software. I'm very surprised Microsoft's FTP server doesn't support this. In fact I'm dumbfounded by it. In fact I was hoping somebody here would just tell me I'm dumb and there is a way to do it with IIS.

Quote:
The problem with this... if the client is on a firewall then they can't use port mode. Specifically some routers have this problem. The Linksys in my office will do FTP translation to modify the port string to allow port mode. However not all firewalls do this... the problem with FTP... is the addresses are sent in the packets... like the FTP client will send a port command
PORT 10,0,10,1,20,486

meaning connect on 10.0.10.1 which is the internal IP. Which the server cannot connect to. Good firewalls will translate this. But not all of them do. So hosting companies must allow PASV mode for clients behind a firewall.


What are you using? I have setup a couple of Linksys routers, a Cisco PIX 520, ISA Server, and helped others with Netgears and these NAT systems seem to work just fine in this mode. I also believe that Checkpoint allows for this as well. I am interested in hearing why you can't get yours working.

Quote:
Quote:
Hello and thank you for reading.


No problem, this kind of thing is fairly interesting!

Quote:
I have an IIS FTP server running behind a FreeBSD firewall. When clients try to connect via PASV mode the FTP client is attempting to connect to the internal IP number 10.x.x.x. I've been scouring the web looking for solutions to no avail.


Heh, yea... I can see that & it WOULD be a "small" problem (sarcasm).

Quote:
In FreeBSD the firewall uses ipnat. I could not find a way to get ipnat to do an FTP translation (convert the internal IP to global). Is there a way in IIS to set the IP that is sent to the client to use in passive mode?


I have NO idea... you'd be best served by someone who has used the latest/greatest IIS. I have not set it up & used it since, oh, 1997! Long time ago, much older model...

Quote:
In g6ftp there are options where you can set this IP and a port range. Or if you know ipnat any suggestions would be useful. Thank you for your time.


I don't use that sorry. I was speaking in general terms on forwarding the ports in its rules lists.

Quote:

There are application proxies in ipnat that do this for FTP clients behind the firewall... So I figure there must be a way.


I agree... whatever this app proxy is that changes the headers of the packets sent is what you want to mess with it sounds like!

Quote:
But all in all... the best situation for me would be to be able to set this in IIS like you can with just about all FTP server software.


Agreed 100%! Only problem is, I do not know where that is setup in IIS.

Quote:
I'm very surprised Microsoft's FTP server doesn't support this. In fact I'm dumbfounded by it. In fact I was hoping somebody here would just tell me I'm dumb and there is a way to do it with IIS.


There's gotta be a way because I am SURE you are not the first person to set it up in such a hardware & firewalled environs.

(Sorry, I don't know where the "tweak" is for it though... you're best served by the hardcore-network tech/admin types here as I have not messed with IIS in ages, & was suggesting a basic principle to lookover is all...)

smile

APK

P.S.=> However you work it out (I hope you do & good luck on that) do let us know your technique... cannot hurt to pick up a new trick, especially with IIS! I could use the knowledge... apk


Heh... you're right, I'm not the only person with this problem. A quick search on Google Groups will show you a couple of peeps with IIS that have this problem.. with a Unix FTP like wu-ftp.. the passive IP can be set with a port range. For obvious reasons. Thanks for the links! The netbios article described my prob to the tee.. and MS suggests to figure out how to do it with the NAT. So I guess that's my goal right now. I gotta figure out how to do it with ipnat. I'm new to ipnat. In fact I didn't set up the firewall, I only knew why the FTP wasn't working so I started to dig in to find a solution. But it certainly has been fun. I never thought I would be configuring NAT on a firewall. It's easier than I thought it would be. Just this problem seems to be a lot bigger than I expected. We've had to install Serv-U as a temporary solution for clients behind routers/firewalls that require PASV. It has the neat little PASV IP and port range settings. I will definitely let you guys know if I figure it out.

Quote:
What are you using? I have setup a couple of Linksys routers, a Cisco PIX 520, ISA Server, and helped others with Netgears and these NAT systems seem to work just fine in this mode. I also believe that Checkpoint allows for this as well. I am interested in hearing why you can't get yours working.


I can't get it to work... =]. IIS FTP behind FreeBSD firewall = hard to set up without good knowledge of ipnat. I gotta study the FTP application proxy a bit more and tinker with ipnat to figure out exactly how it works. I'm new to the syntax of it all. It's fairly straightforward, I can do simple things like portmaps and bimaps. But there are a bunch of rules I need to learn to figure it out. I guess the first thing I should try is to figure out how to get a client to work behind the firewall using port mode. It's essentially the same thing.. except in reverse. When the FTP client says PASV the FTP server returns the IP and port to connect to. With PORT the client just sends the IP and port off the bat. So basically it's a bit easier to set up the clients.. because the packets are coming in... but with PASV the packets are coming out... back to the client. It's hard.. (impossible?). If you know please share. Again thanks for reading everybody. This is a great forum. I haven't been here in a while. Where's SHS? He helped all us Win2k users out with our Voodoo 3 cards when 3dfx didn't support it. OK, I'm off topic. Signing out.

Quote:
I can't get it to work... =]. IIS FTP behind FreeBSD firewall = hard to set up without good knowledge of ipnat. I gotta study the FTP application proxy a bit more and tinker with ipnat to figure out exactly how it works. I'm new to the syntax of it all. It's fairly straightforward, I can do simple things like portmaps and bimaps. But there are a bunch of rules I need to learn to figure it out. I guess the first thing I should try is to figure out how to get a client to work behind the firewall using port mode. It's essentially the same thing.. except in reverse. When the FTP client says PASV the FTP server returns the IP and port to connect to. With PORT the client just sends the IP and port off the bat. So basically it's a bit easier to set up the clients.. because the packets are coming in... but with PASV the packets are coming out... back to the client. It's hard.. (impossible?). If you know please share. Again thanks for reading everybody. This is a great forum. I haven't been here in a while. Where's SHS? He helped all us Win2k users out with our Voodoo 3 cards when 3dfx didn't support it. OK, I'm off topic. Signing out.


Guess ipnat won't work.
http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#14

And... smile IIS FTP is not capable of being configured. Well problem solved I guess. Lol.. Serv-U.

Quote:
I hope MS fixes this in IIS... it is a pretty large shortcoming to be made aware of... I would have thought for sure they would have a fix for that, maybe with their own security firewalling stuff, who knows?


MS makes great software... however they seem to forget about certain features that make our lives easier. I have run into a couple of these things when programming MS SQL Server. I figure they think that a small hosting company should invest 5000 dollars on a Cisco firewall to use their FTP server. Maybe it's a conspiracy against free software smile

Quote:
MS makes great software... however they seem to forget about certain features that make our lives easier. I have run into a couple of these things when programming MS SQL Server. I figure they think that a small hosting company should invest 5000 dollars on a Cisco firewall to use their FTP server. Maybe it's a conspiracy against free software smile


Well, it works with our $6500 (at the time) firewall along with my $100 Linksys NAT router. Oh, and it also worked with my Eicon DIVA ISDN router when I was using it before. So far, yours is the first situation that I have heard of where it flat did not work. Seems like it should though, but I haven't had occasion to work with FreeBSD.

Quote:
MS makes great software... however they seem to forget about certain features that make our lives easier. I have run into a couple of these things when programming MS SQL Server. I figure they think that a small hosting company should invest 5000 dollars on a Cisco firewall to use their FTP server. Maybe it's a conspiracy against free software smile


That, or I bet it works with their own security software! On your "conspiracy theory", heh... I am TOTALLY with a lot of those, because I figure if a regular guy like me can conceive it, it's been done or in the making (as there is in my opinion, very little original thought left).

They do make great software, no doubt about it, even when they license it or buy a company out to do it. They often extend it more (sometimes though watering it down from the FULL versions they license) or improve it later to the max.

I dunno about them 'being in bed with Cisco' though... could be though, you never know! I think you are just making a point though... Cisco just being an example!

Ever try a simple Linksys NAT "firewalling" router with it? I am just curious because they're decent little buggers & have a lot of capability... might be a CHEAP fix for you one day...

* smile

APK


We got the FreeBSD firewall all souped up with all these security programs (which we hired someone to do) like Snort (checks for exploits in IP packets) and port monitoring. So I doubt we will be switching the firewall. I think we are just going to go with some 3rd party FTP software. As for me I'm going to continue to research this. The nice thing about open source is anything is possible. I heard those application proxies for ipnat are kinda like plugins. So I'm going to keep looking. Maybe I'll make my own! I'm on a roll lol.

Quote:
Well, it works with our $6500 (at the time) firewall along with my $100 Linksys NAT router. Oh, and it also worked with my Eicon DIVA ISDN router when I was using it before. So far, yours is the first situation that I have heard of where it flat did not work. Seems like it should though, but I haven't had occasion to work with FreeBSD.


Which Linksys router? I have a BEFSR something or other. It does the same exact thing. It tries to connect to the internal IP of the FTP server. A quick search on Google will show people with the Linksys having the same problem.. And of course the suggested solution is to use an FTP server that is capable of specifying the PASV IP and the PASV port range. Silly Microsoft..

http://groups.google.com/groups?q=Linksy....com&rnum=3

Quote:
Which Linksys router? I have a BEFSR something or other. It does the same exact thing. It tries to connect to the internal IP of the FTP server. A quick search on Google will show people with the Linksys having the same problem.. And of course the suggested solution is to use an FTP server that is capable of specifying the PASV IP and the PASV port range. Silly Microsoft..

http://groups.google.com/groups?q=Linksy...;rnum=3


Welp, I don't know what to tell you or them, since mine works perfectly fine doing what I mentioned earlier. I have the BFSR41, and I simply forward port 21 (TCP and UDP) to my hosting box. As a matter of fact, I uploaded the screencap you see here with it. In this screen cap, note the external IP resolution of my domain name, and the local IP of this workstation at the office of xxx.1.1.100:

ftp-logon.gif


PORT MODE. Try using PASV... Also... it looks to me as if your client is behind a router that performs the FTP translation. In other words it allows you to use port mode even though you're behind the firewall. Not all routers do this.. And this is the exact reason the FTP server must be capable of doing PASV. For the users behind a firewall that doesn't convert the LAN IPs when using PORT.

Quote:
PORT MODE. Try using PASV... Also... it looks to me as if your client is behind a router that performs the FTP translation. In other words it allows you to use port mode even though you're behind the firewall. Not all routers do this.. And this is the exact reason the FTP server must be capable of doing PASV. For the users behind a firewall that doesn't convert the LAN IPs when using PORT.


I understand that, but I did post earlier to NOT use PASV mode. Hence, my comment about following my earlier instructions. I connected to my system at home from behind my Cisco PIX 520, and can do the reverse using IIS 5.0 on both ends and either IE 6/5.x or SmartFTP. Also, I notice that you seem to think that MS is "silly" with their implementation of FTP, and to some respects they are (no resume for upload, which sucks). However, upon looking at your link it seems that other FTP server apps have issues with this as well. FTP is effectively a broken protocol to begin with, and has been patched together over the years to keep up with today's demands. Hopefully it will be canned altogether, but not anytime soon...

Quote:
I understand that, but I did post earlier to NOT use PASV mode. Hence, my comment about following my earlier instructions. I connected to my system at home from behind my Cisco PIX 520, and can do the reverse using IIS 5.0 on both ends and either IE 6/5.x or SmartFTP. Also, I notice that you seem to think that MS is "silly" with their implementation of FTP, and to some respects they are (no resume for upload, which sucks). However, upon looking at your link it seems that other FTP server apps have issues with this as well. FTP is effectively a broken protocol to begin with, and has been patched together over the years to keep up with today's demands. Hopefully it will be canned altogether, but not anytime soon...



My apologies... I re-read your post. This isn't an issue of just forcing clients to use port mode though. It simply isn't an option. I agree FTP is stupid. It was created back in the peace love hippie days when firewalls weren't an issue. My venting is due to a build-up of spending days trying to figure out a solution to this problem to no avail. We got customers using Serv-U on a non-standard FTP port smile. I would like to use IIS FTP because it uses NT authentication. And this.... really is a VERY easy thing to add to an FTP server. The IP and port are put in the data part of the packet. Knowing that FTP is such a stupid protocol.. why not make it easier on the firewall. I imagine having the NAT part of the firewall take care of it is more resource intensive and insecure. And even still... without being able to set a port range you have to pass through all packets to the server. It's very silly... In fact.. I still am going to look for a way in IIS. It must be there.


Here is a simplified but useful description of the PASV and PORT modes from MS with respect to IE:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q309816

It illustrates which system initiates the port selection, and why some firewalls aren't set up to accept it. Some heavy duty firewalls (like Checkpoint and ISA) are "active", and follow the traffic for a given protocol and will open and close ports as needed. In our case, we are speaking of simple port forwarding for the Linksys (which has always worked for me using PORT mode), but I am not familiar with the other NAT/Firewall system he is using.

Have you tried using PORT mode at all with your BSD system? Does your firewall allow outbound traffic on port 20?

Quote:
Here is a simplified but useful description of the PASV and PORT modes from MS with respect to IE:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q309816

It illustrates which system initiates the port selection, and why some firewalls aren't set up to accept it. Some heavy duty firewalls (like Checkpoint and ISA) are "active", and follow the traffic for a given protocol and will open and close ports as needed. In our case, we are speaking of simple port forwarding for the Linksys (which has always worked for me using PORT mode), but I am not familiar with the other NAT/Firewall system he is using.

Have you tried using PORT mode at all with your BSD system? Does your firewall allow outbound traffic on port 20?


Port mode works fine. Port 20 is rarely used by the data connection. What happens is the server/client opens up a high random port depending on if you use PASV/PORT respectively. This is why when using passive it's nice to be able to set a passive port range in the FTP server. If you're interested in how it works in BSD... there is something called ipf. It stands for IPFILTER. In IPFILTER there is something called ipnat. In ipnat you can create your own NAT rules (pretty cool stuff). You just place them in a text file. NAT... doesn't really take care of data inside the packets... But it has made an exception for FTP. For this very reason.
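Added example (not code from this thread, from IIS or from ipnat): a small Python decoder for the PORT command and the 227 PASV reply that the posts above describe, a check for the exact symptom in this thread (a 10.x.x.x address carried inside the FTP payload while the control-connection peer is public), a passive-port-range check, and the payload rewrite an FTP-aware NAT such as ipnat's ftp proxy or a router's "ftp translation" has to perform. All sample lines and addresses are constructed.

```python
"""Decode FTP PORT / 227 PASV address fields, flag a private (RFC 1918)
address advertised to a public peer, and show the payload rewrite an
FTP-aware NAT must do. Every sample value here is constructed."""
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# RFC 959 encodes host and port as six decimal bytes: h1,h2,h3,h4,p1,p2
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class DataEndpoint(NamedTuple):
    host: str
    port: int


def _decode(fields: Tuple[str, ...]) -> Optional[DataEndpoint]:
    """Turn h1..h4,p1,p2 into host:port. Every field must fit in one byte,
    so a malformed value such as the '486' in the thread's PORT example is
    rejected instead of being folded into some unrelated port number."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return DataEndpoint(".".join(str(n) for n in nums[:4]), port)


def parse_port_command(line: str) -> Optional[DataEndpoint]:
    """Client -> server, active mode: 'PORT h1,h2,h3,h4,p1,p2'."""
    m = _PORT_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[DataEndpoint]:
    """Server -> client, passive mode: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'"""
    m = _PASV_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 (the ranges a public peer cannot reach)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def advertises_private_to_public(ep: DataEndpoint, peer_ip: str) -> bool:
    """The thread's symptom: the address inside the FTP payload is private
    while the control connection's peer is public, so the peer cannot reach
    it. True means no NAT/ALG rewrote the payload."""
    return is_rfc1918(ep.host) and not is_rfc1918(peer_ip)


def in_passive_range(ep: DataEndpoint, low: int, high: int) -> bool:
    """Whether an advertised PASV port falls inside the range the firewall
    forwards; without a configurable range every high port would have to be passed."""
    return low <= ep.port <= high


def rewrite_pasv_reply(line: str, public_ip: str) -> Tuple[str, int]:
    """What an FTP-aware NAT (ipnat's ftp proxy, a router's 'ftp translation')
    does: replace the private address inside the 227 reply with the public
    one. Returns the new line and the change in payload length; a non-zero
    delta means TCP sequence/ack numbers must be fixed up for the rest of
    the control session, which is why header-only NAT cannot do this."""
    stripped = line.strip()
    m = _PASV_RE.match(stripped)
    if m is None:
        raise ValueError("not a 227 reply: %r" % line)
    rewritten = stripped[: m.start(1)] + public_ip.replace(".", ",") + stripped[m.end(4):]
    return rewritten, len(rewritten) - len(stripped)


if __name__ == "__main__":
    # Constructed control-channel lines as seen from a public client.
    reply = "227 Entering Passive Mode (10,0,0,5,19,137)."
    ep = parse_pasv_reply(reply)
    print(ep, "leaked private address:", advertises_private_to_public(ep, "203.0.113.44"))
    fixed, delta = rewrite_pasv_reply(reply, "203.0.113.10")
    print(fixed, "payload grew by", delta, "bytes")
    print("PORT 10,0,10,1,20,486 ->", parse_port_command("PORT 10,0,10,1,20,486"))
```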


Well, I have been working on this IIS setup for some time. Even in IIS 6.0 they don't have a way to do this. Maybe they're trying to limit general FTP to home users, but that wouldn't explain why they have forgotten to include it in their servers.

I've been working on this for a month or so doing research, and reading forums. Nobody seems to have resolved this problem. But I have found a 3rd party program that has all the flexibility of IIS. BulletproofFTP. It's a nice little program you can run in the background of your server that does everything from multiple users to group policy to restrictions, may I go on. And this program allows you to do passive commands and port limitations right on the settings pages. And even better, that IP address problem we are all having, RESOLVED! This program does it for you. You can either enter your outside router IP and it sends it there, OR you can enter your DynDNS name and password and it will auto-update for you! Lots of little toys that are very easy to use. As much as I would like to use IIS, this program does what I need and I don't ever have to troubleshoot it!
