Re: IIS 5.1 Passive-Mode FTP Behind Linksys Router

From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 04/25/04

    Date: Sun, 25 Apr 2004 16:46:47 GMT
    
    

    On Sat, 24 Apr 2004 22:33:08 GMT, alun@texis.invalid (Alun Jones [MS
    MVP]) wrote:

    >In article <408c8e55.188207678@msnews.microsoft.com>,
    >jcochran.nospam@naplesgov.com (Jeff Cochran) wrote:
    >>On Fri, 23 Apr 2004 15:01:03 -0700, "Steve A"
    >><anonymous@discussions.microsoft.com> wrote:
    >>
    >>>I am trying to support Passive-Mode FTP Behind a Linksys Router with no luck.
    >>>I want to give access to a few people who are behind a NAT firewall on their
    >>>client end. Do I need to set any settings in the ftp service itself, and
    >>>exactly what ports do I need to open on the linksys router which the server is
    >>>behind? Do the Clients have to do anything besides set their internet browser
    >>>for Passive-Mode FTP?
    >>
    >>Passive mode should just require ports 20 and 21 open on the Linksys.
    >
    >Nononononono.
    >
    >Once again, when you're opening firewall ports, particularly on
    >Linksys-quality firewalls / routers, you are opening for inbound
    >connections. Port 20 is never used as a destination for inbound
    >connections, only as a source for outbound data connections in active mode
    >(i.e. non-passive). Firewalls like the Linksys are generally open for all
    >outbound connections.
    >
    >Supporting PASV mode on IIS 5.x requires that you open up a range of ports
    >for incoming connections from the client to the server.
    >http://support.microsoft.com/?id=810639 will tell you how to define that
    >range for IIS.

    Perhaps I shouldn't have simplified. :)

    On the Linksys, at least the ones I've used, you do need to *forward*
    20 and 21 to your internal address, which isn't the same thing as
    open. And the link I posted specifies the settings. You also need to
    forward the matching port range from the above IIS settings.

    As an aside, is there any exploit that uses FTP control or data ports?
    That would be effective without an FTP service running?

    Jeff

