Publishing

FTP passive mode doesn't work externally because passing internal IP

wraptur — Fri, 24 Apr 2009 02:38:16 GMT

I just posted in another area of this forum (http://forums.iis.net/p/1157128/1901692.aspx#1901692)

but I think this is the right place to post judging by I have a similar problem.

I have verified it is using the right ports and that the firewall is allowing those ports, internally passive mode works but externally login works but as soon as I do a dir/ls and it tries to go to passive mode the conneciton dies. It looks like iis 6 is sending the internal ip which would of course not route externally. I have tried adding the external IP to the nic as a secondary ip and setting iis 6 settings for the ftp site to the external ip hoping it would pass that in the return command but no dice. Is there not a place to enter this reply to IP, or masquerade ip, like iis 7 firewall external ip support?

Re: FTP bind to one IP address

imprezacs — Sat, 10 Jan 2009 11:02:51 GMT

I did netstat -an (so it didn't resolve addresses) and there was no listener on the specified port, until I turned off the firewall. That is the problem as I now see it. With the firewall on the listener fails to start.

Re: FTP bind to one IP address

JaroDunajsky — Fri, 09 Jan 2009 17:51:17 GMT

Regarding the netstat command. You have to use "-a" switch to see the listeners.

StatefulFtp with WIndows Firewall would allow you to automatically open ports needed for the passive connections. So they would do packet inspection. But I don't think that Windows Firewall is doing rewriting of the IP addresses from private to public.

First of all lets see what "netstat -a" command reports after the "literal PASV" sent from client. That should move us one step forward

Re: FTP bind to one IP address

imprezacs — Fri, 09 Jan 2009 09:52:19 GMT

I have now found the reason, but still need a solution!!

The server has Windows Firewall enabled, but with the FTP Server allowed access using the Advanced Firewall Settings and allowing FTP server through. When I turn off the firewall, the FTP server behaves normally. I have tried changing the IP address of the listening server as defined in the firewall settings, and it makes no difference. It seems that the only way for it to work correctly is without the Windows Firewall enabled, which seems absurd.

Has anyone any idea how to make the firewall behave correctly?

Re: FTP bind to one IP address

imprezacs — Fri, 09 Jan 2009 09:35:38 GMT

This is getting more bizarre. I see what you are asking so have done some tests.

When I make the initial FTP connection the netstat looks like this

TCP 127.0.0.1:1034 217.*.103.170:39515 ESTABLISHED
TCP 213.*.*.220:21 217.*.103.170:11604 ESTABLISHED

Now I actually do something on the connection (in active mode) and get this

TCP    127.0.0.1:1034         217.*.103.170:39515   ESTABLISHED
TCP    213.*.*.220:20     217.*.103.170:39530   TIME_WAIT
TCP    213.*.*.220:20     217.*.103.170:39535   TIME_WAIT
TCP    213.*.*5.220:21     217.*.103.170:11604   ESTABLISHED

As expected port 20 is opened.

When I then use the literal pasv command I see nothing else at all. There certainly is no listener on the port I get from the pasv command (it should have been 5033), and the list above still stands. We may be getting somewhere here, as the pasv command does not appear to be changing to passive mode at all. From the command line FTP I can still transfer files, but maybe it isn't using passive mode to do so, whereas IE is trying to but the server isn't listening.

I tried this on another server and the listener starts up on its IP address using the port as expected. I'm very confused but feel something is not right on this server.

Re: FTP bind to one IP address

JaroDunajsky — Fri, 09 Jan 2009 08:44:20 GMT

I didn't make myself clear. I wanted to know the following
After you send PASV command from ftp.exe (literal PASV) then server will setup 1 listening port to accept data connection for the upcoming transfer. If you take the 5th parameter from the PASV response , multiply it by 256 and add 6th parameter, then you should get the listening port value on which the FTP server should be listening for some time to accept the passive data connection. I wanted to know what local IP would be used for that listening endpoint.

Re: FTP bind to one IP address

imprezacs — Fri, 09 Jan 2009 08:35:29 GMT

No, netstat just shows the 213 address as listening on port 21.

I'm obviously not the only one who is baffled then!

Re: FTP bind to one IP address

JaroDunajsky — Fri, 09 Jan 2009 06:57:30 GMT

The entry reporting that file was sent references control channel. That's why the address is 213.*.*.220.

And if you run
netstat -a

from command line, you should see the listening endpoint. Does that also show that FTP is listening on 94.*.*.* for the PASV connection?

Re: FTP bind to one IP address

imprezacs — Thu, 08 Jan 2009 08:34:07 GMT

Here is a segment from the log file after enabling server ip logging:

#Fields: time c-ip s-ip cs-method cs-uri-stem sc-status sc-win32-status
08:28:46 82.34.95.232 213.*.*.220 [421]USER XXX 331 0
08:28:48 82.34.95.232 213.*.*.220 [421]PASS - 230 0
08:28:52 82.34.95.232 213.*.*.220 [421]QUIT - 226 0

entered passive mode here...

08:32:01 81.149.154.29 213.*.*.220 [423]sent /ftproot.txt 226 0

As you can see it shows the 213 address. However, when I move to passive mode it actually uses the 94 address, even though the log shows that the file was sent from the 213 address.

It is driving me crazy.

Re: FTP bind to one IP address

JaroDunajsky — Thu, 08 Jan 2009 07:07:07 GMT

What is the actual Server IP address logged in FTP log file for control connection? It is not logged by default, but you could enable it in UI. Does it show up as 213.*
So your site is only setup with :213.X.X.X:21 binding?

I don't have IIS6 server with multiple IP addresses handy to test but I quickly scanned the code and it is using the control channel local address to setup the listener.

Re: FTP bind to one IP address

imprezacs — Wed, 07 Jan 2009 08:35:22 GMT

We are using IIS 6 on Windows 2003 Server. This is a transcript of an FTP session which shows the session connects to the 213 address OK, but as soon as I switch to passive mode, the 94 address opens the session. This doesn't get back to a client behind a firewall.

C:\>ftp 213.***.***.220
Connected to 213.***.***.220.
220-Microsoft FTP Service
User (213.***.***.220:(none)): XXX
331 Password required for XXX.
Password:
230 User XXX logged in.
ftp> literal pasv
227 Entering Passive Mode (94,**,***,78,19,169).
ftp> quit

Any help would be appreciated.

Re: FTP bind to one IP address

JaroDunajsky — Tue, 06 Jan 2009 18:09:07 GMT

Are you saying that the IP address returned in response to PASV command is different from the IP address of control connection? What is the IIS version you are using?

FTP bind to one IP address

imprezacs — Tue, 06 Jan 2009 17:51:57 GMT

I have a server with 5 IP addresses and have FTP binding to one of them. This all works fine except when a user connects using passive FTP. The server sends a passive connection from the server's default IP address rather than the FTP address, so it doesn't get through the client firewall.

How can I change the default address used for passive connections?

thanks

Stewart