IIS 5 & IIS 6
FTP bind to one IP address
Last post Apr 23, 2009 10:38 PM by wraptur
Jan 06, 2009 12:51 PM | imprezacs
I have a server with 5 IP addresses and have FTP binding to one of them. This all works fine except when a user connects using passive FTP. The server sends a passive connection from the server's default IP address rather than the FTP address, so it doesn't get through the client firewall.
How can I change the default address used for passive connections?
Jan 06, 2009 01:09 PM | JaroDunajsky
Are you saying that the IP address returned in response to PASV command is different from the IP address of control connection? What is the IIS version you are using?
Jan 07, 2009 03:35 AM | imprezacs
We are using IIS 6 on Windows 2003 Server. This is a transcript of an FTP session which shows the session connects to the 213 address OK, but as soon as I switch to passive mode, the 94 address opens the session. This doesn't get back to a client behind
Connected to 213.***.***.220.
220-Microsoft FTP Service
User (213.***.***.220:(none)): XXX
331 Password required for XXX.
230 User XXX logged in.
ftp> literal pasv
227 Entering Passive Mode (94,**,***,78,19,169).
Any help would be appreciated.
Jan 08, 2009 02:07 AM | JaroDunajsky
What is the actual Server IP address logged in FTP log file for control connection? It is not logged by default, but you could enable it in UI. Does it show up as 213.*
So your site is only setup with :213.X.X.X:21 binding?
I don't have IIS6 server with multiple IP addresses handy to test but I quickly scanned the code and it is using the control channel local address to setup the listener.
Jan 08, 2009 03:34 AM | imprezacs
Here is a segment from the log file after enabling server ip logging:
#Fields: time c-ip s-ip cs-method cs-uri-stem sc-status sc-win32-status
08:28:46 22.214.171.124 213.*.*.220 USER XXX 331 0
08:28:48 126.96.36.199 213.*.*.220 PASS - 230 0
08:28:52 188.8.131.52 213.*.*.220 QUIT - 226 0
entered passive mode here...
08:32:01 184.108.40.206 213.*.*.220 sent /ftproot.txt 226 0
As you can see it shows the 213 address. However, when I move to passive mode it actually uses the 94 address, even though the log shows that the file was sent from the 213 address.
It is driving me crazy.
Jan 09, 2009 01:57 AM | JaroDunajsky
The entry reporting that file was sent references control channel. That's why the address is 213.*.*.220.
And if you run
from command line, you should see the listening endpoint. Does that also show that FTP is listening on 94.*.*.* for the PASV connection?
Jan 09, 2009 03:35 AM | imprezacs
No, netstat just shows the 213 address as listening on port 21.
I'm obviously not the only one who is baffled then!
Jan 09, 2009 03:44 AM | JaroDunajsky
I didn't make myself clear. I wanted to know the following:
After you send the PASV command from ftp.exe (literal PASV), the server will set up 1 listening port to accept the data connection for the upcoming transfer. If you take the 5th parameter from the PASV response, multiply it by 256 and add the 6th parameter, then you should get the listening port value on which the FTP server should be listening for some time to accept the passive data connection. I wanted to know what local IP would be used for that listening endpoint.
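An added example (not code from the thread or from IIS): a small Python helper that decodes a 227 reply the way the post above describes (port = 5th field × 256 + 6th field) and reports the two things this thread is chasing, an advertised data address that differs from the control connection's address and an RFC 1918 address being handed to an external client. The sample replies and addresses are constructed from RFC 5737 documentation ranges, not the thread's masked ones.

```python
import re
import ipaddress

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges: an address from these will not route from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError("port fields out of range in PASV reply")
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))  # validates octets
    port = p1 * 256 + p2  # e.g. 19 * 256 + 169 = 5033, as in the thread
    return str(ip), port


def check_pasv(reply, control_ip):
    """Return (ip, port, problems): what a client would trip over in this reply."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != control_ip:
        problems.append("data address %s differs from control address %s" % (ip, control_ip))
    if any(ipaddress.IPv4Address(ip) in net for net in RFC1918):
        problems.append("data address %s is RFC 1918 and will not route externally" % ip)
    return ip, port, problems


# Constructed sample: control connection went to 203.0.113.220, server
# answered PASV with a different (public) address and port 19*256+169.
SAMPLE_CONTROL_IP = "203.0.113.220"
SAMPLE_REPLY = "227 Entering Passive Mode (198,51,100,78,19,169)."

if __name__ == "__main__":
    ip, port, problems = check_pasv(SAMPLE_REPLY, SAMPLE_CONTROL_IP)
    print("data endpoint %s:%d" % (ip, port))
    for p in problems:
        print("problem:", p)
```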
Jan 09, 2009 04:35 AM | imprezacs
This is getting more bizarre. I see what you are asking so have done some tests.
When I make the initial FTP connection the netstat looks like this
TCP 127.0.0.1:1034 217.*.103.170:39515 ESTABLISHED
TCP 213.*.*.220:21 217.*.103.170:11604 ESTABLISHED
Now I actually do something on the connection (in active mode) and get this
TCP 127.0.0.1:1034 217.*.103.170:39515 ESTABLISHED
TCP 213.*.*.220:20 217.*.103.170:39530 TIME_WAIT
TCP 213.*.*.220:20 217.*.103.170:39535 TIME_WAIT
TCP 213.*.*5.220:21 217.*.103.170:11604 ESTABLISHED
As expected port 20 is opened.
When I then use the literal pasv command I see nothing else at all. There certainly is no listener on the port I get from the pasv command (it should have been 5033), and the list above still stands. We may be getting somewhere here, as the pasv command does not appear to be changing to passive mode at all. From the command line FTP I can still transfer files, but maybe it isn't using passive mode to do so, whereas IE is trying to but the server isn't listening.
I tried this on another server and the listener starts up on its IP address using the port as expected. I'm very confused but feel something is not right on this server.
Jan 09, 2009 04:52 AM | imprezacs
I have now found the reason, but still need a solution!!
The server has Windows Firewall enabled, but with the FTP Server allowed access using the Advanced Firewall Settings and allowing FTP server through. When I turn off the firewall, the FTP server behaves normally. I have tried changing the IP address of the listening server as defined in the firewall settings, and it makes no difference. It seems that the only way for it to work correctly is without the Windows Firewall enabled, which seems absurd.
Has anyone any idea how to make the firewall behave correctly?
Jan 09, 2009 12:51 PM | JaroDunajsky
Regarding the netstat command: you have to use the "-a" switch to see the listeners.
StatefulFtp with Windows Firewall would allow you to automatically open ports needed for the passive connections. So they would do packet inspection. But I don't think that Windows Firewall is doing rewriting of the IP addresses from private to public.
First of all, let's see what the "netstat -a" command reports after the "literal PASV" is sent from the client. That should move us one step forward.
Jan 10, 2009 06:02 AM | imprezacs
I did netstat -an (so it didn't resolve addresses) and there was no listener on the specified port, until I turned off the firewall. That is the problem as I now see it. With the firewall on the listener fails to start.
Apr 23, 2009 10:38 PM | wraptur
I just posted in another area of this forum (http://forums.iis.net/p/1157128/1901692.aspx#1901692),
but I think this is the right place to post, judging by the fact that I have a similar problem.
I have verified it is using the right ports and that the firewall is allowing those ports. Internally passive mode works, but externally login works and as soon as I do a dir/ls and it tries to go to passive mode the connection dies. It looks like IIS 6 is sending the internal IP, which would of course not route externally. I have tried adding the external IP to the NIC as a secondary IP and setting the IIS 6 settings for the FTP site to the external IP, hoping it would pass that in the return command, but no dice.
Is there not a place to enter this reply-to IP, or masquerade IP, like the IIS 7 firewall external IP support?