CFP and PASV FTP fix

I came to these forums looking for the answer to my problem only to find that my problem had not been answered, though it had been brought up several times. Apparently it has been an issue for a while that people have not been able to run their FTP servers in passive mode from behind CFP. I come to you with an answer!

  1. Proceed to the Security area of CFP.
  2. Select the Application Monitor.
  3. Go to your FTP server application in the list.
  4. Right click and select Edit…
  5. Set these criteria:
    Action: Allow
    Protocol: TCP
    Direction: Out
    Destination IP: Any
    Destination Port: Any
    Miscellaneous: Skip advanced security checks

This should allow you to access your passive FTP server that is behind CFP.

Nearly but not quite. This would only work if you also had a Network Monitor rule allowing inbound access to port 21 and to all ports above 1056. The inbound rule on port 21 is required as initial contact between the two parties is made on the FTP control port. In the case of a PASV connection, the host sends a response back to the client requesting what port the data should be sent back on and what port it should be sent from.

Making an Application Monitor rule is only half the trick. Application Monitor rules specify how an app would like to gain access (or in this case, receive requests), but it can only gain access (or receive requests) if there is a Network Monitor rule that allows traffic to or from that port.

Ewen :slight_smile:

Just to drop in my 2 centi-quatloos.

If your FTP server is behind the typical home NAT router, there are then 3 things that need to have identical settings: the router, CFP, and the FTP server. Get one of them wrong, and it won’t work.

On the FTP server software: Passive mode FTP uses TCP port 21 for incoming request commands. Data transfer occurs over a set of high address ports (for example, TCP ports 5910 to 5919, you pick the ports), or sometimes will fall back to TCP port 20. That depends on your software.

CFP: Has to have rules in place that allow inbound traffic on all those specified ports, to reach your server software.

On the router: You either enable port forwarding on all those specified ports, or you make the PC that is running the FTP server a “DMZ Host”. Either way, you will need to assign the PC a fixed address, so that packets coming in from the Internet can be routed to your PC.

And you probably want some ICMP and UDP/DNS traffic also, but that is the normal variety of stuff that’s not particular to running an FTP server. If you decide to run as a DMZ host, then you have additional security issues to worry about, as you’re running a machine that is facing the Internet directly and also has direct access to your LAN and so to any other PCs that you have.

Perhaps I should have clarified. This wasn’t a full FTP / CFP tutorial. I noticed on the forums that people wanted to set up their FTP servers using passive FTP and Comodo was blocking it. They were generally people who already understood all the port forwarding and had taken care of it like I had and were still having problems. This is the reason for those problems. The “advanced security checks” make passive FTP from the server running CFP impossible. Those checks block the outbound passive ports without giving any indication that they are doing so. I had assumed that if you knew what the topic subject meant then you would already know how to set up everything else.

I believe the real problem behind running an FTP server in PASV mode on a PC behind CFP is because the client sets the port that will be used by the server to receive the incoming FTP request. This is how PASV FTP connections have been designed to ease FTP from behind a firewall. As the client can set any port above 1056, CFP may or may not have a Network Monitor rule that allows inbound traffic on the port that the client has specified.

Ewen :slight_smile:

Hi,

Hihihi, I might set one on top:

PASV was developed for proxy ISPs that do not allow direct FTP connections.

So you might not use PASV?

Please discuss that.

Mike

As I read that, it sounds like a description of normal FTP mode, kind of. But a remote client can’t tell a server which server port to allocate, that risks re-use collisions and potential security problems.

I went and refreshed my memory on FTP protocol at File Transfer Protocol - Wikipedia

and tripped over this problem of servers behind NAT routers. The underlying FTP PORT command, sent in response to a PASV connection, has the server IP address embedded. If the server is behind a NAT router, then the server has a private IP address. Which the remote client can’t connect to, as it very likely appears to be on the remote client LAN (I’m assuming 192.168.x.y addressing).

Two possible solutions for that:

  1. is to use “extended passive FTP (EPSV)” which returns only the port assignment. This assumes both server and remote client have EPSV support.

  2. is that the server can somehow determine its real Internet address while being behind a NAT router, and then use that real address in the PORT command. That may, or may not, be possible, depending on the FTP server software. It’d probably require something like a dyndns.org hostname that gets looked up every time a remote client does a passive connection. A manual setting would work, but it’d change with each DHCP connection.

And not a whole lot of this has to do with a firewall either… But here is where folks come to ask where the problem is…
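The two failure modes described in this thread (Ewen’s point that the data port the server announces may not be covered by any inbound firewall/forwarding rule, and the post above’s point that a server behind NAT announces a private address the client cannot reach) can both be seen by parsing the server’s 227 reply to PASV the way a client does. The following is an added example, not code from any post in this thread or from CFP: it encodes and decodes the 227 reply (h1,h2,h3,h4,p1,p2, port = p1*256 + p2), decodes the 229 reply to EPSV (port only, no address), and reports why a data connection after a given reply would fail. The sample replies, the 5910–5919 passive range and the 203.0.113.7 “public” address are constructed for the example.

```python
"""Parse and sanity-check FTP passive-mode replies (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample replies, not captured from any real server.
PASV_REPLY_NAT = "227 Entering Passive Mode (192,168,1,20,23,26)."   # 192.168.1.20:5914
PASV_REPLY_OK = "227 Entering Passive Mode (203,0,113,7,23,26)."     # 203.0.113.7:5914
EPSV_REPLY = "229 Entering Extended Passive Mode (|||5915|)"

# Hypothetical passive data-port range, in the style of the "5910 to 5919"
# example in the thread; router forwarding and CFP Network Monitor rules
# must allow inbound TCP on every port in it.
PASSIVE_PORTS = range(5910, 5920)

# RFC 1918 ranges: an address here can only be reached from inside the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def is_rfc1918(ip):
    """True if ip is a private (RFC 1918) IPv4 address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Client side: return (ip, port) from a 227 reply. Port is p1*256 + p2 (RFC 959)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Client side: return the port from a 229 reply (RFC 2428). No address is carried;
    the client reuses the address it reached on the control connection."""
    if not reply.startswith("229"):
        raise ValueError("not a 229 reply: %r" % reply)
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError("no (|||port|) field in: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in: %r" % reply)
    return port


def build_pasv_reply(ip, port):
    """Server side: encode the address and port the client must connect to."""
    if not 1 <= port <= 65535:
        raise ValueError("bad port %d" % port)
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address required: %r" % ip)
    return "227 Entering Passive Mode (%s,%d,%d)." % (",".join(octets), port // 256, port % 256)


def diagnose_pasv(reply, control_peer_ip, allowed_ports=PASSIVE_PORTS):
    """Explain, from the client's side, why the data connection after this 227 would fail.

    control_peer_ip is the address the client reached on port 21.
    Returns a list of problem strings; an empty list means the data connection should work.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append("advertised %s is an RFC 1918 address: the server is behind NAT and "
                        "did not substitute its public address" % ip)
    if ip != control_peer_ip:
        problems.append("advertised %s differs from the control peer %s: cautious clients "
                        "ignore it and reuse the control address" % (ip, control_peer_ip))
    if port not in allowed_ports:
        problems.append("port %d is outside the forwarded/allowed range %d-%d"
                        % (port, allowed_ports[0], allowed_ports[-1]))
    return problems


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY_NAT))
    for problem in diagnose_pasv(PASV_REPLY_NAT, "203.0.113.7"):
        print(" -", problem)
    print(diagnose_pasv(build_pasv_reply("203.0.113.7", 1025), "203.0.113.7"))
```

Running the NAT sample against a control connection that reached 203.0.113.7 reports both the private address and the address mismatch; a reply announcing port 1025 reports only that the port lies outside the range the router forwards and CFP allows, which is the case Ewen describes where the announced port has no matching Network Monitor rule.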

If someone here wants to write a full tutorial on CFP and FTP servers then go right ahead. Just be aware of this issue when you do. I don’t write tutorials and I don’t generally post fixes because I always have to deal with smarty mcsmartypants replies. I probably shouldn’t have posted this and just left everyone who didn’t know in the dark.

Regardless, I didn’t set up this thread to discuss the problems that come with running a PASV FTP server behind CFP. I started it to give people a solution. Thanks for hijacking my thread though. And then taking it off topic. It is appreciated.

The simple fact of the matter is that that checkbox blocks passive FTP. I attempted to connect to the server when it was unchecked and got undesirable results. I attempted to connect to the server when it was checked and got desirable results. I repeated those steps. Thus the issue WAS CFP blocking the PASV connection and the fix presented DID take care of the problem.

If that solution works, then, fine.

Ewen :slight_smile:

Given the number of folks who have tried with varying degrees of success to get FTP PASV mode working in a NAT environment, if there was a single point solution, it would have become the standard answer. Since the question keeps reappearing, then there is something else going on, beyond a “firewall to allow all ports”. The topic seemed to be a place to accumulate the various problems and workarounds, very few of which turn out to be firewall related. Even without a firewall, getting FTP PASV in NAT to work is not a guaranteed proposition. It’s not clear that having the FTP server be an ‘ICS host’ would work.

The only thing that is known to work, with all servers and all remote clients, is to have the FTP server directly on the Internet with a static address. No NAT. Otherwise, there is some combination of server and remote client that is going to fail. Then we get to talk about firewalls. But the firewall is the first thing suspected of being the problem.

You just can’t seem to get through to some people. Having fun grue? You definitely like to talk, that’s for sure. I just want to reiterate for you that I don’t care at all how complicated it is to set up an FTP server in a NAT. What I care about is that I was trying to help people by telling them how to have CFP allow it. I don’t care what FTP server you’re using, what routers/switches/hubs you’re using, what your ISP blocks, or how you cry yourself to sleep at night because people don’t listen to you. This checkbox stops PASV FTP from working while CFP is running. That is the main point of this thread. So I will reiterate so people don’t get confused by this big long thread in which most of what is stated has nothing to do with the thread title.

As for the rest of setup: https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/how_to_understanding_creating_network_control_rules_properly-t1125.0.html
Check out this awesome tutorial by m0ng0d.

Thanks. Problem solved.