CIS blocks access TotalCommander

CIS version 4 blocks TotalCommander's access to FTP. No messages are shown; the process hangs. In version 3 everything was normal.

If you are using Active FTP the data channel is now blocked by the Default Firewall rules of CIS v4.

Please configure your FTP client to use Passive/PASV instead of Active FTP.

Please read this for more details on Active vs. Passive FTP.

It basically comes down to:
Active FTP uses incoming traffic set up from the FTP server TO you.
Passive FTP needs “outgoing” traffic only.

Thanks, it works.
Is there any need to use Active FTP, and how do I set up Comodo-4 Active FTP for TC?

If you need Active FTP you have two choices.

  1. Run the Stealth Ports Wizard and choose “Alert for incoming connections”.
    This will reset your current Global Rules of the firewall and allow incoming traffic, as was the default on v3.x.

  2. Create an incoming rule that allows Active FTP from One or more FTP Servers.
    Go to Firewall → Advanced → Network Security Policy, switch to Global Rules tab and add the following.

Allow
TCP
IN
Source IP = IP of the FTP Server
Source Port = 20
Destination = Any
Destination port = Range 1023 - 65535

If you have more FTP servers that need Active, you can also create a group of server IPs called a “Zone”; you can then use this Zone in the Source IP field of this rule.

Now you need to switch back to your Application rules tab and verify that your FTP program is set to Trusted Application.

Apply the new policy and it should work.

I did as you said. There is no result.
Probably the error is in “Source IP = IP of the FTP Server”. How do I define it?
I tried the “loopback zone”, the “local area network” zone, and “Any”. It does not work.
TC is a Trusted Application.

Sorry, I forgot to mention that this rule needs to be above the Block IP Any Any rule.
Can you please verify that?

Also try to set Source = Any in this case; if it works, you can always start making the rule more restrictive…
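
The ordering issue raised above, as an added example that is not part of the original thread: a small model of the inbound data connection that an Active FTP `PORT` command triggers, and of how the allow rule's position relative to the block rule decides the result. It assumes top-down, first-match rule evaluation; the function names, rule dictionaries, addresses and the `PORT` line are constructed for illustration.

```python
# Added example: models Active FTP against an ordered firewall rule list.
# Addresses and the PORT line are constructed; first-match evaluation is an assumption.

SERVER = "203.0.113.10"                  # constructed FTP server address
PORT_CMD = "PORT 192,168,1,50,195,80"    # constructed client command

def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (client_ip, client_port)."""
    verb, _, arg = line.strip().partition(" ")
    fields = arg.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT field out of range: %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def active_data_connection(server_ip, port_cmd):
    """The inbound connection the server opens from port 20 after a PORT command."""
    client_ip, client_port = parse_port_command(port_cmd)
    return {"proto": "TCP", "dir": "IN", "src_ip": server_ip, "src_port": 20,
            "dst_ip": client_ip, "dst_port": client_port}

def matches(rule, pkt):
    """A missing src_ip/src_port/dst_ports field means Any; proto 'IP' matches all."""
    lo, hi = rule.get("dst_ports", (0, 65535))
    return (rule["proto"] in ("IP", pkt["proto"])
            and rule["dir"] == pkt["dir"]
            and rule.get("src_ip") in (None, pkt["src_ip"])
            and rule.get("src_port") in (None, pkt["src_port"])
            and lo <= pkt["dst_port"] <= hi)

def evaluate(rules, pkt, default="BLOCK"):
    """Return the action of the first rule that matches (top-down)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default

# The rule from the thread, and the block rule modelled as inbound "IP Any Any".
ALLOW_FTP = {"action": "ALLOW", "proto": "TCP", "dir": "IN", "src_ip": SERVER,
             "src_port": 20, "dst_ports": (1023, 65535)}
BLOCK_ALL = {"action": "BLOCK", "proto": "IP", "dir": "IN"}

if __name__ == "__main__":
    pkt = active_data_connection(SERVER, PORT_CMD)
    print("data connection:", pkt)
    print("allow below block:", evaluate([BLOCK_ALL, ALLOW_FTP], pkt))
    print("allow above block:", evaluate([ALLOW_FTP, BLOCK_ALL], pkt))
    other = active_data_connection("198.51.100.7", PORT_CMD)
    print("unlisted server:  ", evaluate([ALLOW_FTP, BLOCK_ALL], other))
```

Keeping the source pinned to the server's IP means a connection from any other host still falls through to the block rule, which is the reason to tighten the rule again after testing with Source = Any.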

Does not work.

I tried both setups, both work.

Best thing to do is set Total Commander to use Passive FTP.

Global:

Or per connection:

If that doesn’t work then you can stay on Active FTP but make sure your global rule is configured like this image here.
So same setup + location rule on top position number 1

Beware that this setup is less secure than the Passive version because this one allows incoming traffic to your system.


Hi, had the very same problem (my post):

  1. Run Stealth Port Wizard;
  2. Choose 2nd option;
    TC works as it should.