command prompt ftp problem

Hi everyone, I’m just new here :wink:
I’ve now been using Comodo Internet Security for some time and I like it very much. But now I’ve run into a problem with the firewall and I can’t figure out how to solve it.
The problem is that when I try to upload files through command prompt ftp it doesn’t work. I can connect with the server, but I just can’t upload a file. When I turn the firewall off it works just fine, so I figured it has to be something in the firewall then.
Other ftp clients work fine (I tested with Filezilla and windows explorer ftp), but command prompt ftp doesn’t work. The reason why I want to use command prompt ftp is because I want to automate the uploads of some files, which is very easy with batch files (I hoped and thought).
So can anyone please help me with this problem? I’ve been looking at firewall events, but I don’t see any recent happenings.

Edit: I’ve also searched on the forum and help files, but I can’t find anything that seems similar to this.

Please check out this post, I think it could fix your problem:;msg312228#msg312228

Well I tried the passive mode, but it still doesn’t work. I also can’t remember running the stealth ports wizard… Anyway thanks for the try, do you have any other ideas Ronny? Or anyone else?

Is it always the same server IP you need to upload to?

You can check the firewall policy for ftp.exe and set a rule that allows all traffic in/out from and to that server.

Source ANY
Source port ANY
Destination port ANY

Source port ANY
Destination ANY
Destination port ANY

See if that works.

Well I tried it with the rules set to any IP and it doesn’t work. I’m not sure if I did it right though. I went into the advanced firewall settings and under network security policy I added the rules you told me to (under ftp.exe of course).
Hopefully you have more ideas Ronny, thanks for your efforts so far :wink:

Can you post a screen shot of your global rules?
And one of the rule for ftp.exe?

Hope these are the ones you want and give you enough information :wink:

[attachment deleted by admin]

This should work. Can you post a screenshot of the FTP session going bad?

A shot of the command box? Are you trying manual or using the script? If using the script, can you try manual, to see if there is something in the script that’s breaking things?

I doubt it’s the script as it works fine with the firewall off. Anyway, this is it, if you spot any errors I’d be happy to know :wink:

I have a .bat file with the following line:

ftp -s:ftp_settings.scr

the .scr file only has my login name and password for now. I tried it with commands in, but because that didn’t work I took those out for testing purposes. So all it does atm is log me in on the server and then allow me to type any commands.

In the screenshot I typed the “put test.txt” manually, the file is there and I have the rights to save it there at the server. I also tried it in passive mode by typing “literal pasv” before trying to upload anything. The error was the same.

The first image is with the firewall on and the error it causes. The second picture is with the firewall off, as you can see the script should be fine.

On a side note, I have my firewall in training mode, I don’t know if that could cause any problems?

[attachment deleted by admin]

Can you check the firewall’s “attack detection” settings and post which are enabled?

And can you try with Firewall mode set to Safe-Mode?

The attack detection settings are:

All Flood settings are set to 20.
The suspicious host scan is set to 5 Minutes.
Firewall emergency mode after DOS attack: 120 Seconds

ARP Cache off and the setting below that is greyed out because of that.

On the miscellaneous tab only Block fragmented IP datagrams is turned on, all the others are off.

I’ll now run a test in Safe-mode and see what that does :wink:

Edit: Nope, sorry, no luck with safe mode either. Same error again in both active and passive mode. Thanks again for all your efforts Ronny :wink:

Well, last thing I can think of is to untick “fragmented IP datagrams” and see if that helps.
If that doesn’t work we need a packet capture to see what’s going on on the “wire”…

I turned the fragmented IP datagrams off, but it still doesn’t work :frowning: Can you tell me how to do a packet capture (or a link where it is explained)?

You can download wireshark here:

Close as many programs as you can to prevent pollution of your capture.
See if you can start a capture, run the script and after it fails, stop the capture…

What about adding a rule similar to the above one but for IP into global rules just so that is taken out of the equation?

Source ANY
Source port ANY
Destination port ANY

Source port ANY
Destination ANY
Destination port ANY

Make sure they’re positioned at the top of the Global Ruleset.

That also didn’t work Matty_R :frowning:
[at] Ronny, I did the capture, do you want me to post it here as there seems to be some private data in it as well. The password of my ftp account for example and a lot of IP addresses.
Is there anything I should look for in the captures that might indicate what’s wrong? I did a capture with the firewall on and with the firewall off for comparison. At first glance I can only see it tries to connect and after that fails it tries it again. It does that a few times. But that’s only what I see at first glance.

Edit: I found something called “follow TCP stream”, it shows exactly what the cmd prompt window shows (the “welcome to this server” thing and so on). I don’t see any extra information on errors, but I also don’t know if I’m looking in the right place…

If you still have the error from the command-box “could not connect to socket xxxxx” you have to filter on that number to see what’s going on with that session.

in the filterbox type:


And press apply, that should filter all traffic from and to this port…
You’ll probably only see 3 times a SYN request from your IP to the FTP server

hhmmmm… ??? when I enter what you said it doesn’t show anything. Not in the session without firewall and not in the session with firewall. I found the port number using the “follow tcp stream” as that shows exactly what the cmd window showed before… Also looking at the IP’s I now realize that the reconnection stuff was from another service and didn’t connect to the same IP as the server’s, I actually think it was no reconnection event, but just something that happened 3 times during the time I ran the test.

This is what the “follow tcp stream” displays:

220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 14 of 50 allowed.
220-Local time is now 11:23. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER jvport
331 User jvport OK. Password required
PASS <removed for privacy>
230-User jvport has group access to:  jvport    
230 OK. Current restricted directory is /
PORT 192,168,1,160,19,137
200 PORT command successful
STOR test.txt
425 Could not open data connection to port 33452: Connection timed out
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

Edit: After some fiddling with filters I filter all events on the server’s IP, that gave me some interesting new stuff and also the SYN requests you’re talking about :wink: This is what it says right after the 200 PORT command successful with firewall:

ftp > glishd [ACK] Seq=472 Ack=73 Win=5840 Len=0
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460

and then it says that the connection to port xxxxx has timed out. So it tried to reconnect 4 times but gets no response it seems to me, or at least not the desired response.

Without firewall it looks like this after the 200 PORT command successful:

ftp-data > rfe [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp > nmsigport [ACK] Seq=471 Ack=73 Win=5840 Len=0
Response: 150 Connecting to port 33440
ftp-data > rfe [ACK] Seq=1 Ack=1 Win=5840 Len=0
ftp-data > rfe [ACK] Seq=1 Ack=27 Win=5840 Len=0
Response: 226-File successfully transferred
ftp-data > rfe [FIN, ACK] Seq=1 Ack=28 Win=5840 Len=0
ftp > nmsigport [ACK] Seq=596 Ack=79 Win=5840 Len=0
Response: 221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
ftp > nmsigport [FIN, ACK] Seq=663 Ack=79 Win=5840 Len=0

I hope all this makes some sense to you, because to me it really doesn’t xD But it seems the ftp doesn’t connect in the right way with the firewall on. As everything after PORT 200 is different, while I would expect the first things to look the same and then an error somewhere.

Edit2: put the stuff in code tags, hopefully that makes it a bit easier to read.

ftp > glishd [ACK] Seq=472 Ack=73 Win=5840 Len=0
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460

Based on this, I think the server is on the first row (ftp, ftp-data), and this is Active FTP because the server is trying to connect to you… ftp-data → tcp 5001 (commplex-link) SYN.

But there seems to be a firewall rule in between that’s dropping this traffic.

  1. Can you capture this with LITERAL PASV before the put command to see if behavior changes?
  2. Can you check your Firewall logs again to see if it records blocks (especially for windows exe’s)?
  3. Do you have any rule with BLOCK on your application rules?
  4. Just to be sure, Windows firewall is turned off?

Well with literal pasv it changes slightly, but it still shows a lot of commplex links.

After entering literal pasv and getting the 200 PORT:

ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp > westell-stats [ACK] Seq=522 Ack=79 Win=5840 Len=0
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460

After that it says the connection timed out again.

I checked the firewall logs again, still only the stuff from several months ago, nothing recent.
The only application with a block rule is Comodo itself. Under Comodo it says:

Allow all outgoing requests
Block and log all unmatching requests

I can’t edit those, it says I need to do that via the predefined firewall policies.
Finally I double checked windows firewall again, it’s turned off.

Edit: Thanks for all the help Ronny and Matty, but it’s not needed anymore :slight_smile: After searching on google for “cmd prompt passive mode” I found a forum which suggested using another program that allows cmd prompt ftp with things like true passive mode and some other features. The program I found is called ncftp, I ran some tests with it and it seems to do everything I want.
So thanks again Ronny for all the help, but I’ve found another solution :smiley:
If you still like to find out what is causing my problem though I’m willing to help as it may improve the firewall, but as I seem to be the only one having this problem (or the only one using cmd prompt ftp xD) I think this can be put to rest.
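
Added example (not part of the original thread): a Python sketch of the two checks discussed above, decoding the `PORT` argument from the posted control stream (the "Active FTP" analysis) and testing whether the data-channel handshake in the posted capture summaries ever completed. The `PASV_THEN_PUT` transcript is constructed to mirror what the poster reports after `literal pasv`, and all function names are hypothetical.

```python
import re

# Excerpts copied from the captures posted in this thread (server-to-client packets).
CONTROL = """PORT 192,168,1,160,19,137
200 PORT command successful
STOR test.txt
425 Could not open data connection to port 33452: Connection timed out"""
FW_ON = """ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > commplex-link [SYN] Seq=0 Win=5840 Len=0 MSS=1460"""
FW_OFF = """ftp-data > rfe [SYN] Seq=0 Win=5840 Len=0 MSS=1460
ftp-data > rfe [ACK] Seq=1 Ack=1 Win=5840 Len=0"""
# Constructed (not from the thread): "literal pasv" followed by "put".
PASV_THEN_PUT = """PASV
227 Entering Passive Mode (203,0,113,10,200,10)
PORT 192,168,1,160,19,138
STOR test.txt"""

def decode_hostport(arg):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, port), where port = p1*256 + p2."""
    n = [int(x) for x in arg.split(",")]
    if len(n) != 6 or not all(0 <= v <= 255 for v in n):
        raise ValueError(f"bad host-port argument: {arg!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def transfer_mode(control):
    """Mode of the first STOR/RETR (None if there is none): last PORT or 227 wins."""
    mode = None
    for line in control.splitlines():
        if m := re.match(r"PORT ([\d,]+)$", line):
            mode = ("active", *decode_hostport(m.group(1)))
        elif m := re.match(r"227 .*\(([\d,]+)\)", line):
            mode = ("passive", *decode_hostport(m.group(1)))
        elif re.match(r"(STOR|RETR) ", line):
            return mode

def data_handshake(summary):
    """(SYN count from ftp-data, True if a later non-SYN ACK shows it completed)."""
    flags = re.findall(r"^ftp-data > \S+ \[([^\]]+)\]", summary, re.M)
    return sum("SYN" in f for f in flags), any("ACK" in f and "SYN" not in f for f in flags)

def diagnose(control, summary):
    mode, ip, port = transfer_mode(control)
    # A 425 reply naming another port means PORT was rewritten in transit (likely NAT).
    seen = re.search(r"^425 .*port (\d+)", control, re.M)
    syns, done = data_handshake(summary)
    return {"mode": mode, "port": port, "syns": syns, "handshake": done,
            "rewritten": bool(seen) and int(seen.group(1)) != port}
```

For the firewall-on capture, `diagnose(CONTROL, FW_ON)` reports an active-mode transfer to port 5001 with four unanswered SYNs, and the constructed transcript shows why `literal pasv` changes nothing when the client still sends `PORT` before `STOR`.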