Comodo Firewall + ftp server doesn't work well

Hi
I run ftp server on my WinXP Pro. Users can only connect when Comodo is set “allow all”. I would like to use my ftp on “custom”. I’ve already set rules to allow all ports, allow in, allow out, allow tcp, allow udp, skip advanced security checks but nothing helps ??? where is the problem? Does Comodo support ftp servers?
my ftp server is Guild FTPd: http://www.guildftpd.com/
thx in advance

Does your log show anything being blocked?

jasper

Comodo log shows “Inbound policy violation” (access denied, ip=…, port=ftp(21)) for ip of friend who tried to enter ftp

also on “custom” setting I can’t ping my computer (this is sometimes good) and most important thing for me I cannot use remote desktop :frowning:

For starters write this rule and put it above any block rules(very important):

ALLOW - check the checkbox to allow logging this rule
TCP
IN

Source Address: ANY - Can use actual IP addresses here if you know everyone's IP that will use it
Destination Address: ANY or Your own IP address
Source Port: ANY
Destination Port: 21

This rule should get your FTP working.

As far as the ping you have to make a rule to allow ICMP out from your computer so the firewall will allow it. If you need more help please post back and myself or someone else will gladly help you.

jasper

EDIT: Forgot to add this. If you use ANY as the source address then you are allowing anyone to access your ftp server. A better option is to make a rule for each person that will be accessing it. If there are too many then you could just set the rule to BLOCK when you don’t want anyone to access it.

wow, I didn’t even know I can browse/edit/create block/allow scripts :slight_smile: found it in network monitor. I’ve added the rule you told me and it looks quite good… Total Commander can use ftp with no problem but via explorer no files/dirs appear in the window, user has rights to LIST. I can manually (write dir name at the end of address) enter some directory but I can’t list anything. READ works well in explorer, only LIST makes a problem

Ok, the log stuff you posted is from the ftp server connecting, am I right?

I am assuming you are talking about accessing the ftp server from your machine. So you are saying that it won’t list the files in the folder from your machine using a browser(Internet Explorer)?

If you go to “Tools>Internet Options>Advanced” in IE is “Enable FTP folder view(outside of Internet Explorer)” checked?

Also can other users view the files from the outside? Check the firewall log again to see if something is being blocked.

jasper

To this rule I’ve added port 3389 and now remote desktop works fine.

but ftp…
Internet explorer, ftp folder view is checked.

I’m still testing ftp from localhost and from remote computer, almost same problem with LIST on both.
Why almost: on localhost I just don’t see the files, on remote computer I got a message “you don’t have permission”. List rights are correct so I can’t figure out what’s wrong

I also notice when I do LIST using totalcmd my comodo Activity->Connections show some more ports than just 21 ??? don’t know if it should use some other ports than 21 ???

http://img96.imageshack.us/img96/4540/55833574ex3.jpg

2045 and 2049 but next time those ports are different so I cannot even use those ports to my allowed rule

ok this should help to solve the problem (localhost):

  • guildftpd log while using internet explorer
noop
200 NOOP command successful.
CWD /
250 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (x,x,x,x,8,218)
LIST
150 Opening ASCII mode data connection for /bin/ls (111 bytes).
226 Transfer successful.
  • guildftpd log while using totalcmd
USER x
331 User name okay, Need password.
PASS 

230 User logged in.
SYST
215 UNIX Type: L8 Server
FEAT
500 'FEAT': command not understood.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PORT x,x,x,x,8,250
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls (111 bytes).
226 Transfer successful.

ok let me install the ftp server so I can get a handle on it to see how it operates and I will get back with you.

One thing, if the firewall log (Activity>Logs) is showing anything being blocked then you will have to write a rule for it so that it will be allowed.

Back in a while.

jasper

some addition info:
remote IE can’t do LIST, but remote FF can do it, and it returns that:

GuildFTPd FTP Server (c) 1997-2002
Version 0.999.14

FTP Directory: ftp://x [ at ] x.no-ip.x/

[DIRUP] Parent Directory (Root Directory)
[DIR]  dir1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 18 15:57        
[DIR]  dir2..... . . . . . . . . . . . . . . . . . . . . . . . . . . . Jun 29  1:09        

Generated Sat, 30 Jun 2007 19:06:20 GMT by squid.wsisiz.edu.pl (squid/2.6.STABLE13) 

my home FF can’t do LIST, so it looks like my remote FF is same advanced as totalcmd :slight_smile: anyway i would like my ftp more universal, not only for totalcmd users.
I will notice that Comodo “allow all” setting solve this problem.

log shows that Comodo blocked ip of person who tried to LIST (via IE) on port 2848, this port is (at least I think it is) random, so I can’t make rule to allow this port

I finally figured out how to get the connection with IE. Was very simple actually.

I was able to get IE working by going to “Tools>Internet Options>Advanced” and unchecking “Use Passive FTP (for firewall and DSL modem compatibility)”.

I was able to connect either with an ftp client or IE or Firefox.

I used “ftp://server IP address” in the address window of the browser. A login pop-up comes up for the username and password and am able to see all of the files and folders.

I have a router so I had to also forward port 21. I also made a rule to allow port 21 IN.

EDIT: I always forget something when I post. You can also open any explorer window and type in “ftp://server IP address” in the address window and it should give you a login window and the files look just like a windows folder.

hope this helps.

jasper

ok thx and congratulation :beer:
overall I think the developer team should take a look at this, cause you cannot expect that every user will know how to use your ftp. No problem when it’s small ftp, but what when it’s big public ftp? if Comodo want to be the best it should work on it :wink:
cheers (:WAV)

edit: oh and this could be added into FAQ

The problem with IE not connecting wasn’t the firewall it was a setting in IE. With the default settings on CFP and the Network Zone set up properly a regular user should be able to connect to an ftp server without any problems as long as the setting in IE is changed.

As far as the setup of the ftp server itself so it can be used with a firewall, well, that is how you would have to set it up with any firewall and not just CFP exclusively.

Anyway on the Source Ports changing each time a user logs in just use “ANY” there because there is no way that you can keep up with the port changing randomly on their end.

jasper
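
Why an inbound rule for port 21 alone was enough for Total Commander but not for IE, worked through on the two GuildFTPd logs posted earlier in the thread. This is an added example, not code from any poster, Comodo or GuildFTPd; the rule check is a simplified model that assumes outbound connections from the server are permitted.

```python
import re

# Six comma-separated fields h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply.
# The logs in this thread mask the host octets as "x", so "x" is accepted too.
HOSTPORT = re.compile(r"(?:(?:\d{1,3}|x),){4}(\d{1,3}),(\d{1,3})")

def data_port(line):
    """Return the TCP data port encoded in a PORT command or a 227 reply."""
    m = HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    p1, p2 = int(m.group(1)), int(m.group(2))
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes out of range in: %r" % line)
    return p1 * 256 + p2

def data_channels(log_lines):
    """List each data-channel negotiation found in a control-connection log."""
    found = []
    for raw in log_lines:
        line = raw.strip()
        if line.upper().startswith("PORT "):
            # Active mode: the client listens, the server connects out to it.
            found.append(("active", data_port(line)))
        elif line.startswith("227"):
            # Passive mode: the server listens, the client connects in to it.
            found.append(("passive", data_port(line)))
    return found

def server_inbound_ok(mode, port, allowed_in):
    """Would the server's inbound rules let this data connection through?
    Simplified model: outbound from the server is assumed to be allowed."""
    return mode == "active" or port in allowed_in

# Log lines copied from the two GuildFTPd sessions posted in the thread.
IE_LOG = ["PASV", "227 Entering Passive Mode (x,x,x,x,8,218)", "LIST"]
TOTALCMD_LOG = ["PORT x,x,x,x,8,250", "200 PORT command successful.", "LIST"]
ALLOWED_IN = {21, 3389}  # the inbound ports opened in the thread

if __name__ == "__main__":
    for name, log in (("IE", IE_LOG), ("Total Commander", TOTALCMD_LOG)):
        for mode, port in data_channels(log):
            ok = server_inbound_ok(mode, port, ALLOWED_IN)
            print("%s: %s mode, data port %d, %s"
                  % (name, mode, port, "passes" if ok else "blocked"))
```

The passive port is chosen by the server per transfer, which is why the blocked port in the firewall log differed on every attempt.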