Comodo is Blocking my ftp client

I see that moving the block all to the application rule interferes with the automatic generation of rules for new applications. So leaving it in the global rules and adding allow port 20 input ahead of it is the easiest solution.

Hi,

I’ve been trying to use my FTP client (SecureFX) with Comodo Firewall Pro 3.0.14.276, but no matter what I do, it doesn’t seem to work.

Just as a test, I set the first global rule to Allow / IP / In/Out / Any / Any / Any, moved the application setting for SecureFX to the top of the list, and added the rule Allow / IP / In/Out / Any / Any / Any. But even then, it still doesn’t work (neither active nor passive connections work).

Using net2ftp on my locally running web server doesn’t work either. For purposes of testing, every application is also set to Allow / IP / In/Out / Any / Any / Any.

Here are my global rules and an excerpt from my application rules (starting at the top):

Global: [ImageShack screenshot link]
Application: [ImageShack screenshot link]

The firewall is definitely causing the problem, as disabling it allows me to access FTP without any issues. I’d like to not have to install another FTP client (I need this one because I access some FTP servers over SSH - which seems to work without any issues whatsoever) if at all possible (although I’d settle for just getting net2ftp to work if there’s really no way around it).

Thanks in advance!

Suggest you add log to the existing rule for securefx so we can see exactly what it is asking to do. Also add a block and log all at the end of your application rules. Are you saying that SFTP over SSH works, but FTP over SSL does not? There may well be other programs (proxies) in the sequence, but I don’t use securefx or sftp. Do you get any popups or log entries when you use securefx?

Hi sded,

Thanks for the quick response. So I checked the “Log as a firewall event if this rule is fired” for both the application rule and global rule, and got a few entries (oddly enough, it took me about 10 tries to get anything logged apart from requests to IANA addresses). But there are a few blocked entries for “Windows Operating System” from the IP address of my FTP server (on port 20) to my computer (on port 5001).

That’s even more confusing though. Here’s my new set of application rules (I explicitly allowed the FTP server in the first rule): [ImageShack screenshot link]. From what I can tell, System shouldn’t be blocking anything at all (global rules are the same as before except that the first rule is now logged).

But yes, SFTP over SSH works perfectly, but FTP (no SSL) does not. The other thing is that I can log into the server, but when the client tries to get the directory listing, it hangs. Here’s the SecureFX log (login information obscured):

i Session 00004 established for session ftp..com
i Control connection successfully established.
< 220 ProFTPD 1.3.0 Server (ProFTPD) [***.***.***.***]
i Time zone of server could not be determined.

USER *****
< 331 Password required for .
PASS
< 230 User ***** logged in.
SYST
< 215 UNIX Type: L8
i Remote operating system type is UNIX.
PWD
< 257 "/" is current directory.
TYPE A
< 200 Type set to A
PORT ***,***,***,***,9,165
< 200 PORT command successful
LIST -a
< 425 Unable to build data connection: Connection timed out
i Data connection failure reported on listening socket 71AB3B91 (995).
< 421 No Transfer Timeout (300 seconds): closing control connection.
i Control connection closed with error code 10054.

There were no alerts from the firewall during the entire process (alert settings set to Very High). Any new insights?

OK, if it’s plain FTP that doesn’t work, your inputs on port 20 are just active FTP setup and there is no PASV in your logon sequence. Can’t see your destination port though, which could be any of the high ports. Don’t know why what you have doesn’t work, but try allow/tcp/in/any/any/20/any and allow/tcp/out/any/any/any/21 under securefx and you can particularize your server if that works. And check the log again - the blocks from port 20 are normally under the client, not the OS. But if that is what it takes to get it working, you can try adding the port 20 rule under WOS too. There may be a sequence of connections required. If you don’t already have any WOS rules, you can add it by going to add/select/running processes under the network policies and selecting WOS.
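As an added illustration of the active-mode exchange discussed above (not part of the original thread, and not SecureFX or Comodo code): this Python example reads a session log, decodes the PORT or 227 argument, and reports which data connection the client firewall has to allow. The sample log, its 192.0.2.10 address and all function names are constructed for the example.

```python
import re

# Constructed sample modelled on the SecureFX log in the thread; the address
# is an RFC 5737 documentation address, not a value from the page.
SAMPLE_LOG = """\
TYPE A
< 200 Type set to A
PORT 192,0,2,10,9,165
< 200 PORT command successful
LIST -a
< 425 Unable to build data connection: Connection timed out
"""

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^(?:> )?PORT " + SIX + r"\s*$")
PASV_RE = re.compile(r"^< 227 .*\(" + SIX + r"\)")


def _endpoint(fields):
    """Turn h1,h2,h3,h4,p1,p2 into (host, port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range: {fields}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connections(log_text):
    """List the data connections a session log asks for.

    PORT (active): the server dials in to the announced client port, by
    default from its port 20, so the client firewall sees inbound TCP.
    227 reply (passive): the client dials out to the announced server port.
    """
    found = []
    for line in map(str.strip, log_text.splitlines()):
        for mode, direction, src_port, rx in (
                ("active", "in", 20, PORT_RE), ("passive", "out", None, PASV_RE)):
            m = rx.match(line)
            if m:
                host, port = _endpoint(m.groups())
                found.append({"mode": mode, "direction": direction,
                              "src_port": src_port, "host": host, "port": port})
    return found


def data_connection_failed(log_text):
    """True if the server replied 425 (could not open the data connection)."""
    return any(l.strip().startswith("< 425") for l in log_text.splitlines())
```

The announced client port changes from one transfer to the next, so an inbound rule keyed on the destination port would not hold; the rule suggested in the thread matches on source port 20 instead.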

It works! :)

Well, after adding the FTP rules for the Windows Operating System anyway. I guess SecureFX does some weird things with connections. Thank you very much!

Glad it’s working for you. Don’t know why SecureFX deals through WOS for active mode - rechecked with Filezilla, and active FTP works fine without the WOS rule. Oh well, at least the block and log finds this stuff. I actually have one at the end of each rule set because of seeing things like this occasionally. You can do the particularization now for your server and system but might want to leave the block and logs around anyway - see attached for what I do for the system functions.

[attachment deleted by admin]

Yeah, SecureFX actually connects through WOS in passive mode also - not quite sure why. But in any case, I just decided to treat WOS as an “FTP client” since it doesn’t seem to need Internet access for anything else (based on my logs thus far).

Oh, and net2ftp also seems to rely on WOS for connectivity (not sure why). Just in case that ever comes up again.