CPF and FTP server??

Hi everyone,
I’m trying to use CPF with Filezilla server or warftpd.
I opened port 21 and gave the application any-to-any on all ports.
In both I can log in with a client but the folder listing doesn’t work.
They both work perfectly when I set CPF to allow all.
Please help.

Doing a real fast eyeball check of the Filezilla FAQ at FileZilla Wiki, seems to explain all the various details about getting Filezilla to work with a firewall. It’s a bunch of ports that need to be opened, not just port 21. That will be true for any FTP server, not just Filezilla. It’s the way FTP works.

mcse, welcome!

Are you on the Server side of the FTP connection, or the Client side?

LM

Thank you for your answer,
I know a little about FTP but thanks for the input - I didn’t mention I opened ports 40000-40050
incoming and outgoing - I configured the FTP server to use this range for passive mode

Still I cannot list directories…
I changed the range to 50000-50100; now I do not get an error, but if a user logs in he gets only the root directory without its content.

I would appreciate any useful information.

Just to make sure all is clear, CFP provides a layered approach to security, with its different “Monitors.” For Outbound connection, the order will be Application first, then Network. For Inbound, that reverses.

For your server application, you need to make sure your Application Monitor rule Allows In and Out; All Destination Ports would probably be the best way to make sure there are no conflicts.

Then in Network Monitor, you will need to specify Inbound rules to the port range you assigned the FTP server within its internal settings. So it would look something like this:

Action: Allow
Protocol: TCP
Direction: In
Source IP: Any
Destination IP: Any (or your external IP, if it’s static)
Source Port: Any
Destination Port: Range of Ports: 40000-40050

OK. Then make sure the rule is at the top of Network Monitor (position Rule ID 0); you can Move it to that position if it’s not already there, and reboot (to clear memory and set the rule).

That should take care of it.

LM

Just to throw a wrench into the works, FTP is not a simple protocol. It embeds IP addresses into the protocol exchange, and if your server is sitting behind a NAT router, then the IP addresses the client sees aren’t the IP addresses of the server.

This has a good explanation of the protocol, and the problems, and the workarounds: The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load Balancing Router

The usual solution for Internet-accessible FTP servers on home LANs behind NAT routers is to have the server as a “DMZ host” so far as the NAT router is concerned (or port-forward a bunch of stuff on the router), use something like dyndns.org for name resolution, and use only FTP PASV mode transfers.

And then you have the CFP configuration on your server, which you will definitely need.

Hi again
I did all that before:
1. open port 21 in/out any to my IP
2. open port range in/out
3. server application any to any all ports in/out

I can log in but in passive mode I can’t see anything in the root directory.
In active mode all is well.

Most clients run in passive mode by default; how can I fix the passive mode function?

Time for some debugging then…

First up, do some logging. In CFP, create a rule that does “block all and log”. Probably after your rule to accept port 21/tcp. What you want to do, is to see the port and IP address of the inbound client connection. The CFP Activity Logs will give that to you. Once you have that, then you can craft the necessary ports. It will also tell you whether or not the client is even getting in. Once you find that out, you can remove your “block all and log” rule.

If your FTP client is on your LAN, as a second machine, the CFP logging will probably tell you all you need to know.

If your FTP client is on the Internet, then your router has to be configured to allow port 21/tcp and the passive ports to get thru to your FTP server. That will require you to have a static LAN address that the router will forward to. You’d need to use a static LAN address as a DMZ host configuration, if you use that method, rather than port forwarding.

If you can, get things working using a LAN client, so you don’t have the router configuration potentially confusing things. There is a lot going on, and things are best done in stages, getting one thing working at a time.

This rule should already be in place, at the very bottom of your Network Monitor. It should be something like: Block & Log, IP, In/Out, Source/Destination IP: Any, IP Details: Any.

To give you some detail on using the logs advantageously, go to activity/Logs. Right-click any entry and select “Clear all logs.” Then try to connect to the FTP Server (or have someone do it for you), using Passive mode.

Then go back to Activity/Logs. Right-click an entry and select “Export to HTML.” Save the file and reopen it (opens in browser). The bottom is the oldest entry.

You can either review the logs and modify the rules yourself, or do the following: From the bottom, Highlight and Copy approximately six entries. Then Paste into your next post here in the forums. If your external IP address shows in the entries (it will match up with the IP showing in the lower-right corner of your posts here), you may mask it with “x” for privacy.

Then we’ll look through and help you build the Network Rules accordingly.

LM

PS: I note you keep referring to In/Out Ports, such as this:

2.open port range in/out
In Network Monitor, you really should keep these types of rules separate. If you're creating dedicated Inbound rules to open ports for access, you want those separate, and at the top of the list. You should not need to create any Outbound rules, provided you have retained the default Allow TCP/UDP Out Any/Any/Any/Any rule.

Hi,

I have a very similar problem in getting Filezilla server to work on my comodo FW.

When I shut down the FW, access is OK. But when I re-initialise Comodo, the FTP cannot be accessed.

I’ve tried different solutions offered on this forum none works for me.

So following your suggestion here is the content of the log. This was created trying to access my Server with http://www.net2ftp.com/

Date/Time :2007-11-23 21:55:25
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Incoming
Source: 192.168.2.1
Destination: 224.0.0.1
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:50
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 85.10.195.89, Port = ftp(21))
Protocol: TCP Incoming
Source: 85.10.195.89:44444
Destination: 192.168.2.10:ftp(21)
TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:25
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Incoming
Source: 192.168.2.1
Destination: 224.0.0.1
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:25
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 85.10.195.89, Port = ftp(21))
Protocol: TCP Incoming
Source: 85.10.195.89:44444
Destination: 192.168.2.10:ftp(21)
TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:15
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 85.10.195.89, Port = ftp(21))
Protocol: TCP Incoming
Source: 85.10.195.89:44444
Destination: 192.168.2.10:ftp(21)
TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:05
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 85.10.195.89, Port = ftp(21))
Protocol: TCP Incoming
Source: 85.10.195.89:44444
Destination: 192.168.2.10:ftp(21)
TCP Flags: SYN
Reason: Network Control Rule ID = 5

As added information here are the rules at play on my FW

rule 0 : ALLOW TCP or UDP OUT FROM IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS [Any]

rule 1 : ALLOW ICMP OUT FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS ECHO REQUEST

rule 2 : ALLOW ICMP IN FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS FRAGMENTATION NEEDED

rule 3 : ALLOW ICMP IN FROM IP [Any] TO IP [Any] WHERE ICMP MESSAGE IS TIME EXCEEDED

rule 4: ALLOW IP OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO IS GRE

rule 5 : BLOCK and LOG IP In or OUT FROM IP [Any] to IP [Any] where IPPROTO is ANY

I understand that the last one is the offending one. But it is needed so as not to be naked in the sun.

I probably need 1 or 2 rules placed before it to allow Filezilla server to go through.

Now, what should be the rule or rules to get my FTP server accessible from the outside world?

I have no clue whatsoever.

I kind of understand the principles at play here, but I don’t have the time to really get to it now.

So if you can help me I would appreciate it.

Many thanks

Diphda
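As an added example (not code from the thread or from Comodo), here is a small Python parser for the Network Monitor log export in the format quoted above. It counts the denied inbound TCP attempts by rule ID, destination host and port, ignores the IGMP noise, and renders the allow rule in the notation the thread uses; the two sample entries are constructed from the values in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of the CFP "Network Monitor" log export quoted above:
# one IGMP entry (the router's multicast query, unrelated to FTP) and one TCP SYN to port 21.
SAMPLE_LOG = """\
Date/Time :2007-11-23 21:55:25
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Incoming
Source: 192.168.2.1
Destination: 224.0.0.1
Reason: Network Control Rule ID = 5

Date/Time :2007-11-23 21:54:50
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 85.10.195.89, Port = ftp(21))
Protocol: TCP Incoming
Source: 85.10.195.89:44444
Destination: 192.168.2.10:ftp(21)
TCP Flags: SYN
Reason: Network Control Rule ID = 5
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")   # "Key :value" / "Key: value"
DST_RE = re.compile(r"^(?P<ip>[\d.]+):(?:[a-z0-9-]+\()?(?P<port>\d+)\)?$")  # 1.2.3.4:ftp(21)
RULE_RE = re.compile(r"Rule ID = (\d+)")

def parse_entries(text):
    """Split an export into dicts, one per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                entry[m.group(1).strip()] = m.group(2)
        if entry:
            entries.append(entry)
    return entries

def denied_tcp_inbound(entries):
    """Count blocked inbound TCP connection attempts by (rule id, dst ip, dst port)."""
    hits = Counter()
    for e in entries:
        if not (e.get("Protocol", "").startswith("TCP Incoming")
                and "Access Denied" in e.get("Description", "")):
            continue
        dst = DST_RE.match(e.get("Destination", ""))
        reason = RULE_RE.search(e.get("Reason", ""))
        if dst and reason:
            hits[(int(reason.group(1)), dst["ip"], int(dst["port"]))] += 1
    return hits

def allow_rule_for(dst_ip, dst_port):
    """The Network Monitor rule, in the thread's own notation, that admits this traffic."""
    return (f"ALLOW TCP IN FROM IP [Any] TO IP {dst_ip} "
            f"WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS {dst_port}")
```

Run it over a real export (saved as text) instead of SAMPLE_LOG and the counter shows exactly which rule ID, host and port a client's SYNs are dying on.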

Hello Diphda,

From looking at your log here is a rule that might help.

ALLOW-check the checkbox to log
TCP
IN
Source IP: ANY
Destination IP: ANY or your server IP here
Source Port: ANY
Destination Port: 21

I remember another person on here couldn’t see the folders using IE7 on another brand of FTP software and we found out that we had to uncheck “Use Passive FTP (for firewall and DSL modem compatibility)” under Tools>Internet Options>Advanced to be able to see the folders using IE7.

hope this helps,

jasper

Hi Jasper,
Thanks for the prompt response.

When you say “ALLOW-check the checkbox to log” Gee I don’t have the checkbox to log!
TCP
IN
These two ok!

Source IP: ANY ------I don’t have Source IP ???

Destination IP: ANY or your server IP here ---- That one is ok!

and the last two too I got them …

Source Port: ANY
Destination Port: 21

So I’m missing something here… And it does not work.

Cheers
Thanks for any help.

Diphda

Which version of Comodo Firewall are you using? There should be a checkbox next to the first box in each rule window that says something about “check this box to log”. If you don’t have logging enabled for the rules then you won’t be able to see what is being blocked or allowed in the log.

If you are connecting from the same machine that has the same IP address each time then you can put the IP address in the Source IP. If you are connecting from different IP addresses that change and you would have trouble keeping track of them, you would need to use ANY as the Source IP.

I went back and read the thread from the beginning and it looks like LM and grue155 have covered the firewall setup pretty thoroughly. It looks like you need to find out what ports are not getting out or in, and the only way to see that is by it showing up in the log. It will be extremely hard to find out this info without log entries. What you need to do is to clear the log, then try and connect so we can see what happens and what entries are there. Once you try to connect and it fails, export the complete log to html, then save it as a .txt file because you can’t attach an html file here; use “Additional Options” to attach the saved file, and then I can convert it back to html to view it.

jasper

Hi Jasper,

In the following thread https://forums.comodo.com/help_for_v2/filezilla_ftp_server_and_comodo_fw_24-t10077.0.html

and with your help I suppose I have figured it out.

I went on the Active FTP vs. Passive FTP, a Definitive Explanation and re-read the document there on Active vs passive FTP. To make sure I do understand here is the process to enable the FTP server to work properly.

First, here is the configuration of the applications in play.

I’m using Comodo Firewall version 2.4.18.184 with Comodo Applications database version 3.0

The FTP server is FileZilla Server ver 0.9.24

Note: I have configured my FTP server in passive mode with my external IP address and set the port to the same range as above. To test my connection I used “http://www.net2ftp.com/”.

I’m behind a DSL modem with the proper redirection for FTP on port 21 (that is working)

Now I need to validate 2 things:

There is the Network monitor window “Network control Rules”
and
There is the Application Monitor Window “Application Control Rules”

First, let’s talk about the “Network control Rules”.

So I added two rules in between rule 4 and rule 5 (ref my previous post) in the Network monitor window “Network control Rules”

Originally these rules 4 and 5 were:

rule 4: ALLOW IP OUT FROM IP [Any] TO IP [Any] WHERE IPPROTO IS GRE

rule 5 : BLOCK and LOG IP In or OUT FROM IP [Any] to IP [Any] where IPPROTO is ANY

With the addition of two new rules, the old rule 5 is now rule 7.


rule 5 now reads:

ALLOW and LOG TCP IN FROM IP [Any] TO IP 192.168.2.10 WHERE SOURCE PORT IS [Any] AND DESTINATION PORT is 21

Because in passive mode the FTP server and The Client speak on port 21

rule 6 reads:

ALLOW and LOG TCP IN FROM IP [Any] TO IP 192.168.2.10 WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 40000 - 40050

Question:

Are these rules valid and secure (not defeating the other rules of the firewall e.g. the last rule 7)?


Now let’s talk about the Application Monitor Window “Application Control Rules”.

What should be added there?

Why?
Because in the Application Monitor Window the entry related to FileZilla server, generated by Comodo (application rule) when you start the Filezilla FTP server for the first time, is:

In the General Tab:
Action : ALLOW
Protocol: TCP or UDP
Direction : In

In the Destination IP Tab:
The radio button for Any is activated

In the Destination Port Tab:
The radio button for Any is activated

and in the Miscellaneous Tab
All clear

This to me seems invalid. Oh, it works, but FTP is a TCP-only application.

What should be put in the Application Monitor Window?

I’ve changed the application rule for

In the General Tab:
Action : ALLOW
Protocol: TCP
Direction : In

In the Destination IP Tab:
The radio button for “Single IP” is activated
and I’ve inserted my FTP Server “IP Address”

In the Destination Port Tab:
The radio button for A single Port is activated
and I’ve inserted “Port 21”

and in the Miscellaneous Tab
All clear

Using the web net2FTP, I’ve tested the access and everything works fine.

Is this configuration in the Application Monitor Window correct?

And finally the last question:

Having done this configuration in Comodo, is my computer still secure when the FTP server is shut down? Does this leave port 21 open somehow?

Many thanks

Diphda
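To check the question asked above (whether rules 5 and 6 admit a passive-mode FTP session without weakening the block-all rule 7), here is an added Python model of the rule set; it is not Comodo's code, and it assumes that Network Monitor evaluates rules top-down with the first match deciding, that unmatched traffic is blocked, and it reduces the ICMP message types to a plain label.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                           # "ALLOW" or "BLOCK"
    proto: str                            # "TCP", "UDP", "TCP/UDP", "ICMP", "GRE", or "IP" (any)
    direction: str                        # "IN", "OUT" or "IN/OUT"
    dst_ip: str = "Any"
    dst_ports: frozenset = frozenset()    # empty = any destination port
    detail: str = ""                      # ICMP message type; "" = any

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dst_ip: str
    dst_port: int = 0
    detail: str = ""

# Diphda's Network Control Rules 0-7 as listed in the posts above (5 and 6 are the two
# new inbound rules for the FTP control port and the passive-mode data port range).
RULES = [
    Rule(0, "ALLOW", "TCP/UDP", "OUT"),
    Rule(1, "ALLOW", "ICMP", "OUT", detail="ECHO REQUEST"),
    Rule(2, "ALLOW", "ICMP", "IN", detail="FRAGMENTATION NEEDED"),
    Rule(3, "ALLOW", "ICMP", "IN", detail="TIME EXCEEDED"),
    Rule(4, "ALLOW", "GRE", "OUT"),
    Rule(5, "ALLOW", "TCP", "IN", "192.168.2.10", frozenset({21})),
    Rule(6, "ALLOW", "TCP", "IN", "192.168.2.10", frozenset(range(40000, 40051))),
    Rule(7, "BLOCK", "IP", "IN/OUT"),
]

def proto_match(rule_proto, pkt_proto):
    """'IP' matches every protocol; 'TCP/UDP' matches either of the two."""
    return rule_proto == "IP" or pkt_proto in rule_proto.split("/")

def first_match(rules, pkt):
    """Top-down evaluation, first matching rule decides (assumed Network Monitor semantics).
    Returns (action, rule id); no match at all is treated as blocked (also an assumption)."""
    for r in rules:
        if r.direction not in ("IN/OUT", pkt.direction):
            continue
        if not proto_match(r.proto, pkt.proto):
            continue
        if r.dst_ip != "Any" and r.dst_ip != pkt.dst_ip:
            continue
        if r.dst_ports and pkt.dst_port not in r.dst_ports:
            continue
        if r.detail and r.detail != pkt.detail:
            continue
        return r.action, r.rid
    return "BLOCK", None

def inbound_exposure(rules):
    """Unsolicited inbound TCP/UDP the rule set admits: (proto, host, number of ports)."""
    return [(r.proto, r.dst_ip, len(r.dst_ports) or "any")
            for r in rules
            if r.action == "ALLOW" and r.direction != "OUT"
            and r.proto in ("TCP", "UDP", "TCP/UDP", "IP")]
```

The model shows the control connection to port 21 and a data connection in 40000-40050 landing on rules 5 and 6, while a SYN to any other port or host, or UDP to port 21, still falls through to rule 7; the exposure list is exactly one host with 1 + 51 TCP ports.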

If I can comment here, it looks like all the rules and settings are good to go. Your new Network rule 5 and 6 look to be correct. The Application rule also looks to be correct. When the FTP server is shut down, your machine is still secure as there is nothing listening for an inbound connection. Therefore nothing can come in.

The www.net2ftp.com is an interesting web site, and evidently very useful for testing FTP configurations. But please be aware that you are giving userid-password combinations to a third party. I’d use net2ftp for testing, and when confirmed everything is working, disable that FTP userid and never ever use that password for any other purpose. This is a bit on the extreme security side, but historically is the safest course of action.

Thanks grue155

I’ve even been able to enable the SSL/TLS portion of FileZilla server.

I will post the changed rules and settings in a new instalment of “CPF and FTP server??”.

I take note of your recommendation for the FTP userid and password.

:slight_smile:

Thanks

Diphda

Here we go again…

I’ve searched the forum for this subject and come out empty-handed. I am still undecided if this is a bug. So I’ll query the crowd wisdom on that one.

First let me update my attempt to get FileZilla server working. I’ve succeeded and I’ve decided to up the ante. I’ve enabled SSL/TLS and forced explicit SSL/TLS, and it does work.


rule 5 now reads:

ALLOW and LOG TCP IN FROM IP [Any] TO IP 192.168.2.10 WHERE SOURCE PORT IS [Any] AND DESTINATION PORT is IN[21,990]

Because in passive mode the FTP server and The Client speak on port 21

rule 6 reads:

ALLOW and LOG TCP IN FROM IP [Any] TO IP 192.168.2.10 WHERE SOURCE PORT IS [990] AND DESTINATION PORT IS 40000 - 40050

That’s done and working. I then changed the Application Control Rules (from what I previously posted) and that is where I got a problem, if not a bug. The Application Control Rules that I’ve changed now state:

I’ve 2 rules for the FileZilla server, one in and one out (the last one may not be needed, but it probably does not hurt).

So first the in part…

In the General Tab:
Action : ALLOW
Protocol: TCP
Direction : In

In the Destination IP Tab:
The radio button for “Single IP” is activated
and I’ve inserted my FTP Server “IP Address”

In the Destination Port Tab:
The radio button for A set of Ports is activated
and I’ve inserted “21,990”

and in the Miscellaneous Tab
All clear

Secondly the out part.

In the General Tab:
Action : ALLOW
Protocol: TCP
Direction : out

In the Destination IP Tab:
The radio button for “Single IP” is activated
and I’ve inserted my FTP Server “IP Address”

In the Destination Port Tab:
The radio button for “A single Port” is activated
and I’ve inserted “990”

and in the Miscellaneous Tab
All clear

Miracle, it works.

Note: every time I change the rules I shut down CPF and restart it before testing.

Now here is the fun part.

Comodo changes the Application Control Rules for the FileZilla Server…?


The only thing is that on restarting FileZilla server, CPF does not recognize it and asks me to allow it.
If I check “Remember my answer for this application”, CPF erases the Application rules I had put in and replaces them with its own version…

Which is on the in side:

In the General Tab:
Action : ALLOW
Protocol: TCP or UDP
Direction : In

In the Destination IP Tab:
The radio button for “Any” is activated

In the Destination Port Tab:
The radio button for Any is activated

and in the Miscellaneous Tab
All clear (gee that one didn’t change:-( )

On the Out side:

In the General Tab:
Action : ALLOW
Protocol: TCP or UDP (again…! FTP works only on TCP, why UDP?)
Direction : out

In the Destination IP Tab:
The radio button for “Any” is activated

In the Destination Port Tab:
The radio button for “Any” is activated

and in the Miscellaneous Tab
All clear (Wow!)

Is this a BUG? Because a firewall that changes the stipulated rules is doing something it should not.

Waiting for your comments and ideas…

And the cherry on the sundae… The FTP server still works; no wonder, everything is open for the application… I hope the rules in the Network Monitor have precedence.

Diphda


Your post seems to have partially duplicated, which makes understanding a little awkward. My apologies if I misunderstand anything.

If I do understand your post correctly, then your Network rules are working as you expected. That’s good. But the Application rules that you put in are being replaced by generic rules. That does seem to be a program bug. You are correct that the Network rules have precedence, so the bug is not a danger to your security. The bug is still not supposed to be there.

I would suggest that you enter a support ticket to report the bug. But, as I have noticed with other such tickets, the reply has been “upgrade to the newly released CFP v3”. What you have works, and you are secure.

Thanks Grue155

If I do understand your post correctly, then your Network rules are working as you expected. That’s good. But the Application rules that you put in are being replaced by generic rules. That does seem to be a program bug. You are correct that the Network rules have precedence, so the bug is not a danger to your security. The bug is still not supposed to be there.

I would suggest that you enter a support ticket to report the bug. But, as I have noticed with other such tickets, the reply has been “upgrade to the newly released CFP v3”. What you have works, and you are secure.

You read me right.

But I’m stuck I’m running Windows 2000 pro on this machine…:frowning:

Thanks

Cheers

Diphda