FTP Client Ruleset

There have been a number of threads about problems with FTP clients, mostly caused by a missing rule in the FTP Client ruleset and Web Browser ruleset and another in the global ruleset when a “block all” is present. So rather than chasing them all down I will try to summarize.

For the FTP client ruleset, use the attached baseline set of rules which allow for both active and passive FTP.

You also need to add the passive FTP rule to your Web Browser ruleset if you are using your web browser as an FTP client.

For the Global ruleset, add a rule for active FTP to “allow/TCP/IN/ANY/ANY/20/ANY” ahead of the block and log. You will need to do this for every inbound connection allowed by the application rules.

I actually prefer to add the block and log at the end of the application rules, instead of the global rules, but this causes problems for the automatic rule generation in Comodo. For using a new program, I change the default “allow out” rule anyway, so I just add it manually ahead of the block.
But it is generally simpler for most users to use the global rules. I am handicapped in that installing 3.0.14 had a problem that wiped out the global rules, so I don’t know what they are. :wink:

[attachment deleted by admin]

Cool, thanks. My first predefined rule and it worked! Prior to that I needed to set my FTP client as a trusted app.

Comodo’s FTP rule wouldn’t allow me to connect with the server…

Thanks sded:

I had problems with my WS_FTP95 LE connecting, until I set my FTP Client Custom Policy in CFP v3.0.14 to:
“Allow All Incoming and Outgoing Requests” as the only rule.

Have I compromised my firewall protection by doing this? I am behind a Linksys router, if that makes any diff.

Not really much of a security issue. Many users want to allow the minimum capabilities, but if you know and trust the program it doesn’t hurt to allow a little extra. For new programs, what you want is enough rules to be sure that if it says it is an FTP program, it doesn’t send email or browse the web. :wink: Your Linksys router will take care of most of the incoming bad guys; Comodo rules will take care of the rest along with the outgoing.

Much obliged!

The pre-defined FTP rules in the latest version don’t seem to work. I’ll be applying these again.

Edit: Yup, all I needed to do was add the passive rule.

Yes, the passive FTP rule is still missing in .276. There is a loopback rule now, but I don’t think FTP proxies are very common. Easy fix, though. Also missing from the Web Browser rules.

Well, I can tell you that Firefox’s [FREE] add-on, FireFTP works perfectly on my laptop with no rules to be made at all!

Pardon me for my ignorance, but how do I define this passive FTP rule? I mean, in the form of allow/block/sourceIP/destIP/sourcePort/destPort?

allow/tcp/out/any/any/any/any :slight_smile:

Thanks Sded.

My real problem is, I actually wanted to enable an FTP service on my PC so that occasionally I can download some data/files from my PC at a customer’s place. I just couldn’t figure out the correct allow/block combination. In most cases, I would get a pop-up dialog from Firefox (latest) saying “error 425”. How should I go about configuring it?

Don’t quite understand your problem. Do you want to download data from your computer to other computers using FTP, or? If you just want to move data around, in quantities less than a few GB, the easiest way I have found is a cheap USB flash drive, so you don’t need to configure an FTP server on your machine. Filezilla and others will support it, but it sounds like overkill for your situation.

And the definition…

Allow Outgoing Passive FTP TCP Connection Requests to all ports.

Just the other day I tried to download a FTP file on Firefox and got the same 425 error. I added the above rule to my browser rules in the same position as the FTP rule and it worked fine.

There are times that I need to provide program patches/support to customers hundreds of miles away. I used to be able to send them via e-mail, but now most ISP mail services would not allow one to send .exe as an attachment. So a workaround is to let them download from our machines. I can actually get it working, as long as I do not have a “catch all” (Block In & Out Any/Any/Any/Any) as the last setting in my global rules, but I don’t like that. I feel kind of naked… you know…

Did you put the “allow” rules ahead of your block all for active FTP? You can do that without opening all your ports up if your customers will use active FTP; IE or any real FTP client will do it.
allow/tcp/in/any/any/any/21
allow/tcp/out/any/any/any/20
and also for your FTP server.

Yes. I tried all these again but FTP wouldn’t work as long as the catch-all is there… apparently after the initial connection using port 21, it wants to open a series of other ports, so the catch-all, well, as is its nature, catches them all! Actually, I had the same problem with other programs that wanted to open a range of ports (randomly) after the initial connection.

That’s why I suggested a switch to ACTIVE FTP, which only uses port 21 for control and port 20 for data on the server side (you). :slight_smile: It is a setting in IE and in most FTP clients to use active or passive FTP. See http://www.slacksite.com/other/ftp.html for example. You need to run an FTP server on your side (I have heard Filezilla is ok) set up to support active FTP from the clients, with ports 20 and 21 opened up per the previous rules. Then, on your customer machines, you need to set the FTP client to active FTP to do the download. If you don’t have a static IP, you will need to know your current IP or use one of the referral services.
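Added example, not from the thread and not Comodo’s code: a Python sketch that evaluates rules written in the allow-or-block/proto/direction/srcIP/dstIP/srcPort/dstPort form asked about earlier (first match wins, as with an ordered rule list with a trailing “block all”), and derives the data connection that an active-mode PORT command or a passive-mode 227 reply produces. It covers both the client-side global rule from the first post and the server-side rules from this exchange, so you can see why the passive data connection is what a catch-all swallows. The hosts, ports, rule lists and the default-allow fall-through are constructed assumptions; the server-side outbound rule is written with source port 20 because RFC 959 has the server open the active data connection from its data port, and whether Comodo’s field order matches this notation is likewise an assumption.

```python
"""Ordered firewall rules vs. FTP active/passive data connections (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str   # "in" or "out" relative to the firewalled host
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_rule(text):
    """'allow/tcp/in/any/any/20/any' -> tuple of 7 lowercase fields."""
    fields = text.strip().lower().split("/")
    if len(fields) != 7 or fields[0] not in ("allow", "block"):
        raise ValueError(f"bad rule: {text!r}")
    return tuple(fields)


def _field_matches(field, value):
    return field == "any" or field == str(value).lower()


def rule_matches(rule, conn):
    _, proto, direction, sip, dip, sport, dport = rule
    return (_field_matches(proto, conn.proto)
            and _field_matches(direction, conn.direction)
            and _field_matches(sip, conn.src_ip)
            and _field_matches(dip, conn.dst_ip)
            and _field_matches(sport, conn.src_port)
            and _field_matches(dport, conn.dst_port))


def evaluate(rules, conn, default="allow"):
    """First matching rule wins; no match falls through to `default` (assumed allow)."""
    for text in rules:
        rule = parse_rule(text)
        if rule_matches(rule, conn):
            return rule[0]
    return default


_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _HP.search(line)
    if not m:
        raise ValueError(f"no host/port in {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_data_conn(port_cmd, server_ip, role):
    """Active mode: the server connects from its port 20 to the address/port
    the client advertised in PORT. Seen from the client it is inbound."""
    client_ip, client_port = parse_hostport(port_cmd)
    direction = "in" if role == "client" else "out"
    return Conn("tcp", direction, server_ip, client_ip, 20, client_port)


def passive_data_conn(pasv_reply, client_ip, client_port, role):
    """Passive mode: the client connects from an ephemeral port to the port
    the server advertised in the 227 reply. Seen from the server it is inbound."""
    server_ip, server_port = parse_hostport(pasv_reply)
    direction = "out" if role == "client" else "in"
    return Conn("tcp", direction, client_ip, server_ip, client_port, server_port)


# Constructed sample exchange: client 192.0.2.10, server 198.51.100.7.
PORT_CMD = "PORT 192,0,2,10,195,80"                              # client data port 50000
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,196,54)"   # server data port 50230

# Client-side global rules from the thread: active-FTP allow ahead of the block.
CLIENT_GLOBAL = ["allow/tcp/in/any/any/20/any", "block/any/in/any/any/any/any"]
# Server-side rules with the trailing catch-all the poster wanted to keep.
SERVER_GLOBAL = ["allow/tcp/in/any/any/any/21",
                 "allow/tcp/out/any/any/20/any",   # assumed: server's data port 20 as source
                 "block/any/any/any/any/any/any"]


def client_verdicts():
    act = active_data_conn(PORT_CMD, "198.51.100.7", "client")
    pas = passive_data_conn(PASV_REPLY, "192.0.2.10", 50001, "client")
    return {"active": evaluate(CLIENT_GLOBAL, act), "passive": evaluate(CLIENT_GLOBAL, pas)}


def server_verdicts():
    act = active_data_conn(PORT_CMD, "198.51.100.7", "server")
    pas = passive_data_conn(PASV_REPLY, "192.0.2.10", 50001, "server")
    return {"active": evaluate(SERVER_GLOBAL, act), "passive": evaluate(SERVER_GLOBAL, pas)}


if __name__ == "__main__":
    print("client:", client_verdicts())
    print("server:", server_verdicts())
```

On the client side the inbound active data connection arrives from source port 20 and hits the allow rule before the block; the passive connection is outbound and never reaches an inbound block at all. On the server side the active data connection leaves from port 20 and is allowed, while the passive one arrives on a freshly chosen high port that nothing ahead of the catch-all matches, so it is blocked and the remote client reports 425 (RFC 959: “Can’t open data connection”).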

Just a thought; have you got Windows Firewall running as well as Comodo Firewall?
I had problems with FTP even after making the rules shown at the beginning of this thread.
After a new install I had inadvertently left Windows FW on.
Switching it off cured the problem and FTP now works. :slight_smile:

Mike.

Filezilla Server, Filezilla Client, Comodo Firewall happy user here. (:LOV)

I think they must resolve this bug because I’m not able to FTP to my Xbox using FlashFXP even if it is set as a trusted application and the zone is a trusted zone. Can you help me?