FTP server and CFP

Good day, buddies! (:WAV)

Recently I set up my FTP server so my friends and I could share files. My worry is that if I allow “any” in the application rule using port 28, the port probe using GRC’s test shows port 28 is open. What would be the safest way to configure the FTP client and CFP to show that it is stealthed? By the way, I’m using Serv-U as my FTP server. :SMLR

You could write a rule for each friend and ALLOW only their IP address instead of ANY or you could change the rule from Allow to Block when it’s not being used.

Hope this helps.


Most of the time they are using the internet through Internet cafés in different locations, and I wasn’t able to monitor CFP to allow them any time they want to transmit files. (:SAD)

Here’s the thing… CFP doesn’t hold ports open, as some firewalls do; it simply monitors & filters the traffic, based on the existing rules.

What that means is, that so long as your FTP server (the application end of it) is not actively running/listening on that port, the port will be ‘stealthed.’ The port will only be open, and traffic allowed, when the authorized application is running on that port. Thus you need to make sure that your server setup is secure, for when it’s running…


Thanks, Little Mac, for the reply. (:WAV)

What if I want my FTP server to run at startup and listen on port 28? Can we make it stealth?

Not as far as I know. If an application is utilizing a port, that port is detectable from the outside; it doesn’t matter if the application is listening or active, as the port is in use either way.

The only thing would be to limit the Protocols used on that Port’s Inbound Rule. In other words, rather than Allow IP In, you could Allow TCP In, or Allow UDP In (or TCP/UDP, if both are needed). This would stop ICMP pings. However, I think some security sites use TCP (basically a port scan) rather than an ICMP ping, to check for “stealth” ratings. You may be able to create some of these details in the Application Monitor as well, for your FTP server app.

A further detail to add to the Inbound Rule would be to specify the Source IPs (provided that your friends are on static IPs, or a range of IPs if need be). This will limit the accessibility that way, just to increase the security a bit.

Is it possible to define, within your FTP server controls, what IPs can access it?
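Added example, not part of the original thread: what an outside port test observes for the three cases discussed above, shown against loopback only. The function names and the labels `open`, `closed` and `stealth` are assumptions chosen for illustration; `stealth` here means no reply arrived before the timeout.

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port by how the host answers a connection attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        # Loopback quirk: with no listener the OS can connect a socket to
        # itself when source and destination port coincide. Not a listener.
        if s.getsockname() == s.getpeername():
            return "closed"
        return "open"      # SYN answered with SYN/ACK: something is listening
    except ConnectionRefusedError:
        return "closed"    # SYN answered with RST: host visible, no listener
    except socket.timeout:
        return "stealth"   # no answer at all: the packet was dropped
    except OSError:
        return "unreachable"
    finally:
        s.close()

def demo():
    """Probe the same loopback port with and without a listener bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # constructed sample: OS-chosen free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_stop = probe_tcp("127.0.0.1", port)
    return while_listening, after_stop

if __name__ == "__main__":
    print(demo())
```

With a firewall rule that allows inbound TCP to a port where a server is listening, the handshake completes, which is why a test reports that port as open rather than stealthed.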


The thing is, if I use port 21 the test shows stealthed, but at port 28 it’s open. I use the same rule. How is that? I don’t want to use port 21 because some ISPs are blocking it. (:SAD)

Then something must be holding port 28 open; I would look at Windows as the culprit on that. Specifically, I’d be looking at svchost.exe, although there may be other options. Unfortunately, you can’t just block svchost, as it’s needed for other aspects of connectivity. It can be blocked, but it’s not simple, and must be very specific/selective.


Thanks, Mac, for the info.

Hi Little Mac!

Just got the info on port usage using cport and detected that only my FTP server holds port 28. Is there any workaround for this issue in CFP? (:SAD)

You may want to file a ticket with Support on this. If you’ve got the exact same rule for both port 21 & 28 and have the FTP server running when you test, but getting different results, there must be something different about the way the FTP server is using the port. That gets a little further beyond the level of help I can offer, unfortunately.

http://support.comodo.com/ You’ll need to register there; the forum’s registration doesn’t cross over. Please let them know that it’s for the current public release of the FW, v2.4, that you have already been in the forums (giving a link back to this topic would be good), and that a Forum Moderator advised you to file the ticket with them for more detailed assistance.