FTP traffic via CIS Firewall

Mythzz · February 28, 2019, 3:38pm

Hi All, Im currently trying to setup my PC as an FTP Server. Ive followed a lot of the articles online and I have everything setup properly in terms of my Router, IIS8, and the last bit is the CIS firewall.

For comparison, I`ve been able to set this up for 443 and it still continues to work via CIS11. All I had to do was Apply a Global Rule (unsure if this is really the best way to do it)

From within the LAN (localhost) I`m able to access the FTP Site.

However when i applied a similar rule (which I did for 443) to make FTP work, I`m still unable to reach my PC externally. I applied a Allow rule under Global rules, and under Application Rules too.

The global rule looks something like this:

Source Address : ANY
Dest Address : My PC`s MAC
Source Port : ANY
Dest Port : 21

I did look through a couple of articles :
https://forums.comodo.com/empty-t16811.0.html
https://forums.comodo.com/frequently-asked-questions-faq-for-comodo-firewall/quick-question-how-to-open-ports-for-ftp-server-t9635.0.html

If I disable the CIS Firewall, my FTP from the outside works fine.

Am I missing something? Any help would be appreciated.

futuretech · February 28, 2019, 4:57pm

Does it work if you change the destination address to any instead of MAC address? If yes then you either typed out the MAC wrong or used the wrong network adapter MAC. Also make sure the application is actually listening on port 21, use tcpview or killswitch to check.

Mythzz · March 1, 2019, 8:29am

Thanks futuretech.

Does it work if you change the destination address to any instead of MAC address? If yes then you either typed out the MAC wrong or used the wrong network adapter MAC.
→ I tried that as well, no go. I typed in the MAC and IP manually just to be sure.

Also make sure the application is actually listening on port 21, use tcpview or killswitch to check.
→ It is, it logs the incoming connections Local Port as FTP<21>, when i try from the outside. Plus the FTP website in IIS is bound correctly to port 21.

Just to re-iterate, I did simply disable the CIS firewall without changing any settings and I noticed I can reach my FTP site from the Internet, without any problems.

I noticed another symptom…The external connection isnt completely blocked. I can see the authetication prompt from IIS. But after you put in the creds it times out.

After a while of tinkering.......Hers what worked:

I simply made the following changes to the global rule:

FROM:
Source Address : ANY
Dest Address : My PC`s MAC
Source Port : ANY
Dest Port : 21

TO:
Source Address : ANY
Dest Address : My PC`s MAC
Source Port : ANY
Dest Port : ANY

Many thanks again Futuretech!!! Perhaps i dont understand how FTP works . Maybe it uses a dynamic range vs just 21. Gotta read up some more.