FTP/Firewall problems on XP Pro

Sunemaster

Hi All,

I've got a problem with several different XP Pro clients with the
built-in firewall enabled, trying to put files on an FTP server.
Hope someone out there can help me solve this. Would rather not begin
installing 3rd-party products or anything.

The connection seems to be created fine many times, but every now and
then it seems as if the built-in firewall drops a reply packet from
the server (or a connection (data) from the server), and the FTP
connection hangs.

I've reproduced the problem on a newly installed XP Pro, with the
firewall enabled.

Steps to reproduce:

On an XP machine with the firewall enabled, create a batch script with
the following contents:

** Begin **
@echo off
REM Each "start" launches a separate ftp.exe window; -d prints the FTP
REM commands exchanged, -s runs commands.txt as a script.
REM "ping -n 10 localhost" is only used as a ~10 second delay (XP has no sleep).
start ftp -d -s:commands.txt <ftp server>
ping -n 10 localhost >NUL
start ftp -d -s:commands.txt <ftp server>
ping -n 10 localhost >NUL
start ftp -d -s:commands.txt <ftp server>
ping -n 10 localhost >NUL
start ftp -d -s:commands.txt <ftp server>
ping -n 10 localhost >NUL
start ftp -d -s:commands.txt <ftp server>
ping -n 10 localhost >NUL
start ftp -d -s:commands.txt <ftp server>
** End **

Replace <ftp server> with the name or IP address of the FTP server you
wish to use.

And in the same location, create a text file named "commands.txt" with
the following contents:

** Begin **
<username>
<password>
<60 lines of ls>
bye
** End **

Replace <username> and <password> with your credentials, and <60 lines
of ls> with, well... 60 lines of "ls" commands.

Each "ls" command makes the client use a new port number, for the FTP
server to send the data to.

If you disable the firewall, you can start almost as many instances of
the batch script as you like, but with the firewall enabled, you'll
probably start noticing problems if you start two or more instances
simultaneously (at least I do).

I suspect the problem gets worse if the client PC is heavily
loaded.

I can't say for sure that it is always so, but a lot of the time, it
appears to happen mostly to high number ports (above 5000).
I have for sure also seen it on lower ports, but I don't see that at
this moment.

I realize that there may be an issue with the ephemeral port range,
but I think that if that was the problem, disabling the firewall
should not make any difference. Besides, cancelling the hung
connection immediately makes that series of "ls" commands continue as
if nothing happened (usually).

Also, raising the MaxUserPort just seems to raise the high number
ports that get blocked by the firewall.

Another test I have made is to install the Free Edition of the
ZoneAlarm Firewall, and the problem seems to disappear when using that
instead of the built-in firewall.

Have also tried making some exceptions in the firewall, but nothing
seems to help. Actually, at some point, it seemed as if making *any*
change to the firewall settings, triggered something and connections
started dropping.

Can there be done anything to tweak the firewall?
Or to make certain traffic bypass it altogether?

As I understand it, the alg.exe has to get its hands on the FTP
connection to allow the data connection through the firewall.
But can there be something in that process that just doesn't happen
quickly enough? That is, the firewall drops the connection before the
alg has a chance to open it?

Any ideas?

Thanks.
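To make the mechanism behind the hang concrete, here is an added example that is not part of the original post: a toy FTP server and an ftplib client in active mode, talking over loopback. Every NLST (what the command-line client's "ls" sends) makes the client listen on a fresh ephemeral port and announce it with a PORT command; the server then opens a new inbound connection to that port for the listing. That inbound connection is exactly what a stateful host firewall has to admit for each "ls", which is why the ALG has to follow the control channel. The hostname, credentials and directory listing are constructed, and the server implements only the handful of verbs ftplib sends for login and NLST.

```python
"""Toy active-mode FTP exchange over loopback (constructed example).

Each directory listing makes the client listen on a new ephemeral port,
announce it with PORT, and wait for the server to connect *back* to it.
"""
import ftplib
import socket
import threading


def parse_port_arg(arg):
    """Decode the argument of 'PORT h1,h2,h3,h4,p1,p2' into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _serve_one_session(ctrl, data_ports):
    """Minimal server side: only the verbs ftplib sends for login + NLST."""
    ctrl.sendall(b"220 toy ftp ready\r\n")
    reader = ctrl.makefile("r", encoding="latin-1", newline="\r\n")
    data_target = None
    for line in reader:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            ctrl.sendall(b"331 password please\r\n")
        elif verb == "PASS":
            ctrl.sendall(b"230 logged in\r\n")
        elif verb == "TYPE":
            ctrl.sendall(b"200 type set\r\n")
        elif verb == "PORT":
            data_target = parse_port_arg(arg)
            data_ports.append(data_target[1])  # the port the client firewall must admit
            ctrl.sendall(b"200 PORT accepted\r\n")
        elif verb in ("NLST", "LIST"):
            ctrl.sendall(b"150 opening data connection\r\n")
            # Active mode: the SERVER initiates the data connection, inbound to the client.
            with socket.create_connection(data_target, timeout=5) as data:
                data.sendall(b"file1.txt\r\nfile2.txt\r\n")  # constructed listing
            ctrl.sendall(b"226 transfer complete\r\n")
        elif verb == "QUIT":
            ctrl.sendall(b"221 bye\r\n")
            break
        else:
            ctrl.sendall(b"502 not implemented\r\n")
    reader.close()
    ctrl.close()


def start_server():
    """Listen on a random loopback port; return (port, list of PORT values seen)."""
    srv = socket.create_server(("127.0.0.1", 0))
    data_ports = []

    def run():
        ctrl, _ = srv.accept()
        try:
            _serve_one_session(ctrl, data_ports)
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], data_ports


def run_active_listings(server_port, n_listings):
    """Client side: log in, force active mode, issue n_listings directory listings."""
    ftp = ftplib.FTP()
    ftp.connect("127.0.0.1", server_port, timeout=5)
    ftp.login("user", "secret")  # constructed credentials
    ftp.set_pasv(False)          # active mode, as the Windows ftp.exe client uses
    listings = [ftp.nlst() for _ in range(n_listings)]
    ftp.quit()
    return listings


def demo(n_listings=5):
    """Return the client data ports the server was told to connect back to."""
    server_port, data_ports = start_server()
    run_active_listings(server_port, n_listings)
    return data_ports


if __name__ == "__main__":
    ports = demo()
    print("client data ports announced via PORT:", ports)
    print("distinct ports:", len(set(ports)), "of", len(ports))
    print("ports above 5000 (XP's default MaxUserPort ceiling):",
          sum(p > 5000 for p in ports))
```

Running it prints one fresh port per listing. On the XP clients in the post, every one of those is an inbound connection the firewall only admits if the ALG has parsed the matching PORT command on the control channel in time; the batch script above multiplies that by 60 listings per client and several clients at once. Where the client supports it, passive mode reverses the direction (client connects out to the server's data port), so the host firewall only ever sees outbound connections and no ALG is needed.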

Sune T. Tougaard

Hi again,

Actually, I just tried something I didn't think of before.
Raising the MaxUserPort to 60000 seems to solve the problem.

(probably something lower than that will be sufficient)

I'd still like any comments, though.

Thanks.

--
/Sune
