Problem windows XP SP2 firewall FTP

[sfn]

Some problems with windows firewall and ftp...


The ftp-client I use, runs fine when windows firewall is off.
If firewall is on and the ftp-client is even as an allowed
app in the settings of the firewall, it doesn't work.

But there were no drops in firewall's log file!

A look with ethereal shows, that one IP-Flag at the end of
the ftp transfer differs if the firewall is on or off.

When off, I see the FIN,ACK flag (--> OK)
When on, it's the RST,ACK flag
and cause of this it obviously makes the protcol repeating
and repeating until the ftp-client pops up for timeout.

I think that this behaviour is rarely strange, so it has nothing
to do with with passive or active ftp-mode.

The only thing I know about the ftp-client is, that it use
the Microsoft Foundation Classes (MFC-Libs) for FTP communication.

any help is very appreciated!

Sebastian

 

[Galen]

In sfn <[email protected]> had this to say:

My reply is at the bottom of your sent message:

Some problems with windows firewall and ftp...


The ftp-client I use, runs fine when windows firewall is off.
If firewall is on and the ftp-client is even as an allowed
app in the settings of the firewall, it doesn't work.

But there were no drops in firewall's log file!

A look with ethereal shows, that one IP-Flag at the end of
the ftp transfer differs if the firewall is on or off.

When off, I see the FIN,ACK flag (--> OK)
When on, it's the RST,ACK flag
and cause of this it obviously makes the protcol repeating
and repeating until the ftp-client pops up for timeout.

I think that this behaviour is rarely strange, so it has nothing
to do with with passive or active ftp-mode.

The only thing I know about the ftp-client is, that it use
the Microsoft Foundation Classes (MFC-Libs) for FTP communication.

any help is very appreciated!

Sebastian

With your FTP client set it to use PASV or "passive" when the firewall is
on? I'd try that and see if it helps. It varies per FTP client but it should
be an option.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes

 

[sfn]

Yes I'did set it to PASV Mode, at least I think so.

Which ports do I have to see in a sniffer log when I do passive
FTP ?
(I mean in all communication, data and commands)

Perhaps the MFC Classes in the ftp-client work wrong
with FLAG "INTERNET_FLAG_PASSIVE" and GetFtpConnection(...,TRUE)

 

[Galen]

In sfn <[email protected]> had this to say:

My reply is at the bottom of your sent message:

Yes I'did set it to PASV Mode, at least I think so.

Which ports do I have to see in a sniffer log when I do passive
FTP ?
(I mean in all communication, data and commands)

Perhaps the MFC Classes in the ftp-client work wrong
with FLAG "INTERNET_FLAG_PASSIVE" and GetFtpConnection(...,TRUE)

The same ports are used IIRC. It's the client that need be set to use PASV
with a firewall in place. I don't know what client you use but it's an
option in *most* clients. Beyond that if you're having problems with it I'm
not really sure what to say as that's the only cause that I am aware of.
From the looks of things it's as if you're getting acknowledgement but how
far into the login process is the client getting? Can you FTP to the server
with IE? Command line?

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes

 

[sfn]

I show You an incomplete extract of the log file, wehre You can see
what happened:

No. Source Destination Protocol Info
222 10.0.1.49 10.0.1.26 FTP Response: 220 dcpu2 FTP server
(Version 6.2/OpenBSD/Linux-0.10) ready.
223 10.0.1.26 10.0.1.49 FTP Request: USER xyz
224 10.0.1.49 10.0.1.26 TCP ftp > 4352 [ACK] Seq=63 Ack=19
Win=32120
225 10.0.1.49 10.0.1.26 FTP Response: 331 Password required for
xyz.
226 10.0.1.26 10.0.1.49 FTP Request: PASS xyz
227 10.0.1.49 10.0.1.26 TCP ftp > 4352 [ACK] Seq=103 Ack=41
Win=32120
228 10.0.1.49 10.0.1.26 FTP Response: 230- Have a lot of
fun....
229 10.0.1.26 10.0.1.49 TCP 4352 > ftp [ACK] Seq=41 Ack=131
Win=17390
230 10.0.1.49 10.0.1.26 FTP Response: 230 User serviceuser
logged in.
231 10.0.1.26 10.0.1.49 FTP Request: CWD /servdir/service/
232 10.0.1.49 10.0.1.26 FTP Response: 250 CWD command
successful.
233 10.0.1.26 10.0.1.49 FTP Request: TYPE I
234 10.0.1.49 10.0.1.26 FTP Response: 200 Type set to I.
235 10.0.1.26 10.0.1.49 FTP Request: PASV
236 10.0.1.49 10.0.1.26 FTP Response: 227 Entering Passive Mode
(10,0,1,49,156,64)
237 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [SYN] Seq=0 Ack=0
Win=16384 L
238 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [SYN, ACK] Seq=0 Ack=1
Win=
239 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [ACK] Seq=1 Ack=1
Win=17520 L
240 10.0.1.26 10.0.1.49 FTP Request: STOR GSM_FTP_PUT
241 10.0.1.49 10.0.1.26 FTP Response: 150 Opening BINARY mode
data connection for 'GSM_FTP_PUT'.
242 10.0.1.26 10.0.1.49 FTP-DATA FTP Data: 94 bytes
243 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [ACK] Seq=1 Ack=95
Win=32026
244 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [FIN, ACK] Seq=95
Ack=1 Win=
245 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [ACK] Seq=1 Ack=96
Win=32120
246 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [FIN, ACK] Seq=1
Ack=96 Win=
247 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [ACK] Seq=96 Ack=2
Win=17520
248 10.0.1.26 10.0.1.49 TCP 4352 > ftp [ACK] Seq=96 Ack=319
Win=17202
249 10.0.1.49 10.0.1.26 FTP Response: 226 Transfer complete.
250 10.0.1.26 10.0.1.49 FTP Request: RNFR GSM_FTP_PUT
251 10.0.1.49 10.0.1.26 FTP Response: 350 File exists, ready
for destination name
252 10.0.1.26 10.0.1.49 FTP Request: RNTO service.req
253 10.0.1.49 10.0.1.26 FTP Response: 250 RNTO command
successful.
254 10.0.1.26 10.0.1.49 TCP 4352 > ftp [RST, ACK] Seq=132
Ack=418 Win=0
255 10.0.1.26 10.0.1.49 TCP 4356 > ftp [SYN] Seq=0 Ack=0
Win=16384 Le
256 10.0.1.49 10.0.1.26 TCP ftp > 4356 [SYN, ACK] Seq=0 Ack=1
Win=32120
257 10.0.1.26 10.0.1.49 TCP 4356 > ftp [ACK] Seq=1 Ack=1
Win=17520 Le
258 10.0.1.49 10.0.1.26 TCP 1272 > auth [SYN] Seq=0 Ack=0
Win=32120 Len
259 10.0.1.49 10.0.1.26 TCP 1272 > auth [SYN] Seq=0 Ack=0
Win=32120 Len=0 MSS=1460 TSV=72948 TSER=0 WS=0
260 10.0.1.26 10.0.1.49 TCP 4356 > ftp [RST, ACK] Seq=1 Ack=1
Win=0 Le


This log is with windows firewall ON.
At line 254 You can see what I described in my first posting.
And it repeats at line 260.

When firewall is OFF, then there is the FIN flag instead of the RST.

At line 236 there is also an advice for entering the PASV Mode.

I hope this helps a bit more for clarification what I mean.

 

[Galen]

In sfn <[email protected]> had this to say:

My reply is at the bottom of your sent message:

I show You an incomplete extract of the log file, wehre You can see
what happened:

No. Source Destination Protocol Info
222 10.0.1.49 10.0.1.26 FTP Response: 220 dcpu2 FTP server
(Version 6.2/OpenBSD/Linux-0.10) ready.
223 10.0.1.26 10.0.1.49 FTP Request: USER xyz
224 10.0.1.49 10.0.1.26 TCP ftp > 4352 [ACK] Seq=63 Ack=19
Win=32120
225 10.0.1.49 10.0.1.26 FTP Response: 331 Password required
for xyz.
226 10.0.1.26 10.0.1.49 FTP Request: PASS xyz
227 10.0.1.49 10.0.1.26 TCP ftp > 4352 [ACK] Seq=103 Ack=41
Win=32120
228 10.0.1.49 10.0.1.26 FTP Response: 230- Have a lot of
fun....
229 10.0.1.26 10.0.1.49 TCP 4352 > ftp [ACK] Seq=41 Ack=131
Win=17390
230 10.0.1.49 10.0.1.26 FTP Response: 230 User serviceuser
logged in.
231 10.0.1.26 10.0.1.49 FTP Request: CWD /servdir/service/
232 10.0.1.49 10.0.1.26 FTP Response: 250 CWD command
successful.
233 10.0.1.26 10.0.1.49 FTP Request: TYPE I
234 10.0.1.49 10.0.1.26 FTP Response: 200 Type set to I.
235 10.0.1.26 10.0.1.49 FTP Request: PASV
236 10.0.1.49 10.0.1.26 FTP Response: 227 Entering Passive
Mode (10,0,1,49,156,64)
237 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [SYN] Seq=0 Ack=0
Win=16384 L
238 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [SYN, ACK] Seq=0
Ack=1 Win=
239 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [ACK] Seq=1 Ack=1
Win=17520 L
240 10.0.1.26 10.0.1.49 FTP Request: STOR GSM_FTP_PUT
241 10.0.1.49 10.0.1.26 FTP Response: 150 Opening BINARY mode
data connection for 'GSM_FTP_PUT'.
242 10.0.1.26 10.0.1.49 FTP-DATA FTP Data: 94 bytes
243 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [ACK] Seq=1 Ack=95
Win=32026
244 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [FIN, ACK] Seq=95
Ack=1 Win=
245 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [ACK] Seq=1 Ack=96
Win=32120
246 10.0.1.49 10.0.1.26 TCP 40000 > 4353 [FIN, ACK] Seq=1
Ack=96 Win=
247 10.0.1.26 10.0.1.49 TCP 4353 > 40000 [ACK] Seq=96 Ack=2
Win=17520
248 10.0.1.26 10.0.1.49 TCP 4352 > ftp [ACK] Seq=96 Ack=319
Win=17202
249 10.0.1.49 10.0.1.26 FTP Response: 226 Transfer complete.
250 10.0.1.26 10.0.1.49 FTP Request: RNFR GSM_FTP_PUT
251 10.0.1.49 10.0.1.26 FTP Response: 350 File exists, ready
for destination name
252 10.0.1.26 10.0.1.49 FTP Request: RNTO service.req
253 10.0.1.49 10.0.1.26 FTP Response: 250 RNTO command
successful.
254 10.0.1.26 10.0.1.49 TCP 4352 > ftp [RST, ACK] Seq=132
Ack=418 Win=0
255 10.0.1.26 10.0.1.49 TCP 4356 > ftp [SYN] Seq=0 Ack=0
Win=16384 Le
256 10.0.1.49 10.0.1.26 TCP ftp > 4356 [SYN, ACK] Seq=0 Ack=1
Win=32120
257 10.0.1.26 10.0.1.49 TCP 4356 > ftp [ACK] Seq=1 Ack=1
Win=17520 Le
258 10.0.1.49 10.0.1.26 TCP 1272 > auth [SYN] Seq=0 Ack=0
Win=32120 Len
259 10.0.1.49 10.0.1.26 TCP 1272 > auth [SYN] Seq=0 Ack=0
Win=32120 Len=0 MSS=1460 TSV=72948 TSER=0 WS=0
260 10.0.1.26 10.0.1.49 TCP 4356 > ftp [RST, ACK] Seq=1 Ack=1
Win=0 Le


This log is with windows firewall ON.
At line 254 You can see what I described in my first posting.
And it repeats at line 260.

When firewall is OFF, then there is the FIN flag instead of the RST.

At line 236 there is also an advice for entering the PASV Mode.

I hope this helps a bit more for clarification what I mean.

Hmm... Okay, so what happens if you try to get in via IE? Can you log on
with IE at all? What client is this that you're using? I see that it is in
PASV mode. It happens with PASV disabled as well?

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes

 

[sfn]

Hmm... Okay, so what happens if you try to get in via IE? Can you log on
with IE at all? What client is this that you're using? I see that it is in
PASV mode. It happens with PASV disabled as well?

Galen

I'll try this next week (via IE and logging).
With PASV mode it happens also, as I could remember.
I got the sources of the client. It is written with the MFC C++ Classes
of
Microsoft and uses CInternetSession base class for the FTP Session.

I'd even compiled the sources against the latest version of the MFC
(7.0) ,
thinking that due the origin version of the sources (which where
developed
under MFC Version 6.0) would be too old for XP SP2 with firewall.
But nothing changed.

In fact, all others ftp-client I tested do their work under XP SP2
firewall
(the FW prompts when ftp access is made and then I press "allow")

When I use this client (and I have to, cause it's is part of an whole
app),
the microsoft firewall neither prompts me for ftp-access!
It's like You see in the log!

Using XP SP2 with another firewall (not the MS one), this ftp-client
runs as well.

So I think it has to do with the FW from MS.

Sebastian

 

[sfn]

so, here is a trace done with FileZilla FTP, which works with no
problems
when FW was activated:

No. Source Destination Protocol Info
689 10.0.1.48 10.0.1.25 FTP Response: 220 dcpu1 FTP server
(Version
691 10.0.1.25 10.0.1.48 FTP Request: USER serviceuser
692 10.0.1.48 10.0.1.25 TCP ftp > 1850 [ACK] Seq=63 Ack=19 Len=0
693 10.0.1.48 10.0.1.25 FTP Response: 331 Password required for xyz
694 10.0.1.25 10.0.1.48 FTP Request: PASS xyz
695 10.0.1.48 10.0.1.25 TCP ftp > 1850 [ACK] Seq=103 Ack=41 Win=321
696 10.0.1.48 10.0.1.25 FTP Response: 230- Have a lot of fun....
703 10.0.1.25 10.0.1.48 TCP 1850 > ftp [ACK] Seq=41 Ack=131 Win=17
704 10.0.1.48 10.0.1.25 FTP Response: 230 User xyz logged in.
707 10.0.1.25 10.0.1.48 FTP Request: FEAT
708 10.0.1.48 10.0.1.25 FTP Response: 500 'FEAT': command not under
709 10.0.1.25 10.0.1.48 FTP Request: SYST
710 10.0.1.48 10.0.1.25 FTP Response: 215 UNIX Type: L8 (Linux)
711 10.0.1.25 10.0.1.48 FTP Request: PWD
712 10.0.1.48 10.0.1.25 FTP "Response: 257 ""/servdir"" is current
713 10.0.1.25 10.0.1.48 FTP Request: PORT 10,0,1,25,19,137
714 10.0.1.48 10.0.1.25 FTP Response: 200 PORT command successful.
715 10.0.1.25 10.0.1.48 FTP Request: TYPE A
716 10.0.1.48 10.0.1.25 FTP Response: 200 Type set to A.
718 10.0.1.25 10.0.1.48 FTP Request: LIST
719 10.0.1.48 10.0.1.25 TCP ftp-data > 5001 [SYN] Seq=0 Ack=0 Win=
720 10.0.1.25 10.0.1.48 TCP 5001 > ftp-data [SYN, ACK] Seq=0 Ack=1
721 10.0.1.48 10.0.1.25 TCP ftp-data > 5001 [ACK] Seq=1 Ack=1 Win=3
722 10.0.1.48 10.0.1.25 FTP Response: 150 Opening ASCII mode data c
723 10.0.1.48 10.0.1.25 FTP -DATA FTP Data: 141 bytes
724 10.0.1.48 10.0.1.25 TCP ftp-data > 5001 [FIN, ACK] Seq=142 Ack=
725 10.0.1.25 10.0.1.48 TCP 5001 > ftp-data [ACK] Seq=1 Ack=143 Win
728 10.0.1.25 10.0.1.48 TCP 5001 > ftp-data [FIN, ACK] Seq=1 Ack=1
729 10.0.1.48 10.0.1.25 TCP ftp-data > 5001 [ACK] Seq=143 Ack=2 Wi
735 10.0.1.25 10.0.1.48 TCP 1850 > ftp [ACK] Seq=95 Ack=371 Win=171
736 10.0.1.48 10.0.1.25 FTP Response: 226 Transfer complete.
745 10.0.1.25 10.0.1.48 TCP 1850 > ftp [ACK] Seq=95 Ack=395 Win=171
822 10.0.1.25 10.0.1.48 FTP Request: CWD service
823 10.0.1.48 10.0.1.25 FTP Response: 250 CWD command successful.
824 10.0.1.25 10.0.1.48 FTP Request: PWD
825 10.0.1.48 10.0.1.25 FTP "Response: 257 ""/servdir/service"" is
826 10.0.1.25 10.0.1.48 FTP Request: PORT 10,0,1,25,19,138
827 10.0.1.48 10.0.1.25 FTP Response: 200 PORT command successful.
828 10.0.1.25 10.0.1.48 FTP Request: TYPE A
829 10.0.1.48 10.0.1.25 FTP Response: 200 Type set to A.
830 10.0.1.25 10.0.1.48 FTP Request: LIST
....
991 10.0.1.48 10.0.1.25 TCP ftp-data > 5004 [SYN] Seq=0 Ack=0 Win=
992 10.0.1.25 10.0.1.48 TCP 5004 > ftp-data [SYN, ACK] Seq=0 Ack=1
993 10.0.1.48 10.0.1.25 TCP ftp-data > 5004 [ACK] Seq=1 Ack=1 Win=
994 10.0.1.48 10.0.1.25 TCP ftp > 1850 [ACK] Seq=787 Ack=240 Win=3
996 10.0.1.48 10.0.1.25 FTP Response: 150 Opening ASCII mode data c
997 10.0.1.48 10.0.1.25 FTP -DATA FTP Data: 208 bytes
998 10.0.1.48 10.0.1.25 TCP ftp-data > 5004 [FIN, ACK] Seq=209 Ack=
999 10.0.1.25 10.0.1.48 TCP 5004 > ftp-data [ACK] Seq=1 Ack=210 Win
1000 10.0.1.25 10.0.1.48 TCP 5004 > ftp-data [FIN, ACK] Seq=1 Ack=2
1001 10.0.1.48 10.0.1.25 TCP ftp-data > 5004 [ACK] Seq=210 Ack=2 Win
1002 10.0.1.25 10.0.1.48 TCP 1850 > ftp [ACK] Seq=240 Ack=842 Win
1003 10.0.1.48 10.0.1.25 FTP Response: 226 Transfer complete.
1020 10.0.1.25 10.0.1.48 TCP 1850 > ftp [ACK] Seq=240 Ack=866 Win=
1190 10.0.1.25 10.0.1.48 TCP 1850 > ftp [RST, ACK] Seq=240 Ack=866
W


The differences I noticed are, when a transfer is completed (line 1003)
first an ACK is sendet (1020) an then the RST,ACK (1190) cames along.

In the trace of the MFC FTP client ther was no ACK first, instead there
was a FIN,ACK.

Could this help to bring some light on this hidden problem?

Sebastian

 

[Galen]

In sfn <[email protected]> had this to say:

My reply is at the bottom of your sent message:

<sniP

The differences I noticed are, when a transfer is completed (line
1003) first an ACK is sendet (1020) an then the RST,ACK (1190) cames
along.

In the trace of the MFC FTP client ther was no ACK first, instead
there was a FIN,ACK.

Could this help to bring some light on this hidden problem?

Sebastian

Well what happens if you open the firewall, click on the Exceptions tab, add
a program, and set your FTP client to be allowed access?

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes

 

[sfn]

Well what happens if you open the firewall, click on the Exceptions tab, add

a program, and set your FTP client to be allowed access?

This is what I exactly did. The MFC-FTP client has allowed access.
The traces are with allowed access.
If not, then the firewall alerts me (but only in acitve FTP mode, in
PASV mode not).

Sebastian

 

[Galen]

In sfn <[email protected]> had this to say:

My reply is at the bottom of your sent message:

This is what I exactly did. The MFC-FTP client has allowed access.
The traces are with allowed access.
If not, then the firewall alerts me (but only in acitve FTP mode, in
PASV mode not).

Sebastian

I'm pretty much at a loss here. I'd say look for an updated version of that
client or use an alternative ftp client. If you paid for it contact the
authors to see if they have a fix for it.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes