SP2 Windows firewall and FTP dilemma

Wilson

Hello,

I use Windows XP Pro with SP2. I have turned on Windows
firewall and don't allow exceptions, and check none of
the services in advanced settings. But I can still use
an FTP client in PORT mode to talk with an FTP server
outside. The FTP server outside uses standard ports (21,
20).

I would like to know if Windows firewall has special
handling on FTP. Does it always accept inbound connections
from FTP server port 20? Is there any such information
from Microsoft's official web site? I have searched for 2
days but there is no related information about that.

Thank you very much.

Regards,
Wilson

Richard G. Harper

The firewall does not block all inbound traffic - it blocks unsolicited
inbound traffic. If it blocked all traffic your Internet Explorer (port 80)
would not work either. Since you are connecting to the FTP server, the
firewall correctly recognizes that the FTP traffic is in response to your
request to connect and allows it.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Wilson

Thanks. I agree that the firewall blocks unsolicited inbound
traffic. But if the FTP server uses non-standard ports, my
FTP client does not work in PORT mode when the firewall is
on. If the FTP server uses standard ports, my FTP client
does work in PORT mode when the firewall is on. So, I
wonder if the firewall has special handling on inbound
connection from FTP server port 20.

Matt DuBois [MSFT]

The firewall actually doesn't have any special handling for FTP, but there
is a service called the Application Layer Gateway service whose job is to
make FTP work with the XP firewall. Many 3rd party antivirus solutions use
FTP to get their updates, and many less technical users don't understand
that FTP requires an inbound connection from the server to work (for active
FTP anyway, passive FTP works the other way around). They see it as being
"just like IE" and expect it to just work.

The Application Layer Gateway service actually is a lot more intelligent
than just handling the inbound connection from the server on port 20. It
actually watches for the port command and opens a hole in the firewall only
for that specific port, only FROM that specific server, and only for the
duration of the FTP connection. It is also responsible for doing all the
appropriate magic to make active FTP from an ICS client work through the ICS
NAT.

Starting with XP SP2, we've also added the capability to disable the
Application Layer Gateway service if you don't want it running, and still be
able to use the firewall (though if you have ICS clients, they will be
restricted to passive FTP only). Formerly, the Application Layer Gateway
service was a dependency of the firewall's service, so you couldn't separate
them.

Hope this answers your question!

Regards,
Matt DuBois
--
This posting is provided AS IS with no warranties, and confers no rights.


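The behaviour Matt describes (stateful drop of unsolicited inbound traffic, plus an application-layer gateway that watches the FTP control channel for PORT and opens a pinhole only for that port, only from that server, only while the control session lasts) can be modelled in a few dozen lines. The following is an added example written for this thread, not Microsoft's code and not a description of the real service's internals. It assumes a toy packet model (source IP, source port, destination port, SYN flag), ties ALG inspection to control connections on port 21 (consistent with Wilson's observation that non-standard server ports do not get the special treatment, but an assumption of this model), and refuses to open a pinhole for any address other than the host's own. Addresses and ports are constructed sample values.

```python
"""Toy model of a stateful host firewall with an FTP application-layer gateway.

Rules modelled (from the thread's description, simplified):
  * non-SYN inbound packets are accepted only if they belong to a connection
    this host opened (stateful "solicited" traffic);
  * inbound SYNs are dropped unless the ALG opened a pinhole for them;
  * the ALG opens a pinhole only when it sees a well-formed PORT command on a
    port-21 control connection, only for the server at the other end of that
    connection, only for the single port named, and closes it when the
    control connection closes.
All names, addresses and the packet shape are constructed for this example.
"""
import re

# PORT h1,h2,h3,h4,p1,p2  (RFC 959 address/port encoding)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line):
    """Return (ip, port) for a valid PORT command, or None if the line is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None          # each field is a single octet
    port = p1 * 256 + p2
    if port == 0:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", port)


class StatefulFirewall:
    def __init__(self, local_ip, alg_enabled=True):
        self.local_ip = local_ip
        self.alg_enabled = alg_enabled
        self.outbound = set()   # (remote_ip, remote_port, local_port) opened by this host
        self.pinholes = {}      # (remote_ip, local_port) -> control session that opened it

    def connect_out(self, remote_ip, remote_port, local_port):
        key = (remote_ip, remote_port, local_port)
        self.outbound.add(key)
        return key

    def close(self, key):
        self.outbound.discard(key)
        # a pinhole lives exactly as long as the control session that opened it
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != key}

    def inspect_control(self, key, line):
        """ALG hook for each line the client sends on an FTP control connection.
        Returns True if a pinhole was opened."""
        if not self.alg_enabled or key not in self.outbound or key[1] != 21:
            return False
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        if ip != self.local_ip:
            return False      # never open a hole for an address that is not ours
        self.pinholes[(key[0], port)] = key   # only FROM this server, only this port
        return True

    def allow_inbound(self, src_ip, src_port, dst_port, syn):
        """Decide whether an inbound TCP packet is accepted."""
        if not syn:
            # reply traffic on a connection this host opened is solicited
            return (src_ip, src_port, dst_port) in self.outbound
        return (src_ip, dst_port) in self.pinholes


def demo(alg_enabled, server_port=21):
    """Walk one active-mode session through the model and report each decision."""
    fw = StatefulFirewall("192.0.2.10", alg_enabled=alg_enabled)
    ctl = fw.connect_out("198.51.100.5", server_port, 40001)
    control_reply = fw.allow_inbound("198.51.100.5", server_port, 40001, syn=False)
    fw.inspect_control(ctl, "PORT 192,0,2,10,156,66")   # 156*256+66 = 40002
    from_server = fw.allow_inbound("198.51.100.5", 20, 40002, syn=True)
    from_other_host = fw.allow_inbound("203.0.113.9", 20, 40002, syn=True)
    other_port = fw.allow_inbound("198.51.100.5", 20, 40003, syn=True)
    fw.close(ctl)
    after_close = fw.allow_inbound("198.51.100.5", 20, 40002, syn=True)
    return {
        "control_reply": control_reply,
        "from_server": from_server,
        "from_other_host": from_other_host,
        "other_port": other_port,
        "after_close": after_close,
    }


if __name__ == "__main__":
    print("ALG on, port 21:   ", demo(True))
    print("ALG off, port 21:  ", demo(False))
    print("ALG on, port 2121: ", demo(True, server_port=2121))
```

Run it with the ALG on and the data connection from the server is accepted while anything else to that port, or from anyone else, stays blocked; with the ALG off, or with a control connection on a non-standard port, only the stateful control-channel reply gets through and the PORT-mode data connection is dropped, which is the asymmetry Wilson observed.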

Wilson

Yes, the information is very helpful indeed.
Thank you very much.