Vista firewall - Active FTP


S

swnshp

I am confused about why the firewall in Vista is allowing active FTP
on my computer.

The Application Layer Gateway service is stopped.
My FTP client (FileZilla) is set to use Active FTP mode.
There is a rule setup to block unsolicited inbound TCP and UDP traffic
for FileZilla in the firewall.

When I do a directory listing, and a PORT command is issued, and the
server attempts to connect, it works, but at the same time a dialogue
appears telling me it's blocked, and I can keep blocking or unblock.
I choose keep blocking but it doesn't actually block it once.

I would like to find what is enabling the incoming connections, the
logs are giving nothing away.
 
Ad

Advertisements

A

Alun Jones

I am confused about why the firewall in Vista is allowing active FTP
on my computer.

The Application Layer Gateway service is stopped.
My FTP client (FileZilla) is set to use Active FTP mode.
There is a rule setup to block unsolicited inbound TCP and UDP traffic
for FileZilla in the firewall.

When I do a directory listing, and a PORT command is issued, and the
server attempts to connect, it works, but at the same time a dialogue
appears telling me it's blocked, and I can keep blocking or unblock.
I choose keep blocking but it doesn't actually block it once.

I would like to find what is enabling the incoming connections, the
logs are giving nothing away.

Me too - my one good theory, that the Application Layer Gateway was opening
the firewall hole (because if you send a PORT command, the connection back
is not really an "unsolicited inbound TCP" packet?) got blown away when I
realised that the ALG service isn't actually running.

This may be one of those "special" behaviours that FTP has, like on a home
firewall/router that knows that FTP traffic goes on port 21, and therefore
opens ports and translates IP addresses, so that the FTP traffic "just plain
works".

Sadly, although FTP is very much my thing, I don't actually know why it lets
this traffic through even after you've told it to get blocked.

[The first time, you could note that you didn't hit "Keep Blocked" until
after the transfer had already started - but even if that was a valid
argument, subsequent transfers also go through. My firewall settings include
a "File Transfer Program" rule, but that points to
%windir%\system32\ftp.exe, and you're using FileZilla.]

I'd love to see a good explanation on this from Microsoft, too.

Alun.
~~~~
 
S

swnshp

This may be one of those "special" behaviours that FTP has, like on a home
firewall/router that knows that FTP traffic goes on port 21, and therefore
opens ports and translates IP addresses, so that the FTP traffic "just plain
works".

Yes most home routers running linux have the FTP helper module which
looks at
the PORT commands and sets the appropriate NAT rules up and opens it
up.
My assumption was this is what the ALG does, and so it shouldn't when
stopped,
but yes, perhaps something else is doing this too.
I'd love to see a good explanation on this from Microsoft, too.

Me too, I might want to block this activity.
 
Ad

Advertisements

A

Alun Jones

Yes most home routers running linux have the FTP helper module which
looks at
the PORT commands and sets the appropriate NAT rules up and opens it
up.
My assumption was this is what the ALG does, and so it shouldn't when
stopped,
but yes, perhaps something else is doing this too.

Okay, it's almost completely undocumented, but here's what I think is going
on:

It _is_ something inside of the Windows Vista Firewall, called the
"connection inspection engine". As far as I can make out, there are two
connection inspection engines - one is for FTP, the other is for the PPTP
VPN protocol. It does exactly what you'd need to support FTP - no word as to
whether this is extended to ports other than 21 (or how, if it is), so I'd
assume that, like everyone else's FTP firewall modules, this only works on
port 21.
Me too, I might want to block this activity.

So, here's how you block it.

Open up the registry, and go down to key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
There's a value in there called "DisableStatefulFTP", set to 0.

If you want to disable the operation on the FTP channel, simply set
DisableStatefulFTP to 1. Not sure if you have to restart the firewall or
not.

[There's a DisableStatefulPPTP if you want to appear to allow PPTP, but
render it completely unusable, too.]

I can imagine this is almost undocumented because you either want to kill
FTP / PPTP completely (in which case, you just prevent their initial control
ports), or you want to allow them completely - you don't want to cripple
them so they almost nearly work.

But then, this raises another curious question ... if the firewall is doing
the stateful traffic inspection, and opening ports, what does the ALG
service do?

Alun.
~~~~
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top