FTPS - Can't Open Data Connection over WAN

0

1

Here is my setup,

  • 1 Windows 2008 R2 Standard Box w/ G6 FTP Server installed
  • G6 is configured to use explicit SSL connections only (TCP:990)
  • 1 WatchGuard Firebox Firewall (between server and internal network)

So, I can connect without issue and list directories on the FTPS server when I connect to the server while I am connected to the LAN (actually, RDP'd into the Win 2k8 box, you get the idea), but when I try to connect remotely to the FTPS site I can't seem to list the home directory of the user that I have configured on the server:

13/05/29 20:00:48, 39, 98.208.xx.xx, , new connection from 98.208.xx.xx on 10.1.2.252:990 (Explicit SSL only)
13/05/29 20:00:48, 39, 98.208.xx.xx, , hostname resolved : c-98-208-xx-xx.hsd1.ca.comcast.net
13/05/29 20:00:48, 39, 98.208.xx.xx, , sending welcome message.
13/05/29 20:00:48, 39, 98.208.xx.xx, , 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
13/05/29 20:00:48, 39, 98.208.xx.xx, , AUTH TLS
13/05/29 20:00:48, 39, 98.208.xx.xx, , 234 AUTH command ok; starting SSL connection.
13/05/29 20:00:48, 39, 98.208.xx.xx, , establishing encrypted session
13/05/29 20:00:48, 39, 98.208.xx.xx, , USER username
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 331 Password required for username.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PASS ****
13/05/29 20:00:48, 39, 98.208.xx.xx, username, logged in as "username".
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 230 User username logged in.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, SYST
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 215 UNIX Type: L8
13/05/29 20:00:48, 39, 98.208.xx.xx, username, FEAT
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 211-Extensions supported:
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  AUTH TLS
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  CCC
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  CLNT
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  CPSV
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  EPRT
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  EPSV
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  MDTM
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  MFCT
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  MFMT
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  MLST type*;size*;create;modify*;
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  MODE Z
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  PASV
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  PBSZ
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  PROT
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  REST STREAM
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  SIZE
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  SSCN
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  TVFS
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  UTF8
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  XCRC "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  XMD5 "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username,  XSHA1 "filename" SP EP
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 211 End.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, CLNT FileZilla
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Noted.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, OPTS UTF8 ON
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 UTF8 OPTS ON
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PBSZ 0
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 PBSZ=0
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PROT P
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 PROT command successful.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PWD
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 257 "/" is current directory.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, TYPE I
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Type set to I.
13/05/29 20:00:48, 39, 98.208.xx.xx, username, PORT 98,208,65,76,34,82
13/05/29 20:00:48, 39, 98.208.xx.xx, username, 200 Port command successful.
13/05/29 20:00:49, 39, 98.208.xx.xx, username, MLSD
13/05/29 20:01:01, 38, 98.208.xx.xx, username, 425 Cannot open data connection.
13/05/29 20:01:01, 38, 98.208.xx.xx, username, disconnected. (00d00:00:22)
13/05/29 20:01:10, 39, 98.208.xx.xx, username, 425 Cannot open data connection.
13/05/29 20:01:10, 39, 98.208.xx.xx, username, disconnected. (00d00:00:22)

Now, I am well aware that FTP requires both a DATA (TCP/20) and a SESSION (TCP/21) port to be opened, but considering I am not using port 21, how do I determine what data port I am using, given that I am using port 990 over SSL (FTPS)?

I have opened port 20, port 21 and port 990 as a test on both the internet-facing firewall and the Windows server firewall, but I still can't get a directory listing when I connect over the internet. I have attempted to connect using both ACTV and PASV methods in FileZilla and still no dice. I remember back in the day that this sort of issue is usually due to active and passive connections, but the details are murky in my mind. And if this was all due to active or passive, why would I be able to get a directory listing when I connect from the LAN side of the network?

The permissions on the folder being shared with this user have full perms granted to everybody just to eliminate that as being the issue behind why I can get a directory listing.

So my question is: what exactly is going on here? Why can I not get a data connection via the WAN but I can via the LAN? Is this somehow due to explicit SSL? An active/passive issue?

Here is the log output from a successful local FTPS session:

13/05/29 20:16:32, 40, 10.1.2.252, , new connection from 10.1.2.252 on 10.1.2.252:990 (Explicit SSL only)
13/05/29 20:16:32, 40, 10.1.2.252, , hostname resolved : IMSSERVER.alpine.local
13/05/29 20:16:32, 40, 10.1.2.252, , sending welcome message.
13/05/29 20:16:32, 40, 10.1.2.252, , 220 Gene6 FTP Server v3.10.0 (Build 2) ready...
13/05/29 20:16:32, 40, 10.1.2.252, , AUTH TLS
13/05/29 20:16:32, 40, 10.1.2.252, , 234 AUTH command ok; starting SSL connection.
13/05/29 20:16:32, 40, 10.1.2.252, , establishing encrypted session
13/05/29 20:16:32, 40, 10.1.2.252, , USER username
13/05/29 20:16:32, 40, 10.1.2.252, username, 331 Password required for username.
13/05/29 20:16:32, 40, 10.1.2.252, username, PASS ****
13/05/29 20:16:32, 40, 10.1.2.252, username, logged in as "username".
13/05/29 20:16:32, 40, 10.1.2.252, username, 230 User username logged in.
13/05/29 20:16:32, 40, 10.1.2.252, username, CLNT FileZilla
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Noted.
13/05/29 20:16:32, 40, 10.1.2.252, username, OPTS UTF8 ON
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 UTF8 OPTS ON
13/05/29 20:16:32, 40, 10.1.2.252, username, PBSZ 0
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 PBSZ=0
13/05/29 20:16:32, 40, 10.1.2.252, username, PROT P
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 PROT command successful.
13/05/29 20:16:32, 40, 10.1.2.252, username, PWD
13/05/29 20:16:32, 40, 10.1.2.252, username, 257 "/" is current directory.
13/05/29 20:16:32, 40, 10.1.2.252, username, TYPE I
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Type set to I.
13/05/29 20:16:32, 40, 10.1.2.252, username, PORT 10,1,2,252,220,229
13/05/29 20:16:32, 40, 10.1.2.252, username, 200 Port command successful.
13/05/29 20:16:32, 40, 10.1.2.252, username, MLSD
13/05/29 20:16:32, 40, 10.1.2.252, username, 150 Opening data connection for directory list.
13/05/29 20:16:32, 40, 10.1.2.252, username, establishing encrypted session
13/05/29 20:16:32, 40, 10.1.2.252, username, 226 Transfer ok.

Richie086

Posted 2013-05-30T03:23:04.773

Reputation: 4 299

I probably should mention that the WatchGuard Firewall has a TON of options for FTP proxy stuff (like blocking certain FTP commands over the WAN). By default, I have all of the FTP proxy options set to allow all commands that the fw has available in regard to FTP. I can post screenshots if needed... not sure if that's the culprit though. – Richie086 – 2013-05-30T03:27:53.153

You say it works from the LAN, but you seem to say that you tested that by RDPing directly to the 2K8 box that hosts the FTP site; if that's the case, then that's not really a LAN test(?). – Ƭᴇcʜιᴇ007 – 2013-05-30T04:05:26.933

Answers

1

I'm pretty sure you're on the right track with it being an active/passive problem.

You almost always need to use passive when going through a NAT router or firewall.

The trick with Passive FTP and NAT/Firewalls is that you need to specify a passive port range the FTP server can use, and then forward that port range through the firewall into the FTP server.

Set up the FTP server to use passive connections, and specify a set of about 1000 TCP ports. We use 50000-51000.

Additionally, the FTP server will/should have a place in its passive setup to specify the outside IP address (not sure about G6, but FileZilla offers an IP resolver service for dynamic IPs as well); this will also need to be provided.

You need port 990 open for FTPS; having port 21 still answer helps, as it can be used for Explicit FTP over TLS. Port 20 shouldn't be needed.

Ƭᴇcʜιᴇ007

Posted 2013-05-30T03:23:04.773

Reputation: 103 763

Yet again Techie007, you have saved the day! That was exactly the issue. I set the FTP server to use a range of PASV ports and everything is now working over the WAN. You rock! – Richie086 – 2013-05-30T04:31:07.240
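As an added example (not code from the question, the answer, or Gene6), the Python below decodes the two PORT commands from the logs to show what each active-mode transfer asks the server to do, and checks a constructed 227 PASV reply against the answer's advice: a data port inside the forwarded 50000-51000 range and the outside address advertised. Because the control channel is encrypted after AUTH TLS, the WatchGuard FTP proxy cannot read or rewrite those addresses, so the server's own passive settings have to be right. The outside address 203.0.113.10 is a placeholder, and the WAN peer address is assumed to match the host in its PORT command (the log masks it).

```python
import ipaddress
import re

# Constructed for this example from the two PORT commands quoted in the question and the
# passive range quoted in the answer; the outside address is a TEST-NET-3 placeholder.
WAN_PEER, WAN_PORT_ARG = "98.208.65.76", "98,208,65,76,34,82"  # peer assumed to equal PORT host
LAN_PEER, LAN_PORT_ARG = "10.1.2.252", "10,1,2,252,220,229"
PASSIVE_RANGE = range(50000, 51001)   # the answer's 50000-51000, inclusive
PUBLIC_IP = "203.0.113.10"            # placeholder for the server's outside (WAN) address

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode an RFC 959 h1,h2,h3,h4,p1,p2 field (PORT argument or 227 reply body)."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host-port field in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_active(peer_ip, port_arg):
    """Active mode: the server must connect *out* to the client address given in PORT.
    A NAT or stateful firewall in front of the client drops that inbound connection (425)."""
    ip, port = parse_hostport(port_arg)
    notes = [f"server must connect out to {ip}:{port}"]
    if ip != peer_ip:
        notes.append("PORT host differs from the control-connection peer: client is behind NAT")
    if ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(peer_ip).is_private:
        notes.append("private address advertised to a WAN server: unreachable")
    return ip, port, notes

def check_passive_reply(reply_227, public_ip, passive_range):
    """Passive mode: the client connects *in* to what the server advertises in 227. With AUTH TLS
    the firewall cannot read or rewrite that reply, so the server must advertise correctly."""
    ip, port = parse_hostport(reply_227)
    problems = []
    if port not in passive_range:
        problems.append(f"port {port} outside forwarded range "
                        f"{passive_range.start}-{passive_range.stop - 1}")
    if ip != public_ip:
        problems.append(f"advertised {ip}, expected outside address {public_ip}")
    return ip, port, problems

if __name__ == "__main__":
    for label, peer, arg in (("WAN", WAN_PEER, WAN_PORT_ARG), ("LAN", LAN_PEER, LAN_PORT_ARG)):
        print(label, *check_active(peer, arg))
    # Constructed 227 replies: a leaked private address (common misconfiguration) and a correct one.
    for reply in ("227 Entering Passive Mode (10,1,2,252,195,88)",
                  "227 Entering Passive Mode (203,0,113,10,195,88)"):
        print(*check_passive_reply(reply, PUBLIC_IP, PASSIVE_RANGE))
```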