NBAR discovery passive ftp

Hi guys,
I am trying to shape all FTP traffic on a 3700 router connecting to a LAN, so F0/0 is the WAN and F0/1 is the LAN port.
I have tried to use NBAR to shape HTTP or any other traffic, and that is all working fine. However, it seems like I am having problems dealing with passive FTP traffic.
The following is part of the configuration I have:
class-map match-any FTP
 match protocol ftp
policy-map FTP
 class FTP
  shape average 400000
int f0/1
 service-policy output FTP
 ip nbar protocol-discovery
end
wr
I am using an old IOS version, 12.3(22), on this router. I am wondering if this IOS's NBAR supports passive FTP discovery or not.
thanks.

Hi,
Have a look at this link:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#passiveftp
You may need to use an access list to define the passive FTP traffic and apply the access list to your class map.
Regards
Alex
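To make concrete what Alex's ACL approach can and cannot do, here is an added example (written for this page, not the poster's configuration and not Cisco's NBAR code) of the state a classifier has to keep to recognise passive FTP data connections. A port-based ACL can match the control channel on tcp/21 and, in active mode, the data connection the server opens from tcp/20; it cannot match a passive data connection, because the server picks that port when it answers PASV and announces it in the 227 reply (or in a 229 reply for EPSV, as in the CSS thread further down). The code parses those replies, remembers which data connection to expect, and flags announced ports that fall outside a firewall's configured passive range, which is the failure the Leopard firewall thread below describes. The client and server addresses and the control-channel lines are constructed for the example.

```python
"""Stateful recognition of FTP data connections from the control channel.

Added example, not the poster's configuration and not Cisco code. A port-based
ACL matches the control channel (tcp/21) and the active-mode data channel the
server opens from tcp/20; it cannot match a passive-mode data connection because
the server picks that port at runtime and announces it in a 227 (PASV) or 229
(EPSV) reply. NBAR's stateful FTP recognition, like `inspect ftp` on a PIX/ASA,
reads those replies and expects the resulting connection. The addresses and
control-channel lines used with this class are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Server -> client replies: 227 carries h1,h2,h3,h4,p1,p2; 229 carries only a port.
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
# Client -> server commands for active mode.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d{1,5})\|$")


def _host_port(groups):
    """Decode the six comma-separated PASV/PORT fields; None if malformed."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpControlSession:
    """One tcp/21 session between client_ip and server_ip."""
    client_ip: str
    server_ip: str
    # Firewall policy: the passive ports the administrator has opened (inclusive).
    passive_range: tuple = (1024, 65535)
    # Data connections announced but not yet seen: (src_ip, dst_ip, dst_port).
    pending: set = field(default_factory=set)
    # Passive ports announced outside passive_range (a static filter would drop these).
    out_of_range: list = field(default_factory=list)

    def _expect_passive(self, host, port):
        if port > 65535:
            return None
        lo, hi = self.passive_range
        if not lo <= port <= hi:
            self.out_of_range.append(port)
        # The client opens the data connection to the announced host and port.
        self.pending.add((self.client_ip, host, port))
        return host, port

    def server_reply(self, line):
        """Consume a server->client control line; return announced (host, port) or None."""
        m = PASV_RE.match(line)
        if m:
            hp = _host_port(m.groups())
            return self._expect_passive(*hp) if hp else None
        m = EPSV_RE.match(line)
        if m:
            # EPSV names no address: the data connection goes to the control peer.
            return self._expect_passive(self.server_ip, int(m.group(1)))
        return None

    def client_command(self, line):
        """Consume a client->server control line (active mode); return (host, port) or None."""
        m = PORT_RE.match(line)
        if m:
            hp = _host_port(m.groups())
            if hp is None:
                return None
            host, port = hp
        else:
            m = EPRT_RE.match(line)
            if not m:
                return None
            host, port = m.group(1), int(m.group(2))
        # In active mode the server connects (from tcp/20) to the client's announced port.
        self.pending.add((self.server_ip, host, port))
        return host, port

    def classify(self, src_ip, dst_ip, dst_port):
        """Label a new TCP connection: 'ftp-control', 'ftp-data', or None."""
        if dst_port == 21 and {src_ip, dst_ip} == {self.client_ip, self.server_ip}:
            return "ftp-control"
        key = (src_ip, dst_ip, dst_port)
        if key in self.pending:
            self.pending.discard(key)  # one announcement, one data connection
            return "ftp-data"
        return None
```

Feed the control channel through `server_reply` and `client_command`, then hand every new SYN to `classify`: only connections that were announced on the control channel come back as `ftp-data`, and each announcement is consumed by exactly one connection. Whatever ends up in `out_of_range` is a transfer that would stall behind a firewall that only opens a fixed port range, even though the FTP exchange itself is valid.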

Similar Messages

  • Passive FTP Port Range -- Server 10.3.x Panther

    I know that the port range for Passive FTP is >1024, but I want to restrict that to a smaller group of unused ports so that I can specify that those ports are open in the Firewall.
    Can I define this port range, and if so, how and where?

    I just opened from 13658-65534 and this seems to be fine (although not been running very long). I took the view that opening a stack of ports was not really any worse than just opening a quarter as much. Arguably, it's no worse than just opening one.
    However, we only use it from time to time and FTP services is off unless specifically required. If I was going to run it for serious use I think I would put it on a dedicated server and put it in a DMZ.
    Reading up on FTP security is on my To-Do list...
    -david
    [EDIT] The server is also well locked down for SSH.

  • Help Toggling Passive FTP

    I have a problem with my FTP server, or something. I have created a site, set it up, where the files need to go etc., but when I test my connection it times out and says to try toggling the passive FTP mode. Where do I find this? I have looked everywhere (or so I think). Any help is useful at this point.
    Thanks
    T.Sanchez

    Site Definition > Advanced Tab > Remote Site
    Likely that's not the problem, but give it a try....
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    ==================

  • CSS and Extended Passive FTP problem.

    Hi everyone.
    I'm having a problem setting up a load-balanced cluster of FTP servers behind a CSS 11506.
    I can FTP into the cluster fine. I am redirected to one of the machines in a round-robin fashion and can log in. The problem arises on Macs, where typing an ls command returns this:
    ftp> ls
    229 Entering Extended Passive Mode (|||32999|)
    200 EPRT command successful
    421 Service not available, remote server timed out. Connection closed
    Now, if I type in the EPSV command and disable Extended Passive Mode prior to connecting to it, it works fine.
    Also, connecting to any of the servers directly with EPSV enabled works fine as well.
    We have over 800k hits per month and telling everyone to disable EPSV will be a problem. Is there a way to enable extended passive mode through the CSS?
    Here is my config:
    Group: ftpServers1 - Active (198.202.122.181 Not Redundant)
    Session Redundancy: Disabled
    Last Clearing of Stats Counters: 03/20/2007 14:28:25
    Associated ACLs: NONE
    Source Services:
    DNS
    Name: Hits: State: Load: Trans: Keepalive: Conn:
    rem_ftp1 19857 Alive 44 6 FTP 0
    rem_ftp2 38175 Alive 87 0 FTP 0
    Destination Services:
    NONE
    Group Service Total Counters:
    Hits/Frames/Bytes: 58032/58339/4277264
    Connections Total/Current: 25/0
    FTP Control Total/Current: 0/0
    CSS11506# show rule pdb ftp-rule1
    Name: ftp-rule1 Owner: pdb
    State: Active Type: FTP
    Balance: Round Robin Failover: N/A
    Persistence: Enabled Param-Bypass: Disabled
    Session Redundancy: Disabled
    IP Redundancy: Not Redundant
    L3: 198.202.122.181
    L4: TCP/21
    Url:
    Redirect: ""
    TCP RST client if service unreachable: Disabled
    Rule Services & Weights:
    1: rem_ftp1-Alive, S-1
    2: rem_ftp2-Alive, S-1
    Thanks
    Boki

    EPSV is not supported.
    The only workaround available to load balance passive FTP servers is to use the "PASV" command instead of "EPSV" on the clients.
    Syed Iftekhar Ahmed

  • ACE access-list and Passive FTP

    Can servers sitting behind the ACE successfully FTP files if the following rules are in place?
    access-list word line x extended permit tcp source destination eq 21
    access-list word line y extended permit tcp source destination eq 20
    With those lines I can establish an FTP session, but I am unable to transfer files.
    With the following statement, passive FTP works:
    access-list word line x extended permit ip source destination
    Is this because the ACE ACL does not allow for stateful inspection of an FTP session?
    Thank you

    You are right, the lack of fixup/inspect is the reason for the FTP connections failing.
    You need something along the lines of the following config:
    class-map match-all FTP-Traffic
      2 match port tcp eq ftp
    policy-map multi-match xyz
      class FTP-Traffic
        inspect ftp
    Syed Iftekhar Ahmed

  • Passive FTP and the Leopard firewall

    Hi,
    We have a staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive FTP only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the server admin GUI) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
    We have the FTP service enabled on ports 20-21 and the FTP service PASV port range enabled, 49152-65535.
    If I add the uploading computers' IP addresses to an access group with no port restrictions on the firewall, the uploads are always successful.
    With my very limited knowledge of FTP and firewalls, this suggests that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
    Or am I totally confused and should I be looking elsewhere?
    Thanks,
    Ross Glover

    By default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
    passive ports 0.0.0.0/0 49152 65535
    ...then restart the FTP service and retest.

  • AIR installer Passive FTP?

    Our AIR app uses the AIR badge installer to update our client's desktop app. However, we've noticed a lot of our users get these half-baked installer files (literally, the installer file they get is half the size of what it should be). The cloud server hosting the installer is fine, the file itself is fine, but people aren't getting the whole file.
    Is there a setting on AIR's installer to use passive FTP? Or some way to guarantee the user actually gets the entire file? Is this a known issue with the installer badge?
    Thanks!

    Hi,
    There are a bunch of FTP libraries that support passive transfer. Use Google, or look at the following link:
    http://freshmeat.net/projects/javaftp/
    /Kaj

  • About passive ftp mode?

    In Proxies, Passive FTP Mode is checked, and in the box "*.local, 169.254/16" is always visible. My internet is a WiMAX Wi-Fi dongle. Can I uncheck this box without it affecting my Wi-Fi connection?
    Something very strange is happening when I connect via Wi-Fi to my WiMAX. My AirPort menu shows I am connected to uroad458930, which is my correct network address, but there is also another network showing, uroad458931. This address is only visible when I connect to my WiMAX. Both addresses disappear from the menu when I switch off the WiMAX dongle and both appear when I switch it on.

    Thank you for your answer.
    Yes, according to those slides it looks like PASV mode is tried first...
    But why do I get the following exception?
    sun.net.ftp.FtpProtocolException: PORT :500 Illegal PORT command, EPSV ALL in effect
        at sun.net.ftp.FtpClient.openDataConnection(FtpClient.java:381)
        at sun.net.ftp.FtpClient.get(FtpClient.java:485)
        at sun.net.www.protocol.ftp.FtpURLConnection.getInputStream(FtpURLConnection.java:284)
        at imageviewer.threads.DicomDirLoaderThread.run(DicomDirLoaderThread.java:124)
        at java.lang.Thread.run(Thread.java:534)
    If I write the FTP URL that I use in my Java code in my browser's address bar, the file is regularly downloaded.
    Any help / suggestion would be greatly appreciated.
    Thank you,
    Marco.

  • Passive FTP in PIX 6.3(5)106

    Dear All,
    How can I allow passive FTP communication in PIX 6.3(5)106?
    Thank You,
    Abhisar.

    Is this for outbound or inbound FTP?
    For outbound FTP:
    1) Configure:
    fixup protocol ftp 21
    2) Then if you have any access-list on the inside interface, allow tcp/21
    For inbound FTP:
    1) Configure:
    fixup protocol ftp 21
    2) Configure static NAT statement for the FTP server
    3) Configure access-list on the outside interface to allow TCP/21 on the NATed IP.

  • Active and Passive FTP

    Hi
    I want to set up a passive FTP proxy service and an active one in Oracle Service Bus 10.3. What is the best way of doing this?
    Regards

    see support note 860423.1
    Oracle Service Bus FTP transport is implemented to use passive mode in proxy services (inbound) and active mode in business services (outbound).
    This behavior can be changed and OSB can be forced to use passive mode for both inbound and outbound FTP requests by applying a patch.

  • Passive FTP?

    I'm sure the root cause is probably outside of Dreamweaver, but out of the blue Dreamweaver has lost the ability to connect to any of my previously set up sites unless I change the FTP mode to passive.
    I know Saratoga Sam asked this question just over a week ago, but as he did not get any solution and as I've just started experiencing the same thing, I thought I'd ask if anyone else has suddenly started being told to use Passive FTP by Dreamweaver.
    Any input greatly appreciated.
    Thanks
    Phill
    P Hellewell
    P&M Software
    Maintenance Management Software
    http://www.pmsoftware.co.uk

    You'll find many posts here over the years resulting from problems with NIS. Frankly, I would never let anything Norton touch my hardware.... 8)
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com - Template Triage!
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================
    "Phill Hellewell (pmsoftware)" <[email protected]> wrote in message news:eub24b$lh$[email protected]..
    > "Murray *ACE*" <[email protected]> wrote in message
    >
    >> Such problems are almost always due to a change in the properties of your local firewall. What firewall are you running and what has changed?
    >
    > Norton Internet Security.
    >
    > I haven't changed anything. Norton Internet Security might have changed something itself during an update. I'll have to have a look. I suppose I was hoping someone might have encountered the same problem, a la FTP passwords and IE7 (resolved with update 8.02).
    >
    > Ho hum! I'll go and have a poke around and see what I can find.
    >
    > Thanks
    >
    > Phill
    >
    > P Hellewell
    > P&M Software
    > Maintenance Management Software
    > http://www.pmsoftware.co.uk

  • Passive FTP ports allowed through firewall

    I need to allow a connection through my firewall for a passive FTP connection.
    I figure I should create a service defining the ports. What ports should I include in that service?

    You should enable FTP inspection and allow tcp/21; then everything should be detected on the fly.
    Michael
    Please rate all helpful posts

  • Let's Revisit MacOS Server's Passive FTP Problem

    Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections. More often than not, this means that clients behind NAT routers (for a variety of complicated reasons) can't discover which of the "high ports" are being used in their passive connection. Furthermore, the Mac OS X administrator would have to open every port above 1024 to anticipate connections, severely weakening the security of the system.
    The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
    Here's a primer on the difference between Active and Passive FTP:
    http://slacksite.com/other/ftp.html
    Apple introduced a "solution" to the problem by making this addition to the Network Services manual sometime around 10.3 server:
    "See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service. "
    This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations. The typical workaround was choppy, but workable: replace Apple's built-in FTP daemon with a fully configurable one like ProFTPd or PureFTPd, configure a narrow range of ports for your own security, and configure your firewall to match.
    We're on Tiger server now and that's still in the Network Services manual. Leopard or whatever is looming. Will Apple ship an FTP server that works out-of-the-box with its own firewall this time? Any new thoughts or solutions?

    I think you need to do a little more research on FTP. Most of the actual problems you describe are inherent in FTP and nothing to do with any kind of Apple-inhibited FTP server.
    For example, you say:
    > Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections
    Not true. You can choose whatever port range you like using the portrange directive in /etc/ftpd.conf
    By default this directive isn't set so the entire port range is used. Feel free to change that.
    >The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
    This is an inherent flaw in FTP, suffered by every FTP server on the market. Nothing to do with Apple.
    > This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations
    Again, incorrect. The suggestion was a workaround for the FTP protocol restriction, not for Apple's implementation. I've been dealing with the exact same issues for years on various Sun servers I've run.
    Most of the problems you describe regarding FTP and firewalls won't be solved at all in any future OS update - from any vendor. FTP was never designed with firewalls and security in mind. The only solution is to fix the underlying protocol, or use something different altogether.

  • Active vs. Passive FTP?

    Can someone explain in lay terms the difference?

    bobtem wrote:
    > Can someone explain in lay terms the difference?
    Try this:
    http://slacksite.com/other/ftp.html
    In my experience, if you have a router or firewall on your computer or network, then you should select passive.
    If your ftp server is on the same physical network as your client, then use passive. This is because there are no firewalls blocking access to the random ports that the ftp server will open for the client.
    Dooza

  • NAT: Passive FTP with non standard port

    Hi all,
    I have an ASA 5515 and four FTP servers. Currently I have everything configured properly for three of the servers that I need. For the fourth I have two possibilities:
    1) use the IP configured for the external interface.
    2) use one of the IPs used for the other FTP servers but with another port.
    Is option 1 possible? I did not succeed.
    I was then trying to use this configuration:
    <public ip>:2121 -> <internal ip>:21
    <public ip>:2120 -> <internal ip>:20
    The problem is that I can log in but cannot access the folders.
    I changed the service policy as well but it is still not working:
    class-map inspection_default
    match default-inspection-traffic
    class-map FTP-2121
    match port tcp range 2120 2121
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect esmtp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    class FTP-2121
      inspect ftp
    Here is the output of sh service-policy:
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
          Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0
          Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0
          Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
          Inspect: http, packet 1581437285, lock fail 0, drop 0, reset-drop 0
          Inspect: netbios, packet 105420, lock fail 0, drop 0, reset-drop 0
          Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0
          Inspect: rsh, packet 7, lock fail 0, drop 0, reset-drop 0
          Inspect: rtsp, packet 3857828, lock fail 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
          Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
                   tcp-proxy: bytes in buffer 0, bytes dropped 0
          Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
          Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
        Class-map: FTP-2121
          Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0

    Hi bro
    If I were you, to achieve this requirement, I wouldn't use MPF. Too much work for a simple requirement. What I would do is as shown below:
    static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255
    static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255
    access-list acl_outside permit tcp any host 202.188.1.14 range 20 21
    access-group acl_outside in interface outside
    Note: Please remove all the MPF commands that you've inserted, back to default.
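Both the PIX answer above (fixup protocol ftp 21 plus a static NAT) and this ASA thread rely on the same mechanism, so here is an added example (written for this page, not the poster's configuration and not Cisco code) of what the FTP ALG does for an inbound passive transfer to a server behind static NAT. The server answers PASV with its private address in the 227 line; forwarded unchanged, the outside client tries to connect to an unreachable address and the session hangs right after login, which is the "can log in but cannot access the folders" symptom. The ALG rewrites the address to the mapped public one and opens a pinhole for exactly that data connection. The private and public addresses are the ones in the reply above; the 227 and 229 lines are constructed. One caveat: whatever rewrites the reply has to see the control channel, and the ASA's default inspection class only matches FTP on tcp/21, so a control channel mapped to another port needs its own class before inspect ftp applies to it.

```python
"""Rewrite a PASV reply for an FTP server behind static NAT and open the pinhole.

Added example, not the poster's configuration and not Cisco code. A server
with a private address answers PASV with that private address in the 227 line.
An FTP ALG (`fixup protocol ftp 21` on PIX, `inspect ftp` on ASA) rewrites the
address to the mapped public one and opens a temporary hole for that single
data connection. The addresses are the ones from the ASA reply above; the
control-channel lines used with this class are constructed.
"""
import re

PASV_FIELDS = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


class FtpNatAlg:
    def __init__(self, private_ip, public_ip):
        self.private_ip = private_ip
        self.public_ip = public_ip
        # Open pinholes: (public_ip, port) -> (private_ip, port)
        self.pinholes = {}

    def rewrite_reply(self, line):
        """Return the server reply as it should be forwarded to the outside client."""
        if not line.startswith("227 "):
            # 229 (EPSV) names no address, so there is nothing to rewrite; the
            # client connects to the control peer, which is already the NATed
            # address. A pinhole is still needed; it is left out here.
            return line
        m = PASV_FIELDS.search(line)
        if m is None:
            return line
        host = ".".join(m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        if host != self.private_ip or port > 65535:
            # Not the address we translate: forward untouched. A real ALG would
            # log this, since a malicious reply could try to steer the client
            # toward a third party.
            return line
        self.pinholes[(self.public_ip, port)] = (self.private_ip, port)
        octets = self.public_ip.replace(".", ",")
        rewritten = f"({octets},{port // 256},{port % 256})"
        # The payload length changes, so a real ALG must also adjust TCP
        # sequence and acknowledgement numbers for the rest of the session.
        return line[:m.start()] + rewritten + line[m.end():]

    def translate_inbound(self, dst_ip, dst_port):
        """Translate an inbound data SYN through its pinhole (consumed on use); None if closed."""
        return self.pinholes.pop((dst_ip, dst_port), None)
```

The reply is passed through `rewrite_reply` on its way out and every inbound SYN to the public address is checked with `translate_inbound`; a SYN to a port that was never announced, or to one already used, gets `None` and should be dropped, which is why a static permit for a whole port range is a weaker substitute for inspection.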
