
Re: gFTP problems?



On Saturday 05 July 2003 11:52 pm, Martin WHEELER wrote:
> Solutions suggested so far have been to turn off, or make completely
> transparent, any firewall between you and them (!!!); or to turn off
> passive ftp mode.  (makes no difference, incidentally)

It sounds like they are now denying all incoming connections on non-standard 
ports -> i.e. they will accept 21 for FTP and 80 for WWW, but not much else.

I can understand why they've done this, since it closes a lot of possibilities 
for remote shells / backdoor exploits.

In passive mode, their server must allow incoming connections on some 
arbitrary TCP ports, but in non-passive (active) mode, it is /your/ computer 
that must allow the incoming connections.

The fact that some people using CuteFTP got it to work is pretty irrelevant - 
they're probably using ADSL modems directly connected to their Windows PC, 
and so have a direct non-firewalled connection capable of receiving TCP 
connections on strange ports.

I'm guessing you're either actually firewalled, or are simply doing IP MASQ 
which will have much the same effect.

You might want to look into the FTP connection-tracking module, since I 
believe this will deal properly with active FTP by actually watching the FTP 
connection data pass through, and will do some magic when it sees the PORT 
command (not PASV !) being issued...

Cheers,
Gavin.
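
The following is an added example, not part of the original message: a Python sketch of what an FTP connection-tracking helper has to read off the control channel to know which side must accept the data connection. The function names and the sample traffic (addresses included) are constructed for illustration.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two bytes, high byte first
    return ip, port

def expected_data_connections(control_lines):
    """Scan control-channel lines and report who must accept each data connection."""
    expectations = []
    for line in control_lines:
        line = line.strip()
        if line.upper().startswith("PORT "):
            # Active mode: the client announces its own address and the
            # server connects in to it, so the client side must allow it.
            hp = decode_hostport(line[5:])
            if hp:
                expectations.append(("active", "client", hp[0], hp[1]))
        elif line.startswith("227"):
            # Passive mode: the server announces a listening port and the
            # client connects out to it, so the server side must allow it.
            hp = decode_hostport(line[3:])
            if hp:
                expectations.append(("passive", "server", hp[0], hp[1]))
    return expectations

# Constructed sample control-channel traffic. The PORT line carries a private
# address, as a masqueraded client would send before any rewriting.
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,195,80",
    "200 PORT command successful.",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,78,52)",
]

if __name__ == "__main__":
    for mode, listener, ip, port in expected_data_connections(SAMPLE):
        print(f"{mode}: {listener} must accept inbound TCP on {ip}:{port}")
```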


