- FTP PORT Command problem stumped me
- Posted by Atreju on December 14th, 2006
Hello,
I've got a server running Serv-U FTP. I have a Sonicwall firewall.
I have been getting some hammer attempts, so I decided to block the
default FTP ports and use a custom port.
I set up a service in my firewall and it is being forwarded as would be
port 21. The NAT is not a problem, it is getting through successfully
to the internal server. However: I'm getting this error:
"only client ip address allowed for port command"
When trying to connect from outside.
I assume this has something to do with my firewall, because from
inside it's not a problem.
I need a solution - firstly, do I use "passive" transfers? For the
life of me I've never been able to see a consistent behavior with
either yes or no. If I am to use passive transfers, Serv-U has a
checkbox "allow passive transfer mode, use the following IP" and
there's a box for an IP. The client is connecting to my server using a
dynamic DNS name, and my system COULD in theory get a new IP address,
so I don't know how I would use an IP address in this field... and I
don't know what I would use anyway - my WAN IP, local IP what?
Basically, I just need this to work.
Any suggestions please are very welcome, thanks.
---Atreju---
- Posted by why? on December 14th, 2006
On Thu, 14 Dec 2006 17:38:15 -0500, Atreju wrote:
Server should be a static address on your LAN.
Block ports and custom port, should that be custom ports?
Don't forget it's port 21 commands and maybe port 20 for data.
www.google.com for the above?
Only client IP address allowed for PORT command
Only client IP address allowed for PORT command SmartFTP :: Support ::
Knowledge Base.
http://www.smartftp.com/support/kb/o...-port-f22.html
SmartFTP Knowledge Base Export
Only client IP address allowed for PORT command, #22. The server is
blocking foreign IP addresses in a FXP attempt. If SmartFTP cannot
resolve the problem ...
www.smartftp.com/support/kb/export.php
For a FW, PASV. IIRC the FTP external client creates the 2 connections
rather than the FW having to filter.
You may have to allow port 21 for the initial command connection, then
the client requests PASV and the client / server does the open 2 ports
over 1023.
Again www.google.com there are a lot of articles about it.
Sign up for the DynDNS fixed address, if your IP doesn't change often.
Try http://www.portforward.com/routers.htm even if there isn't an entry
for your FW/Router the basics are the same.
The port forwarding is the WAN IP (DynDNS entry) to the static IP of the
server.
Try harder :-)
Not forgetting www.google.com
Port Forwarding on the Sonicwall TZ-150 Wireless Router
Port forwarding setup for Sonicwall TZ-150 Wireless Internet router.
Step 2: In the menu on the left side of the page, look for the Firewall
menu and then ...
http://www.no-ip.com/support/guides/...sonicwall.html
SonicWALL Firewall Router Setup. Firewall SonicWALL technical ...
SonicWALL Hardware Firewall Setup. Managed SonicWALL Firewall Services
by Farpost.NET.
www.farpost.com/sonicwall_firewall_setup.php
Sonicwall SOHO Internet Security Appliance - PracticallyNetworked.com
You won't find this feature in the SOHO, since SonicWall's focus is ...
Port Range Forwarding: You can set access rules on up to 128 single TCP,
UDP, ...
www.practicallynetworked.com/review.asp?pid=337
Firewalls: Sonicwall "Enhanced" port forwarding...
I hope I'm just being stupid. I have a sonicwall 4060, and it has the
Sonicwall Enhanced firmware on it. I have forwarded ports successfully
on early models ...
http://www.experts-exchange.com/Secu..._21709204.html
Me
- Posted by Atreju on December 14th, 2006
On Thu, 14 Dec 2006 22:58:52 GMT, why?
<fgrirp*sgc@VAINY!Qznq.fpvragvfg.pbz> wrote:
It is, of course
I may have resolved the problem - it seems there's an inherent problem
in having NAT on both sides, where one won't translate the ephemeral
ports for passive mode. What I did was create a NAT policy so the
server is really listening on the default ports 21 and 20 (so there's
nothing to have to translate on the way out - the NAT traversal
happens for FTP by default apparently) and the client has to access it
by using the custom port. It seems to be working (well, only for one
piece of software but I probably just need to reconfigure something in
the other).
Plenty of articles/posts/etc. but no actual solution except I just
read an article which indicates there is really no easy solution. What
I did seems to be the best way around the problem.
SNIP
Thanks for responding.
---Atreju---
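
The two address checks this thread turns on, as an added example that is not part of any post above and is not Serv-U's or SonicWALL's code: the server-side comparison behind "Only client IP address allowed for PORT command", and a test of whether the address advertised in a passive-mode 227 reply is one an outside client can reach. All function names and addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a client on the Internet cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_host_port(arg):
    """Decode h1,h2,h3,h4,p1,p2 as used by PORT and the 227 PASV reply."""
    parts = [int(x) for x in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port argument: %r" % arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def port_command_allowed(arg, control_peer_ip):
    """Server-side check: the PORT target must be the control connection's peer."""
    host, _port = parse_host_port(arg)
    return ipaddress.ip_address(host) == ipaddress.ip_address(control_peer_ip)

def pasv_reply(advertised_ip, port):
    """Build the 227 reply announcing where the server listens for data."""
    hosts = ",".join(advertised_ip.split("."))
    return "227 Entering Passive Mode (%s,%d,%d)" % (hosts, port // 256, port % 256)

def pasv_target_reachable(reply):
    """False when the 227 reply advertises an RFC 1918 (LAN-only) address."""
    m = re.search(r"\((\d+(?:,\d+){5})\)", reply)
    if not m:
        raise ValueError("no host-port tuple in reply: %r" % reply)
    host, _port = parse_host_port(m.group(1))
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in RFC1918)

if __name__ == "__main__":
    # Constructed values: the server sees the client's NAT address 203.0.113.7,
    # while the client itself sits on 192.168.1.50 behind its own router.
    peer = "203.0.113.7"
    for arg in ("192,168,1,50,19,137",   # client sent its LAN address
                "203,0,113,7,19,137"):   # client-side NAT rewrote the command
        verdict = "accepted" if port_command_allowed(arg, peer) else \
                  "rejected: Only client IP address allowed for PORT command"
        print("PORT", arg, "->", verdict)
    # Passive mode: the same server advertising its LAN IP versus its WAN IP.
    for ip in ("10.0.0.5", "198.51.100.20"):
        reply = pasv_reply(ip, 50000)
        print(reply, "-> reachable from outside:", pasv_target_reachable(reply))
```
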