IIS FTP Server - IIS PASV FTP stalls behind Windows Firewall

Tony Nelson

2006-08-27, 1:21 am

I am using the FTP service on an up-to-date WinXP SP2 with Windows
Firewall. When I connect to it from Fetch 3.0.3 in PASV mode over my
LAN the data connection stalls part way through the directory listing.
I can get it to work by disabling the Windows Firewall, or by using PORT
and disabling the Mac's firewall. I have added a Program Exception for
inetinfo.exe, but that had no effect on the problem. Restarting the FTP
service has no effect either.

Is there some other thing I need to do?

Is this a bug, and if so where should I report it?
________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>

Allen

2006-08-27, 1:21 am

Some reading for you

http://slacksite.com/other/ftp.html

http://support.microsoft.com/?id=555022

http://support.microsoft.com/?kbid=323446

http://support.microsoft.com/kb/817829

http://support.microsoft.com/?kbid=810639

Do a search for "Passive Mode FTP" at Microsoft, Yahoo, and/or Google.


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-0C308A.20123026082006@msnews.microsoft.com...
>I am using the FTP service on an up-to-date WinXP SP2 with Windows
> Firewall. When I connect to it from Fetch 3.0.3 in PASV mode over my
> LAN the data connection stalls part way through the directory listing.
> I can get it to work by disabling the Windows Firewall, or by using PORT
> and disabling the Mac's firewall. I have added a Program Exception for
> inetinfo.exe, but that had no effect on the problem. Restarting the FTP
> service has no effect either.
>
> Is there some other thing I need to do?
>
> Is this a bug, and if so where should I report it?
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Tony Nelson

2006-08-27, 1:21 am

Probably you are confused about my post. If you have a question about
it, please ask. I already know what PASV mode is, so your reading list
is not pertinent. I just want to find out how to get the IIS FTP server
to work with the Windows Firewall, when I have already set a Program
exception for inetinfo.exe.

If anyone understands my issue, please chime in.


In article <eGajhQXyGHA.2572@TK2MSFTNGP06.phx.gbl>,
"Allen" <NOYB@NOYB.org> wrote:
> Some reading for you
>
> http://slacksite.com/other/ftp.html
>
> http://support.microsoft.com/?id=555022
>
> http://support.microsoft.com/?kbid=323446
>
> http://support.microsoft.com/kb/817829
>
> http://support.microsoft.com/?kbid=810639
>
> Do a search for "Passive Mode FTP" at Microsoft, Yahoo, and/or Google.
>
>
> "Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
> news:*firstname*nlsnews-0C308A.20123026082006@msnews.microsoft.com...
________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>

Allen

2006-08-27, 1:21 am

You asked: "Is there some other thing I need to do?"

Yes, there is: fully understand how passive mode FTP works for both your FTP
Server and the FTP Client used to access it, so you can configure your
systems and firewalls correctly. The reading list can help immensely,
unless you are too lazy to read and study and just want everything
spoon-fed to you.


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-CF275C.21112426082006@msnews.microsoft.com...
> Probably you are confused about my post. If you have a question about
> it, please ask. I already know what PASV mode is, so your reading list
> is not pertinent. I just want to find out how to get the IIS FTP server
> to work with the Windows Firewall, when I have already set a Program
> exception for inetinfo.exe.
>
> If anyone understands my issue, please chime in.
>
>
> In article <eGajhQXyGHA.2572@TK2MSFTNGP06.phx.gbl>,
> "Allen" <NOYB@NOYB.org> wrote:
>
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Tony Nelson

2006-08-27, 1:21 am

Allen, I will respond in detail. Anyone else, please read my original
post and respond to it.


As my post showed, I already know what PASV FTP is. This article is not
pertinent.

I stated that I'm using WinXP. This article is for Windows Server 2000
and 2003, and is not pertinent for WinXP. It discusses limiting the
offered port range. This is also not pertinent. The problem I'm having
is with the Windows Firewall, which this article does not mention. This
article is not pertinent.

This article is about Internet Explorer, on Windows Server 2003. I am
not connecting with Internet Explorer. I am connecting with Fetch 3.0.3
from a Mac. This article is not pertinent.

This article is about Internal SecureNAT and Internet Security and
Acceleration Server (ISA) Firewall on a client. I am using a Mac. This
article is not pertinent.

This article applies to Windows 2000 Advanced Server. I am using
Windows XP. This article is not pertinent.

None of the articles you posted are pertinent to my configuration.
Before responding again, pick only articles that apply to Windows XP
SP2, IIS FTP server, Windows Firewall, and PASV mode. As I stated in my
original post below, the IIS FTP server works in PASV mode if the
Windows Firewall is disabled. IIS FTP server should work with the
Windows Firewall enabled. I hope that someone who understands this
issue responds with how to do it.


In article <O6AjbkXyGHA.3656@TK2MSFTNGP04.phx.gbl>,
"Allen" <NOYB@NOYB.org> wrote:
> You asked: "Is there some other thing I need to do?"
>
> Yes, there is: fully understand how passive mode FTP works for both your FTP
> Server and the FTP Client used to access it, so you can configure your
> systems and firewalls correctly. The reading list can help immensely,
> unless you are too lazy to read and study and just want everything
> spoon-fed to you.
>
>
> "Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
> news:*firstname*nlsnews-CF275C.21112426082006@msnews.microsoft.com...
>
>

________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>

Allen

2006-08-27, 1:21 am

All of those articles talk about how passive mode FTP control and data
channels are set up and what ports need to be accessible and in which
directions etc. - firewall

All are pertinent.


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-23E279.22162026082006@msnews.microsoft.com...
> Allen, I will respond in detail. Anyone else, please read my original
> post and respond to it.
>
>
> As my post showed, I already know what PASV FTP is. This article is not
> pertinent.
>
>
> I stated that I'm using WinXP. This article is for Windows Server 2000
> and 2003, and is not pertinent for WinXP. It discusses limiting the
> offered port range. This is also not pertinent. The problem I'm having
> is with the Windows Firewall, which this article does not mention. This
> article is not pertinent.
>
>
> This article is about Internet Explorer, on Windows Server 2003. I am
> not connecting with Internet Explorer. I am connecting with Fetch 3.0.3
> from a Mac. This article is not pertinent.
>
>
> This article is about Internal SecureNAT and Internet Security and
> Acceleration Server (ISA) Firewall on a client. I am using a Mac. This
> article is not pertinent.
>
>
> This article applies to Windows 2000 Advanced Server. I am using
> Windows XP. This article is not pertinent.
>
> None of the articles you posted are pertinent to my configuration.
> Before responding again, pick only articles that apply to Windows XP
> SP2, IIS FTP server, Windows Firewall, and PASV mode. As I stated in my
> original post below, the IIS FTP server works in PASV mode if the
> Windows Firewall is disabled. IIS FTP server should work with the
> Windows Firewall enabled. I hope that someone who understands this
> issue responds with how to do it.
>
>
> In article <O6AjbkXyGHA.3656@TK2MSFTNGP04.phx.gbl>,
> "Allen" <NOYB@NOYB.org> wrote:
>
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Bernard Cheah [MVP]

2006-08-28, 7:30 am

Arrgghh, so you got 2 firewalls in place.......
Does it work with just Windows Firewall on with the inetinfo.exe exception?
As for the passive port range, I don't think it applies to Win XP. I think I
have tested that in the past.

I have seen other users claiming that setting up the exception works, but I
have also seen others claim that it is not working for them.
For my own test in the past, it works with exception turned on.

Whether it is a bug or not - no idea. You can try Microsoft PSS and engage
their support.
Note: you might need to pay $$ upfront.


--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-0C308A.20123026082006@msnews.microsoft.com...
>I am using the FTP service on an up-to-date WinXP SP2 with Windows
> Firewall. When I connect to it from Fetch 3.0.3 in PASV mode over my
> LAN the data connection stalls part way through the directory listing.
> I can get it to work by disabling the Windows Firewall, or by using PORT
> and disabling the Mac's firewall. I have added a Program Exception for
> inetinfo.exe, but that had no effect on the problem. Restarting the FTP
> service has no effect either.
>
> Is there some other thing I need to do?
>
> Is this a bug, and if so where should I report it?
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Tony Nelson

2006-08-28, 7:31 pm

In article <OpM1zpmyGHA.3568@TK2MSFTNGP03.phx.gbl>,
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote:

> Arrgghh, so you got 2 firewalls in place.......
> Does it work with just Windows Firewall on with the inetinfo.exe exception?


No.

The client can LS in PASV mode with the Windows Firewall off.
The client can LS in PORT mode with the client's firewall off.

The client cannot LS in PASV mode with the Windows Firewall on, even if
the client firewall is off.

> As for the passive port range, I don't think it applies to Win XP. I think I
> have tested that in the past.


The only use for restricting the PASV port range would be to make it
small enough that the ports could be manually opened in Windows
Firewall. I also don't know if it can be done in WinXP.


> I have seen other users claiming that setting up the exception works, but I
> have also seen others claim that it is not working for them.


I had seen that also.

> For my own test in the past, it works with exception turned on.


Was rebooting required? (I expect not.) I did try restarting the FTP
service.

It sounds like a bug somewhere between the FTP server and the Windows
Firewall. The Windows Firewall log does not show any dropped packets
for that port. ISTM that Windows Firewall has the port half-open, in a
confused state. I don't have enough (modern or WinTel) machines to try
to view the traffic on the wire.


> Whether it is a bug or not - no idea. You can try Microsoft PSS and engage
> their support.
> Note: you might need to pay $$ upfront.


Can I report a bug without paying money? I do own a legal copy of WinXP.

Thank you for your help.


> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
> news:*firstname*nlsnews-0C308A.20123026082006@msnews.microsoft.com...
>
>

________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>
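
Added example (not part of any post in this thread): the point above about restricting the PASV port range so the ports can be opened manually can be checked from a client-side control-channel log. The Python below parses `227` replies per RFC 959 and reports whether each advertised data port falls inside a set of inbound port openings. The transcript, addresses and port ranges are constructed, and only port openings are modelled, not a per-program exception such as the one for inetinfo.exe.

```python
import re

# RFC 959: a 227 reply carries h1,h2,h3,h4,p1,p2 and the data port is p1*256 + p2.
# The look-around guards stop the pattern matching inside a longer digit run.
_PASV_FIELDS = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_pasv_reply(line):
    """Return (host, port) advertised by a '227 Entering Passive Mode' reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    match = _PASV_FIELDS.search(line)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    fields = [int(x) for x in match.groups()]
    if any(value > 255 for value in fields):
        raise ValueError("field out of range in: %r" % line)
    host = ".".join(str(value) for value in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def port_allowed(port, openings):
    """openings: inclusive (low, high) TCP ranges opened inbound on the server."""
    return any(low <= port <= high for low, high in openings)


def audit_session(control_lines, openings):
    """List (host, port, covered) for every 227 reply in a control transcript."""
    findings = []
    for line in control_lines:
        if line.startswith("227"):
            host, port = parse_pasv_reply(line)
            findings.append((host, port, port_allowed(port, openings)))
    return findings


# Constructed control-channel transcript (client commands and server replies).
SAMPLE_CONTROL = [
    "220 Microsoft FTP Service",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,19,137).",
    "LIST",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,4,15).",
    "LIST",
]

# Constructed openings: the control port plus a small manually opened data range.
OPENINGS = [(21, 21), (5001, 5010)]

if __name__ == "__main__":
    for host, port, covered in audit_session(SAMPLE_CONTROL, OPENINGS):
        status = "covered" if covered else "NOT covered by a port opening"
        print("%s:%d %s" % (host, port, status))
```

A data port reported as not covered is one the firewall will only pass if some other rule, such as a program exception, applies to the listening process.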

Bernard Cheah [MVP]

2006-08-29, 7:27 am

> Can I report a bug without paying money? I do own a legal copy of WinXP.

You can try to call the local MS office and see what they recommend...
For standard MS PSS support, even if you have a legal copy, this is like a
support case to them. I don't think you have a support contract with them, so
you need to open a case - that will cost, err, 245 USD or something equivalent
in your local currency. This is just an upfront payment; if they discover
that this is a bug, they will refund it. If it's a pure configuration issue,
hehe, you will pay for it.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-74ABD8.13501228082006@msnews.microsoft.com...
> In article <OpM1zpmyGHA.3568@TK2MSFTNGP03.phx.gbl>,
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote:
>
>
> No.
>
> The client can LS in PASV mode with the Windows Firewall off.
> The client can LS in PORT mode with the client's firewall off.
>
> The client cannot LS in PASV mode with the Windows Firewall on, even if
> the client firewall is off.
>
>
> The only use for restricting the PASV port range would be to make it
> small enough that the ports could be manually opened in Windows
> Firewall. I also don't know if it can be done in WinXP.
>
>
>
> I had seen that also.
>
>
> Was rebooting required? (I expect not.) I did try restarting the FTP
> service.
>
> It sounds like a bug somewhere between the FTP server and the Windows
> Firewall. The Windows Firewall log does not show any dropped packets
> for that port. ISTM that Windows Firewall has the port half-open, in a
> confused state. I don't have enough (modern or WinTel) machines to try
> to view the traffic on the wire.
>
>
>
> Can I report a bug without paying money? I do own a legal copy of WinXP.
>
> Thank you for your help.
>
>
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Tony Nelson

2006-08-29, 7:27 am

In article <usl4s4xyGHA.1288@TK2MSFTNGP03.phx.gbl>,
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote:

>
> You can try to call the local MS office and see what they recommend...
> For standard MS PSS support, even if you have a legal copy, this is like a
> support case to them. I don't think you have a support contract with them, so
> you need to open a case - that will cost, err, 245 USD or something equivalent
> in your local currency. This is just an upfront payment; if they discover
> that this is a bug, they will refund it. If it's a pure configuration issue,
> hehe, you will pay for it.


Well, if neither you nor I know of a way to report bugs, then likely
there isn't one. Tough for Microsoft. It is rather a security issue,
since the workaround is to turn off their Windows Firewall.
________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>

Bernard Cheah [MVP]

2006-08-30, 7:32 am

LOL..but it should work when exception is defined for inetinfo.exe, right?
I will ping around and see if any MS ppl like to verify this internally.


--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
news:*firstname*nlsnews-919145.00570329082006@msnews.microsoft.com...
> In article <usl4s4xyGHA.1288@TK2MSFTNGP03.phx.gbl>,
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote:
>
>
> Well, if neither you nor I know of a way to report bugs, then likely
> there isn't one. Tough for Microsoft. It is rather a security issue,
> since the workaround is to turn off their Windows Firewall.
> ________________________________________
________________________________
> TonyN.:' *firstname*nlsnews@georgea*lastname*.com
> ' <http://www.georgeanelson.com/>



Tony Nelson

2006-08-31, 1:36 am

In article <e6cXx2$yGHA.3656@TK2MSFTNGP04.phx.gbl>,
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote:

> LOL..but it should work when exception is defined for inetinfo.exe, right?
> I will ping around and see if any MS ppl like to verify this internally.


Perhaps it should, but it does not work here. It appears that the data
port is half-open, able to send packets but not receive ACKs, so it
stalls after a partial directory listing. I don't have enough (Wintel)
computers here to verify that on the wire.


> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "Tony Nelson" <*firstname*nlsnews@georgea*lastname*.com> wrote in message
> news:*firstname*nlsnews-919145.00570329082006@msnews.microsoft.com...
>
>

________________________________________
________________________________
TonyN.:' *firstname*nlsnews@georgea*lastname*.com
' <http://www.georgeanelson.com/>

Ron P

2006-09-07, 7:44 pm


Hi,

I just switched to Windows Firewall after using ZoneAlarm Firewall
(which had no problems with FTP).

Am having the same problem with Win XP Service Pack 2 (and all MS
updates) and Windows Firewall NOT allowing exception to allow an
application (FTP) or telnet to pierce the firewall. When searching on
the internet for a solution, I came upon this discussion. This is a bug
with Win XP/Win Firewall I am sure as I then tried my old computer with
same FTP configuration and FTP worked. When setting the exception
within Windows Security Center/Windows Firewall, the FTP program is
properly listed, but it does not allow FTP to work at all. Connection
fails. Even after specifically making another exception (just to be
sure) for Port 21, FTP connect still fails.

The Windows Firewall exceptions dialog is not working as it should.




*** Sent via Developersdex http://www.codecomments.com ***

Ron P

2006-09-07, 7:44 pm



I found an answer to the problem for me at another site.
Symantec/Norton Antivirus has "Internet Worm Protection" (which
previously didn't interfere). They mentioned this problem, so I tried
turning Norton Internet Worm Protection off and my FTP program is
working just fine! So, I was mistaken. It was not Windows Firewall,
but rather Norton's Internet Worm Protection. And with that, even after
setting Internet Worm Protection to allow my FTP program, it did not. I
had to turn it off to get the FTP to work. Hope this helps any who are
having this problem.

*** Sent via Developersdex http://www.codecomments.com ***

Ron P

2006-09-07, 7:44 pm



sorry for the three posts.

By going to FTP Planet, I found how to get Norton's Internet Worm
Protection to allow FTP. You have to go to the Internet Worm
Protection: Trojan rules and all the way down at the bottom of the list
there is a checked box for "Unused Windows Services BLock" which needs
to be unchecked. THEN, Internet Worm Protection allows the FTP.
Windows Firewall has nothing to do with it at least in my situation,
though it appeared to be that.

See:

http://www.ftpplanet.com/ubb/Forum5/HTML/000577-2.html

*** Sent via Developersdex http://www.codecomments.com ***

Bernard Cheah [MVP]

2006-09-16, 1:42 pm

That could apply to you, but many users don't have Norton Internet Worm
Protection, yet are stuck with the same error.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Ron P" <anonymous@devdex.com> wrote in message
news:ugte24o0GHA.4648@TK2MSFTNGP04.phx.gbl...
>
>
> sorry for the three posts.
>
> By going to FTP Planet, I found how to get Norton's Internet Worm
> Protection to allow FTP. You have to go to the Internet Worm
> Protection: Trojan rules and all the way down at the bottom of the list
> there is a checked box for "Unused Windows Services BLock" which needs
> to be unchecked. THEN, Internet Worm Protection allows the FTP.
> Windows Firewall has nothing to do with it at least in my situation,
> though it appeared to be that.
>
> See:
>
> http://www.ftpplanet.com/ubb/Forum5/HTML/000577-2.html
>
> *** Sent via Developersdex http://www.codecomments.com ***




Copyright 2003 - 2008 webservertalk.com