Firewall SPI

Forum about other Home automation topics which can not be categorized in any other forum. So this needs to be Home automation Domotica related! (otherwise use Off Topic)
TANE
Forum Moderator
Posts: 4806
Joined: Fri Apr 06, 2007 9:46 pm
Location: Netherlands

Firewall SPI

Post by TANE »

In the last weeks I had some problems uploading / downloading files via FTP to some FTP sites.

Problem was a setting in my new router.
After disabling this option FTP is working fine again.
Why is this option only blocking some FTP sessions and not other traffic?


Help file of this option:

Firewall Settings
Enable SPI
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.
Willem4ever
Global Moderator
Posts: 805
Joined: Mon Oct 30, 2006 3:48 pm
Location: Uithoorn / Netherlands

Firewall SPI

Post by Willem4ever »

Hi Chak,

Try passive FTP ..... Below is a description of how FTP works. By reading it you can probably figure out why active mode most likely is not going to work. The firewall basically has to examine the data on port 21 to figure out which ports need to be opened for the data stream.

FTP runs exclusively over TCP. FTP servers by default listen on port 21 for incoming connections from FTP clients. A connection to this port from the FTP Client forms the control stream on which commands are passed to the FTP server from the FTP client and on occasion from the FTP server to the FTP client. FTP uses out-of-band control, which means it uses a separate connection for control and data. Thus, for the actual file transfer to take place, a different connection is required which is called the data stream. Depending on the transfer mode, the process of setting up the data stream is different.

In active mode, the FTP client opens a dynamic port (49152-65535), sends the FTP server the dynamic port number on which it is listening over the control stream and waits for a connection from the FTP server. When the FTP server initiates the data connection to the FTP client it binds the source port to port 20 on the FTP server.
In order to use active mode, the client sends a PORT command, with the IP and port as argument. The format for the IP and port is "h1,h2,h3,h4,p1,p2". Each field is a decimal representation of 8 bits of the host IP, followed by the chosen data port. For example, a client with an IP of 192.168.0.1, listening on port 49154 for the data connection will send the command "PORT 192,168,0,1,192,2". The port fields should be interpreted as p1×256 + p2 = port, or, in this example, 192×256 + 2 = 49154.

In passive mode, the FTP server opens a dynamic port (49152-65535), sends the FTP client the server's IP address to connect to and the port on which it is listening (a 16 bit value broken into a high and low byte, like explained before) over the control stream and waits for a connection from the FTP client. In this case the FTP client binds the source port of the connection to a dynamic port between 49152 and 65535.
To use passive mode, the client sends the PASV command to which the server would reply with something similar to "227 Entering Passive Mode (127,0,0,1,192,52)". The syntax of the IP address and port are the same as for the argument to the PORT command.

source: http://en.wikipedia.org/wiki/File_Transfer_Protocol
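As an added example (not part of the post above or of the Wikipedia text it quotes), the Python below decodes and encodes the "h1,h2,h3,h4,p1,p2" argument of the PORT command and the 227 reply, and derives from each control-channel line which data connection a stateful firewall would have to permit. The sample lines and addresses are constructed; the function names are my own.

```python
from __future__ import annotations
import re
from ipaddress import IPv4Address

# Matches the "h1,h2,h3,h4,p1,p2" argument used by both the client's PORT
# command and the server's "227 Entering Passive Mode (...)" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(arg: str) -> tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(arg)
    if m is None:
        raise ValueError(f"not a valid host-port argument: {arg!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # every field carries exactly 8 bits
        raise ValueError(f"field out of 8-bit range: {arg!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: build the six-field PORT/PASV argument."""
    if not 0 < port <= 65535:
        raise ValueError("port must be in 1..65535")
    octets = str(IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def expected_data_connection(line: str, client_ip: str, server_ip: str):
    """For one control-channel line, return the data connection a stateful
    firewall must allow as (src_ip, dst_ip, dst_port), or None if the line
    does not set up a data connection (e.g. USER, RETR)."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        # Active mode: the server connects back to the client's announced port.
        ip, port = decode_hostport(text[5:])
        return (server_ip, ip, port)
    if text.startswith("227 "):
        # Passive mode: the client connects to the server's announced port.
        ip, port = decode_hostport(text)
        return (client_ip, ip, port)
    return None


def data_connections(control_lines, client_ip: str, server_ip: str) -> list:
    """Walk a captured control channel and collect every data connection
    the firewall would have to open; this is the work an FTP-aware SPI
    firewall does on port 21."""
    found = [expected_data_connection(l, client_ip, server_ip) for l in control_lines]
    return [c for c in found if c is not None]
```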
TANE
Forum Moderator
Posts: 4806
Joined: Fri Apr 06, 2007 9:46 pm
Location: Netherlands

Firewall SPI

Post by TANE »

Willem,
Thanks for the explanation.
Passive mode also did not help.
I also had some problems with the VMware Server 1.05 remote console.
VMware is using port 902.
This is the only port used. When SPI is active, the VMware console also will not work from a remote connection.