router and ftp server.

Discussion in 'Windows Desktop Systems' started by mafiafromrussia, Oct 7, 2002.

  1. i'm behind linksys router, and i had problems with one app not connecting to internet because of built in firewall. i used port forwarding and it worked. then i learned DMZ feature, when i did that i didnt need any kind of forwarding.

    now the question is, why is that not enough for serv-u ftp server to work fine?

    users could connect to server but not download something. then after screwing around with it i found out that if i use
    "allow passive mode data transfers, use ip :xxx.xxx.xxx.xxx" and if i put my isp assigned ip it works. even though i have dsl my ip is dynamic and changes. do i just have to update my ip in that setting box every time i want ftp to work? or is there another way?
     
  2. Zedric

    Zedric NTFS Guru Folding Team

    Messages:
    4,006
    Location:
    Sweden
    DMZ is not a good way to go. It nullifies any extra security the router provides. Try using a specific PASV port range in the FTP server and forward these in the router. Also forward port 20 and 21.
     
  3. koko

    koko Got Root?

    Messages:
    577
    Location:
    Columbia, S.C.
    mafiafromrussia, zedric is absolutely correct.

    i have a linksys router, use serv-u ftp 4.0 and run an ftp site. you must use passive mode and forward ports 21, 50000 - 50100.

    i'm sure you also know that unless your wanip is static, you'll have to use a service to keep it updated.

    i use this place. it's free!
     
  4. well i don't mind losing any security features. i just don't like the idea of opening ports all the time i want to play net game or use p2p program.

    ok i have enabled port 21 forward (it said ftp there) btw i run my ftp server on port 31300. and why should i forward 50000 to 50100? what's up there? also i don't really care about having link from dyndns. i don't have my ftp up 24/7 i just sometimes use it to share files with friends and other people, and i want it working with simple opening of program
     
  5. Zedric

    If you run on 31300, forward that instead of 21 (why 31300 anyway?? 21 is standard FTP). 50000-50100 is the PASV port range I talked about. Add these somewhere in the FTP server.
     
  6. well i use 31300, just in case, because as u said 21 is standard, i don't want it to be that easy, and will try that 50000 thing when i get home from work after college :(
     
  7. koko

    if you're using port 31300, then forward it instead of 21. 21 is simply the default ftp port. in order to get serv-u ftp working correctly, you've gotta open those passive mode ports (50000-50100).

    after these changes, it should work.
     
  8. all right, did all that. another question though. won't DMZing computer kind of make forwarding useless?
     
  9. koko

    i do not have dmz host enabled and would not recommend doing this. by using dmz, you are basically bypassing the router and allowing anyone to access your machine. what's the point of having a router if you're going to open yourself to everyone in the world?

    that's one of the main points of having a router...security. ;)
     
  10. well forwarding port and range from 50000-50100 did not help me at all. no one could even connect to ftp. but oh well i'll be just inputting the new ip every time i open it, it's much easier.

    and for me the main reason 4 getting a router is sharing dsl connection on 2 computers+making network so i can share files or play lan games. not the security
     
  11. Zedric

    Yes. It's pretty much like forwarding all the ports.
     
  12. thats what i figured pretty much. thanks
     
  13. koko

    after opening ports 50000-50100, did you also check the use passive mode in serv-u ftp software? you have to do that.

    when users try to connect, they do NOT use passive mode in the client software.

    i know this set up works with the linksys router, 'cause that's how i have mine set up. i have 33 happy users. :)
     
  14. so when using cute ftp pro 2.0 they gotta change from PASV to PORT ? i didn't think of that. will try it out again tonight. thanks for the help, i hope it works this time
     
  15. keylo

    keylo Guest

    ok, let's clear this up a bit....

    Zedric you have the right idea, BUT... those ports you mentioned best work with G6/BPFTP. If you are using ServU, you will have to open a range of ports like 1024-65535. Now before you jump up and down after seeing that range, let me explain some things as far as linksys and ftp servers (and other applications).

    Ok, you need to understand what PASV mode transfer is, i am not going to explain it here, that is what google is for ;) . Now, port forwarding should only be used when you want a port or range open ALL THE TIME. DMZ should only be used on a pc that you use as a gateway for a hub, but nevermind that biz, back to the ftp prob.

    First of all, you DON'T have to PORT FORWARD any other ports other than 21 or the port that the server resides on to allow ppl to logon and get a LISTing. For this just tell your users to turn off PASV mode transfers, which is default on a lot of ftp clients. OR, you can tell them to use an option IP MASQ/NON Routeable IP, if that option is available. These two suggestions will allow a user to use the LIST command on a server behind a router/NAT, without having to go thru these necessary steps for PASV mode.

    Now if you want the server to work with PASV mode, you will need to do the following if you have ServU. On your browser config for linksys, go to the advanced/forwarding tab. Next, hit the port triggering button towards the bottom (this feature is only available to firmware 139 or higher i believe). When the window pops up, this is where you put your 1024 ~ 65535 range in both sets of boxes. For the Application name, just put ServUAdmin.exe, or something in reference to servU, so that in the future you know just what the heck you did this for. Also to note, make SURE you have disabled, or turned off the DMZ host, or this will confuse the router, and make it think that it is the DMZ host still, causing this not to be of any use. Also this will leave you to other vulnerabilities such as NetBios attacks, UPnP, and other vulnerabilities.

    Now, for all you ppl worried about security with your linksys, you need to really read about this feature, it is not perfected by any means. This feature does NOT open this range on the router all the time, only when a request echo is sent out from an application behind the NAT to the client is received. If you still have worries after doing all this, just go to www.grc.com and you will see that this range should still be stealthed or closed, unless you have forwarded other ports in the PORT FORWARDING (not the port triggering). Back to the rest of the solution....

    Now that you have set up the router, it is time to set up the server to recognize a request. If using ServU 4, which i recommend for a few reasons rather than BPFTP, you need to navigate to the SETTINGS under the DOMAINS "+". Then go to the advanced tab. Here you will see something that says "allow passive mode data transfers, use this ip". Put a check in the box, and then type in your modem's ip (not your router assigned IP). If your ISP is DHCP and you are not sure of your modem's IP (not your router assigned IP), then go to www.dslreports.com/whois and find out your IP address.

    This solution should clear up your problem, and still leave your pc "protected". Reply and let me know if you found this useful. All complaints and b*tching welcomed. :cool:
     
  16. Zedric

    Ok, you asked for it. :)
    1024-65536 are really almost all ports since there are only 65536 ports. Does ServU really need all of them? Can't you limit the port range (like in G6 you mentioned)?
     
  17. hey keylo thanks for that more detailed explanation. what i found to work is that if i go to that advanced tab and check allow pasv for this ip and i put my ip in there. i absolutely do not need to forward anything at all (also i have dmz for this computer at all times). the users used cute ftp pro 2 with pasv setting. and have been able to list and download files. i was just wondering if i could do it some easier way, except putting new ip there i want to use it. but as it seems that i gotta go through the trouble of opening ports i think i'll handle updating ip all the time on my own. and i need dmz feature enabled for this computer because i use various p2p programs and play internet games.

    thank you all for your suggestions, i've also learned couple new things doing this. thank you.
     
  18. Zedric

    Well theoretically DMZ is just like not having the router at all...
     
  19. but isn't router's function is to share internet connection more efficiently? cuz i really do not need a firewall here at all. i just don't think that a hacker, and by that i don't mean those little **** heads with trojans trying to get into your pc, because for them to do that it has to be your fault in installing it plus AV picks them up. and there's really nothing important on my computer for true hacker to be hacking my computer. i just don't want to use ICS cuz it's bad.
     
  20. Zedric

    A router's function is to share the connection at all. Since almost all ISP:s will only give you one IP, you need to use a NAT router (standalone or with ICS) to supply internal IP:s for your network. DMZ (virtually) puts your computer "outside" the router, almost as if you were running ICS on it without a hardware router.