FTP PORT Command problem stumped me

Discussion in 'Computer Support' started by Atreju, Dec 14, 2006.

  1. Atreju

    Atreju Guest


    I've got a server running Serv-U FTP. I have a Sonicwall firewall.

    I have been getting some hammer attempts, so I decided to block the
    default FTP ports and use a custom port.

    I set up a service in my firewall and it is being forwarded as would be
    port 21. The NAT is not a problem, it is getting through successfully
    to the internal server. However: I'm getting this error:

    "only client ip address allowed for port command"

    When trying to connect from outside.

    I assume this has something to do with my firewall, because from
    inside it's not a problem.

    I need a solution - firstly, do I use "passive" transfers? For the
    life of me I've never been able to see a consistent behavior with
    either yes or no. If I am to use passive transfers, Serv-U has a
    checkbox "allow passive transfer mode, use the following IP" and
    there's a box for an IP. The client is connecting to my server using a
    dynamic DNS name, and my system COULD in theory get a new IP address,
    so I don't know how I would use an IP address in this field... and I
    don't know what I would use anyway - my WAN IP, local IP what?

    Basically, I just need this to work.
    Any suggestions please are very welcome, thanks.

    Atreju, Dec 14, 2006

  2. Atreju

    why? Guest

    Server should be a static address on your LAN.
    Block ports and custom port, should that be custom ports?

    Don't forget it's port 21 commands and maybe port 20 for data.
    www.google.com for the above?

    Only client IP address allowed for PORT command
    Only client IP address allowed for PORT command SmartFTP :: Support ::
    Knowledge Base.
    www.smartftp.com/support/kb/only-client-ip-allowed-for-port-f22.html -
    11k - Cached - Similar pages

    SmartFTP Knowledge Base Export
    Only client IP address allowed for PORT command, #22. The server is
    blocking foreign IP addresses in a FXP attempt. If SmartFTP cannot
    resolve the problem ...
    www.smartftp.com/support/kb/export.php - 227k - Cached - Similar pages
    [ More results from www.smartftp.com ]

    For a FW, PASV. IIRC the FTP external client creates the 2 connections
    rather than the FW having to filter.

    You may have to allow port 21 for the initial command connection, then
    the client requests PASV and the client / server does the open 2 ports
    over 1023.

    Again www.google.com there are a lot of articles about it.

    Sign up for the DynDNS fixed address, if your IP doesn't change often.
    Try http://www.portforward.com/routers.htm even if there isn't an entry
    for your FW/Router the basics are the same.

    The port forwarding is the WAN IP (DynDNS entry) to the static IP of the
    Try harder :)

    Not forgetting www.google.com

    Port Forwarding on the Sonicwall TZ-150 Wireless Router
    Port forwarding setup for Sonicwall TZ-150 Wireless Internet router.
    Step 2: In the menu on the left side of the page, look for the Firewall
    menu and then ...
    www.no-ip.com/support/guides/routers/sonicwall.html - 15k - Cached -
    Similar pages

    SonicWALL Firewall Router Setup. Firewall SonicWALL technical ...
    SonicWALL Hardware Firewall Setup. Managed SonicWALL Firewall Services
    by Farpost.NET.
    www.farpost.com/sonicwall_firewall_setup.php - 12k - Cached - Similar

    Sonicwall SOHO Internet Security Appliance - PracticallyNetworked.com
    You won't find this feature in the SOHO, since SonicWall's focus is ...
    Port Range Forwarding: You can set access rules on up to 128 single TCP,
    UDP, ...
    www.practicallynetworked.com/review.asp?pid=337 - 122k - Cached -
    Similar pages

    Firewalls: Sonicwall "Enhanced" port forwarding...
    I hope I'm just being stupid. I have a sonicwall 4060, and it has the
    Sonicwall Enhanced firmware on it. I have forwarded ports successfully
    on early models ...
    www.experts-exchange.com/Security/Firewalls/Q_21709204.html - 60k -
    Cached - Similar pages

    why?, Dec 14, 2006

  3. Atreju

    Atreju Guest

    It is, of course
    I may have resolved the problem - it seems there's an inherent problem
    in having NAT on both sides, where one won't translate the ephemeral
    ports for passive mode. What I did was create a NAT policy so the
    server is really listening on the default ports 21 and 20 (so there's
    nothing to have to translate on the way out - the NAT traversal
    happens for FTP by default apparently) and the client has to access it
    by using the custom port. It seems to be working (well, only for one
    piece of software but I probably just need to reconfigure something in
    the other).
    Plenty of articles/posts/etc. but no actual solution except I just
    read an article which indicates there is really no easy solution. What
    I did seems to be the best way around the problem.

    Thanks for responding.

    Atreju, Dec 14, 2006
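
The check behind the "only client ip address allowed for port command" error, and the passive-mode address question raised in the first post, as an added example that is not part of the thread and is not Serv-U's code. All addresses are constructed samples, the function names and result strings are hypothetical, and the NAT explanation in the comments assumes the firewall's FTP helper only rewrites payloads on the default port.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def parse_host_port(arg):
    """Decode h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959)."""
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) != 6 or not all(re.fullmatch(r"[0-9]{1,3}", f) for f in fields):
        raise ValueError("expected six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("field out of range 0-255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def format_host_port(ip, port):
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])

def check_port(arg, control_peer):
    """Server-side rule: the address named in PORT must equal the address
    the control connection arrived from (blocks FXP / third-party targets)."""
    ip, _port = parse_host_port(arg)
    if ip == ipaddress.IPv4Address(control_peer):
        return "accept"
    # A private address from a public peer means the client's PORT payload
    # crossed NAT without being rewritten (assumed cause: control channel
    # on a custom port that the firewall's FTP helper does not inspect).
    return "reject-unrewritten-nat" if is_rfc1918(ip) else "reject-foreign-ip"

def pasv_reply(advertised_ip, port):
    """Build the 227 reply; advertised_ip is the value a server's
    'use the following IP' passive setting would supply."""
    return "227 Entering Passive Mode (%s)" % format_host_port(advertised_ip, port)

def pasv_usable_from_internet(reply):
    """Client-side view: a 227 reply naming an RFC 1918 address cannot be
    dialled from outside the server's LAN."""
    m = re.search(r"\(([0-9,\s]+)\)", reply)
    if not m:
        return False
    ip, _port = parse_host_port(m.group(1))
    return not is_rfc1918(ip)
```

The address in a 227 reply has to be one the client can reach, which is why a server behind NAT that advertises its LAN address fails for outside clients in passive mode.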