Vista firewall - Active FTP

Posted: 01-15-2008, 10:36 PM
I am confused about why the firewall in Vista is allowing active FTP
on my computer.

The Application Layer Gateway service is stopped.
My FTP client (FileZilla) is set to use Active FTP mode.
There is a rule set up to block unsolicited inbound TCP and UDP traffic
for FileZilla in the firewall.

When I do a directory listing, and a PORT command is issued, and the
server attempts to connect, it works, but at the same time a dialogue
appears telling me it's blocked, and I can keep blocking or unblock.
I choose keep blocking but it doesn't actually block it once.

I would like to find what is enabling the incoming connections, the
logs are giving nothing away.

Responses to "Vista firewall - Active FTP"

Alun Jones
Guest
Posts: n/a
 
Re: Vista firewall - Active FTP
Posted: 01-16-2008, 06:11 AM
<swnshp@gmail.com> wrote in message
news:192ac3d3-5848-46cb-adc2-74ba1ec6e32e@e6g2000prf.googlegroups.com...
> I am confused about why the firewall in Vista is allowing active FTP
> on my computer.
>
> The Application Layer Gateway service is stopped.
> My FTP client (FileZilla) is set to use Active FTP mode.
> There is a rule set up to block unsolicited inbound TCP and UDP traffic
> for FileZilla in the firewall.
>
> When I do a directory listing, and a PORT command is issued, and the
> server attempts to connect, it works, but at the same time a dialogue
> appears telling me it's blocked, and I can keep blocking or unblock.
> I choose keep blocking but it doesn't actually block it once.
>
> I would like to find what is enabling the incoming connections, the
> logs are giving nothing away.
Me too - my one good theory, that the Application Layer Gateway was opening
the firewall hole (because if you send a PORT command, the connection back
is not really an "unsolicited inbound TCP" packet?) got blown away when I
realised that the ALG service isn't actually running.

This may be one of those "special" behaviours that FTP has, like on a home
firewall/router that knows that FTP traffic goes on port 21, and therefore
opens ports and translates IP addresses, so that the FTP traffic "just plain
works".

Sadly, although FTP is very much my thing, I don't actually know why it lets
this traffic through even after you've told it to get blocked.

[The first time, you could note that you didn't hit "Keep Blocked" until
after the transfer had already started - but even if that was a valid
argument, subsequent transfers also go through. My firewall settings include
a "File Transfer Program" rule, but that points to
%windir%\system32\ftp.exe, and you're using FileZilla.]

I'd love to see a good explanation on this from Microsoft, too.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.


swnshp@gmail.com
Guest
Posts: n/a
 
Re: Vista firewall - Active FTP
Posted: 01-16-2008, 08:52 PM
On Jan 16, 6:11 am, "Alun Jones" <a...@texis.invalid> wrote:
> This may be one of those "special" behaviours that FTP has, like on a home
> firewall/router that knows that FTP traffic goes on port 21, and therefore
> opens ports and translates IP addresses, so that the FTP traffic "just plain
> works".
Yes, most home routers running Linux have the FTP helper module which looks at
the PORT commands and sets the appropriate NAT rules up and opens it up.
My assumption was this is what the ALG does, and so it shouldn't when stopped,
but yes, perhaps something else is doing this too.
> I'd love to see a good explanation on this from Microsoft, too.
Me too, I might want to block this activity.
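
The helper behaviour both posters describe (a module watching the port-21 control channel for PORT commands and opening the matching inbound hole) is easy to see in code. The following is an added example, not code from either poster: it parses PORT commands from a constructed control-channel transcript and reports the inbound endpoint an inspector would have to permit, plus the one check a firewall should make before permitting it. Function names and the sample session are assumptions for illustration.

```powershell
# Added example, not code from the thread. Shows what a stateful FTP inspector
# derives from the port-21 control channel: each PORT command names the address
# and port the server will connect back to, which is the inbound hole the
# firewall opens. The control-channel lines below are constructed.

function ConvertFrom-FtpPortCommand {
    param([Parameter(Mandatory)][string] $Line)

    # RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 -> host h1.h2.h3.h4, port p1*256+p2
    $pattern = '^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$'
    if (-not ($Line -match $pattern)) { return $null }

    $fields = 1..6 | ForEach-Object { [int]$Matches[$_] }
    # Every field is a single byte; anything larger is a malformed command
    if (@($fields | Where-Object { $_ -gt 255 }).Count -gt 0) { return $null }

    [pscustomobject]@{
        Address = ($fields[0..3] -join '.')
        Port    = $fields[4] * 256 + $fields[5]
    }
}

function Get-ExpectedActiveFtpPinholes {
    param(
        [Parameter(Mandatory)][string[]] $ControlChannelLines,
        [Parameter(Mandatory)][string]   $ClientAddress   # source address of the control connection
    )
    foreach ($line in $ControlChannelLines) {
        $target = ConvertFrom-FtpPortCommand -Line $line
        if ($null -eq $target) { continue }
        [pscustomobject]@{
            Command       = $line
            ExpectInbound = "$($target.Address):$($target.Port)"
            # An inspector should only open a hole toward the client that sent
            # the command; a PORT naming any other host is a third-party
            # transfer request and should be refused rather than passed.
            SameAsClient  = ($target.Address -eq $ClientAddress)
        }
    }
}

# Constructed client->server control-channel lines (what the engine watches on port 21)
$sampleSession = @(
    'USER anonymous',
    'PASS guest@',
    'PORT 192,168,1,20,4,1',        # 192.168.1.20:1025
    'LIST',
    'PORT 192,168,1,20,19,137',     # 192.168.1.20:5001
    'RETR readme.txt',
    'PORT 10,0,0,99,0,80',          # names a different host: SameAsClient is False
    'QUIT'
)

Get-ExpectedActiveFtpPinholes -ControlChannelLines $sampleSession -ClientAddress '192.168.1.20' |
    Format-Table -AutoSize
```

The third PORT line is the case worth logging: the engine only needs to permit a connection from the server to the client's own address and the named port, and a firewall that applies this check has a narrower exposure than one that simply admits the next inbound TCP connection after any PORT command.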
Alun Jones
Guest
Posts: n/a
 
Re: Vista firewall - Active FTP
Posted: 01-19-2008, 02:36 AM
<swnshp@gmail.com> wrote in message
news:fcf4016e-409e-4065-a9d4-1c2b02c281d8@t1g2000pra.googlegroups.com...
> On Jan 16, 6:11 am, "Alun Jones" <a...@texis.invalid> wrote:
>
>> This may be one of those "special" behaviours that FTP has, like on a home
>> firewall/router that knows that FTP traffic goes on port 21, and therefore
>> opens ports and translates IP addresses, so that the FTP traffic "just plain
>> works".
>
> Yes, most home routers running Linux have the FTP helper module which looks at
> the PORT commands and sets the appropriate NAT rules up and opens it up.
> My assumption was this is what the ALG does, and so it shouldn't when stopped,
> but yes, perhaps something else is doing this too.
Okay, it's almost completely undocumented, but here's what I think is going
on:

It _is_ something inside of the Windows Vista Firewall, called the
"connection inspection engine". As far as I can make out, there are two
connection inspection engines - one is for FTP, the other is for the PPTP
VPN protocol. It does exactly what you'd need to support FTP - no word as to
whether this is extended to ports other than 21 (or how, if it is), so I'd
assume that, like everyone else's FTP firewall modules, this only works on
port 21.
>> I'd love to see a good explanation on this from Microsoft, too.
>
> Me too, I might want to block this activity.
So, here's how you block it.

Open up the registry, and go down to key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
There's a value in there called "DisableStatefulFTP", set to 0.

If you want to disable the operation on the FTP channel, simply set
DisableStatefulFTP to 1. Not sure if you have to restart the firewall or
not.

[There's a DisableStatefulPPTP if you want to appear to allow PPTP, but
render it completely unusable, too.]

I can imagine this is almost undocumented because you either want to kill
FTP / PPTP completely (in which case, you just prevent their initial control
ports), or you want to allow them completely - you don't want to cripple
them so they almost nearly work.

But then, this raises another curious question ... if the firewall is doing
the stateful traffic inspection, and opening ports, what does the ALG
service do?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

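
The registry change Alun describes can be scripted so that the previous value is recorded and the result read back. This is an added example, not code from Alun or from the forum: it uses the key and value name from his post, and the optional restart of the Windows Firewall service (MpsSvc) is an assumption added here because the post itself is unsure whether a restart is required. Run it from an elevated PowerShell.

```powershell
# Added example, not from the thread: flips the DisableStatefulFTP value Alun
# describes under the key he names, recording what was there first.
$FirewallPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$ValueName         = 'DisableStatefulFTP'

function Get-StatefulFtpState {
    # Returns the current DWORD (0 = inspection engine on, 1 = off), or $null if absent
    $props = Get-ItemProperty -Path $FirewallPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Set-StatefulFtpInspection {
    param(
        [Parameter(Mandatory)][bool] $Enabled,
        [switch] $RestartFirewall   # assumption: restarting MpsSvc makes the change take effect
    )
    $before  = Get-StatefulFtpState
    $desired = if ($Enabled) { 0 } else { 1 }

    if ($null -eq $before) {
        # Value missing on this machine; create it as a DWORD like the one Alun found
        New-ItemProperty -Path $FirewallPolicyKey -Name $ValueName -Value $desired -PropertyType DWord | Out-Null
    } else {
        Set-ItemProperty -Path $FirewallPolicyKey -Name $ValueName -Value $desired
    }

    if ($RestartFirewall) {
        # The post is unsure whether a restart is needed; restarting the Windows
        # Firewall service removes the doubt at the cost of briefly stopping it.
        Restart-Service -Name MpsSvc -Force
    }

    [pscustomobject]@{
        Before = $before
        After  = Get-StatefulFtpState
    }
}

# Turn the FTP connection inspection engine off and show the before/after values
Set-StatefulFtpInspection -Enabled:$false -RestartFirewall
```

The same setting is also exposed, though the thread does not mention it, through the firewall's own command-line interface as `netsh advfirewall set global statefulftp disable` (and `statefulpptp` for the PPTP engine), which avoids editing the key by hand; either way, confirm the result by repeating the directory listing in FileZilla and checking that the server's data connection is now refused.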