I need advice on how to go about setting firewall rules to allow stateful FTP (Active FTP).

  • Question

  • Hi,

      I am currently involved in creating a Microsoft WFP based firewall application. It runs with Windows Firewall turned off. The primary function of this simple firewall is to block unsolicited IP traffic with exceptions (some servers are allowed unsolicited connects to the client). I have rules inserted in the ALE_AUTH_CONNECT and ALE_AUTH_ACCEPT layers to enable stateful filtering that allows traffic from established connections. I have rules in the IP_PACKET_INBOUND and IP_PACKET_OUTBOUND layers, inserted sometimes, that do a blanket block of all incoming and outgoing traffic with exceptions. Anyway, the application is in testing and we found out the firewall does not allow the data connection of an active FTP session to succeed. I am not sure what the best way of approaching this problem is. To rephrase: do any of you think this warrants writing a callout driver (a development effort we are trying to avoid), or do the WFP provided static filters suffice? Your sagely advice will be well appreciated.

    Thanks,

    Sujay


    • Edited by Sujay_Anand Thursday, May 26, 2011 3:36 PM Grammar
    Thursday, May 26, 2011 3:35 PM

All replies

  • One way to do this would be to allow %windir%\system32\ftp.exe full access through the firewall.
    • Proposed as answer by sb123123 Sunday, November 27, 2011 9:52 PM
    Wednesday, June 1, 2011 10:13 PM
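The reason static ALE filters cannot admit the active-mode data connection is that its destination port only exists after the client has sent a PORT (or EPRT) command on the control channel; the server then opens a brand-new inbound TCP connection to that port, which no pre-installed allow rule can name. Below is an added example, not code from the original thread, modelling in Python the two approaches discussed: the application-level gateway logic a callout driver would implement (inspect the outbound control stream, open a one-shot pinhole for the announced address, admit only that inbound connect) and the reply's static alternative of permitting everything for ftp.exe by application ID. The `FtpAlg`, `Pinhole` and `ftp_exe_app_rule` names, the rule that holes are only opened to the client's own address on an unprivileged port, and the IP addresses in the usage section are my assumptions and constructed sample data.

```python
"""Model of FTP ALG pinholing versus a per-application allow rule.

Added example for this thread (assumption-labelled, not the original poster's
code). It runs offline on constructed control-channel lines.
"""
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# RFC 2428: EPRT |<af>|<address>|<port>|
EPRT_RE = re.compile(rb"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$")
# Assumption: only open holes to unprivileged ports; a PORT command naming
# e.g. 445 would otherwise punch a hole to a real service on the client.
EPHEMERAL = range(1024, 65536)


class Pinhole:
    """Expected inbound data connection: server -> client_ip:client_port."""

    def __init__(self, server_ip, client_ip, client_port):
        self.key = (server_ip, client_ip, client_port)
        self.server_ip, self.client_ip, self.client_port = self.key

    def __eq__(self, other):
        return isinstance(other, Pinhole) and self.key == other.key

    def __hash__(self):
        return hash(self.key)


class FtpAlg:
    """What a WFP callout would do: watch the control stream (stream layer)
    and answer inbound connect requests (ALE_AUTH_RECV_ACCEPT layer)."""

    def __init__(self):
        self._pending = set()

    def on_control_line(self, client_ip, server_ip, line):
        """Inspect one outbound control-channel line; returns the Pinhole
        opened for it, or None if the line opens nothing."""
        m = PORT_RE.match(line)
        if m:
            nums = [int(g) for g in m.groups()]
            if any(n > 255 for n in nums):
                return None  # malformed PORT, never trust it
            ip = ".".join(str(n) for n in nums[:4])
            port = nums[4] * 256 + nums[5]
        else:
            m = EPRT_RE.match(line)
            if m is None:
                return None  # not a data-port announcement
            ip = m.group(2).decode("ascii", "replace")
            port = int(m.group(3))
        # Only pinhole the client's own address: a PORT naming a third party
        # is the classic FTP bounce, and a hole to a privileged port is a
        # hole to a real local service.
        if ip != client_ip or port not in EPHEMERAL:
            return None
        hole = Pinhole(server_ip, client_ip, port)
        self._pending.add(hole)
        return hole

    def on_inbound_connect(self, src_ip, src_port, dst_ip, dst_port):
        """Decision for an unsolicited inbound TCP connect. The hole is
        one-shot: it is consumed by the first matching connect. src_port is
        20 by RFC 959 default but servers vary, so it is not enforced."""
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self._pending:
            self._pending.discard(hole)
            return "PERMIT"
        return "BLOCK"


def ftp_exe_app_rule(app_path):
    """The reply's static alternative: permit everything whose owning
    process is %windir%\\system32\\ftp.exe (an ALE_APP_ID condition). Note
    what it does not check: any source, any port, any number of times."""
    norm = app_path.replace("/", "\\").lower()
    return "PERMIT" if norm.endswith("\\system32\\ftp.exe") else "BLOCK"


if __name__ == "__main__":
    alg = FtpAlg()
    client, server = "192.0.2.10", "198.51.100.5"        # constructed
    hole = alg.on_control_line(client, server, b"PORT 192,0,2,10,4,210\r\n")
    print("pinhole:", hole.key)                          # port 4*256+210
    print(alg.on_inbound_connect(server, 20, client, 1234))   # PERMIT
    print(alg.on_inbound_connect(server, 20, client, 1234))   # BLOCK (used)
    print(alg.on_control_line(client, server, b"PORT 203,0,113,7,4,210\r\n"))
    print(ftp_exe_app_rule(r"C:\Windows\System32\ftp.exe"))
```

In a real callout the control-channel inspection belongs at FWPM_LAYER_STREAM_V4, where the filter engine hands you reassembled TCP data, and the pinhole decision at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4; the per-application rule needs no callout at all, just a filter with an FWPM_CONDITION_ALE_APP_ID condition whose value comes from FwpmGetAppIdFromFileName0. The trade-off the model makes visible is that the static rule trades a driver for a permanent, any-source, any-port inbound allow for that process, whereas the ALG opens exactly one connection per announced port and refuses bounce-style announcements.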