Server 2008 R2 FTP Stalls – Troubleshooting Guide

ftpwindows-server-2008-r2

the built in command line ftp client in server 2008 does not support passive mode

so I've used these commands to allow outbound ftp (it stalls without this)

1) Open port 21 on the firewall

netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

netsh advfirewall set global StatefulFtp enable

however in server 2008 r2, these commands seem to work, but it does not affect the outbound ftp, it stalls

I do not want to use an alt client

Best Answer

Instead of using the netsh command you could have Windows adding the firewall rules by enabling notification in the "Windows Firewall with Advanced Security" console.

Click on "Windows Firewall Properties" on the root object "Windows Firewall with Advanced Security on Local Computer". From there you customize the settings on each of the profile tabs Domain, Private and Public and set "Display a notification" to "Yes".

When this is done fire up your FTP client and connect to your FTP server. Now you'll be prompted if you want to add a rule for your ftp program.

Good Luck!

-Andy

Related Solutions

How OS Determines Source IP for Outbound TCP/IP Connections with IP Aliasing

By default, on Linux, if an interface has multiple addresses that are on different subnets, traffic destined for the respective subnets will have the proper source IP. That is, if eth0 has two addresses 192.168.1.1/24 and 10.1.1.1/8, then traffic to anything on the 10.0.0.0 subnet will have source 10.1.1.1, and traffic to anything on the 192.168.1.0 subnet will have source 192.168.1.1. You can also assign source addresses explicitly in this case by using the "src 1.2.3.4" option to "ip route".

In your case, though, all your addresses are on the same subnet, so the "primary" one (as revealed by "ip addr list dev eth0") is used as the source IP for traffic exiting on that interface. I think it's possible to control the source IPs in this case just using "ip route", but I've found it easier to use iptables to rewrite the source addresses for traffic of interest.

If you want to force a specific source address to be used for specific destinations, you can do it with a SNAT rule:

iptables -t nat -I POSTROUTING -o eth0 -d dest-IP-or-net/mask -s primary-IP-of-eth0 -j SNAT --to-source desired-source-IP

So if your "primary" eth0 IP is 192.168.100.1, but you want traffic to 1.2.3.4 to have a source of 192.168.100.2, then do this:

iptables -t nat -I POSTROUTING -o eth0 -d 1.2.3.4/0 -s 192.168.100.1 -j SNAT --to-source 192.168.100.2

Note that the "-s 192.168.100.1" is important: it prevents forwarded traffic's source addresses being rewritten by this rule.

If you are going to implement complex network configurations on Linux, you should read the Linux Advanced Routing and Traffic Control documentation, http://lartc.org

How to Use Rsync Over FTP

You don't. rsync can't do that for you, it is a protocol of its own and doesn't work over FTP.

You might, however, want to try csync. IIRC it provides rsync-like behaviour over HTTP. I can't comment on whether it works over FTP, you'll have to try it.

Best Answer

Related Solutions

How OS Determines Source IP for Outbound TCP/IP Connections with IP Aliasing

How to Use Rsync Over FTP

Related Topic