FTP Server Security Questions [Archive] - SpeedGuide.net Broadband Community

fastfwd
02-08-03, 06:18 PM
Windows XP Professional, G6 FTP v2.0, Netgear RP614, and Zone Alarm Pro 3.5.

I'm not really knowledgeable on security so bear with me and please make suggestions. The Netgear has ports 504 and 50000-50100 forwarded. I've got the G6 set to run with passive mode and listening to the ports listed previously. Right now Zone Alarm is giving G6 access to all ports and protocols. If I limit it to TCP and the ports listed it only works with passive. The thing is, why is active mode working at all with the Netgear in place? Should I leave the Zone Alarm blocking the UDP protocol and limiting the ports? What are the dangers of doing this?

Right now I'm not using the latest firmware with my Netgear because I'm not sure it operates with PPPoE correctly yet. I upgraded my first one and it no longer would upload. The newest firmware for the Netgear allows service blocking from the Netgear - the old one only allows TCP and UDP on ports forwarded.

Looking for advice on what would be the best configuration. It would be nice to allow users the ability to connect both active and passive if it's not leaving me open to exploit.

fastfwd
02-08-03, 10:15 PM
Well, I'm getting multiple UDP blocks from Generic Host Process for Win32 Services by Zone Alarm to my router port 53. So, I guess there must be a big exploit somewhere in allowing UDP access. I'm shutting it down and closing up the ports.

Anyone who can shed some light on this would be greatly appreciated. Thanks.

zooner
02-09-03, 05:49 AM
Just a thought...

I am NOT a networking guru, but I have been online for a long time. In my opinion, firewalls with a router are a waste. What?

Instead of running a CPU-hogging firewall that might work, here's a better way. There's a free program called Startup Monitor that takes up less than half a meg of memory. It sits in the background and pops up, asking permission, for anything that wishes to be added to startup.

If you keep a clean system and don't let programs start up without your permission, you're halfway there.

The other tool I use is a packet monitor. Use that once a week, along with your router and startup monitor.

One last thing... make sure your logins and passwords on that FTP don't make sense; that's an easy way to beat the security risks of an FTP server.

cyberskye
02-10-03, 05:35 PM
port 53

That's DNS - have you added the public FQDN to your hosts file?

I think you need something a little more robust than a NAT router when running servers (ESPECIALLY ftp).

Passive mode is harder to secure on the server end. The client, technically, determines the data port to be used and initiates both the comm channel (obviously) and the data channel. To be 100% sure someone can connect, you need to forward every port greater than 1023 through the router, making its protection very limited (hence the absolute need for a software firewall when forwarding ports).

Active mode is easier to secure on the server side. Client connects to port 21. Client sends a request to the server to establish the data channel on port x. The server then initiates a connection back to the client on port x. Now the client has to punch great gaping holes in their perimeter.

ftp is pretty ugly security-wise. Don't run it on a box that has anything you care to lose on it and put a firewall between it and your LAN/home machine.

fastfwd
02-10-03, 06:32 PM
Thanks! Yeah, I finally figured out it was just DNS attempting to identify the inbound requests. I turned off the dns lookup on the ftp server. Everything seems to be working well in passive now with UDP closed on all open ftp ports.

I'm pretty confused on how active FTP would be more secure than passive. This FTP server (Bulletproof 2.21) allows external IP awareness for passive mode inside a NAT firewall with a dynamic IP internet service provider. I can dictate what ports I want to be available to the clients this way. If I used active I would have to allow a much bigger hole because the server doesn't know what is available and I don't have stateful packet inspection (I read that this solves some of those problems).

Now, I guess the question is what are the best ports to make available to the ftp that leave me the least vulnerable? I'm using 504 to communicate and 50000-5100 for data connection. I'm on a Windows XP box with Zone Alarm Pro software firewall. I don't really have anything to lose if it gets destroyed, but I would like to deter people from easily browsing through my computer.

I have been allowing full access with only Zone Alarm on this machine. Zone Alarm giving full access to all ports and protocols. So, I suppose anything that could have been done to my computer has been done already. I'd just like to know for future reference.

I see where people state that an FTP server is extremely vulnerable to exploit and that it should be run on a machine outside of the firewall. What can be done? I'm no hacker, but I check out astalavista on occasion and I've only seen a few attack methods for G6 FTP server and I've tried to comply with the recommended fixes. Should I consider that everything on my computer has been looked at and it won't be secure again until I reformat the whole thing even though I run current virus software (Norton Anti-Virus 2003)?

Thanks for taking the time to reply. I'm just beginning to become curious about being more secure with my computer and home network.

cyberskye
02-11-03, 09:52 AM
I'm pretty confused on how active FTP would be more secure than passive. This FTP server (Bulletproof 2.21) allows external IP awareness for passive mode inside a NAT firewall with a dynamic IP internet service provider. I can dictate what ports I want to be available to the clients this way. If I used active I would have to allow a much bigger hole because the server doesn't know what is available and I don't have stateful packet inspection (I read that this solves some of those problems).

It's all about who determines the data channel. In Active Mode, the server picks the port# (usually 20, but not necessarily). In Passive the client picks the port (could be ANY port#). As you stated, you've had to forward several ports through the router and give ftp full access in ZA...not a very secure setup.

SPI (adaptive firewalling) does make this easy as it maps the two connections back to each other (it can read packet info to get the port#).

FTP was designed before the internet was such a dangerous place :) The protocol itself (classic) exchanges passwords in plain text and the two-port architecture doesn't make firewalling easy. However, there are many FTP applications out there - security can be improved at the application layer, but the protocol will always have its drawbacks security-wise.

Are you using NTFS on all drives and setting permissions accordingly (user EVERYONE should not have access to anything), and does ftpd run as a non-privileged user?

Skye
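An added example (not code from the thread or any of the products named in it) illustrating the two posts above on who picks the data port: in passive mode the server's 227 reply advertises the port, so the server side only needs a bounded inbound range forwarded; in active mode the client's PORT command names the port, so the server must connect outward to an arbitrary client port. The control port 504 and data range 50000-50100 are taken from the thread; the IP addresses in the sample messages are constructed.

```python
import re

# Constructed values matching the thread's setup: control port 504 and a
# passive data range of 50000-50100 forwarded through the NAT router.
CONTROL_PORT = 504
PASV_RANGE = (50000, 50100)

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
SIX_NUMS = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*?\(" + SIX_NUMS + r"\)")
PORT_RE = re.compile(r"^PORT " + SIX_NUMS + r"\s*$")


def _host_port(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply):
    """Passive mode: the server advertises the data port in its 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _host_port(m.groups())


def parse_port_cmd(cmd):
    """Active mode: the client names the data port in its PORT command."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _host_port(m.groups())


def server_side_rules(mode, data_port):
    """Firewall rules the server side needs for one transfer in the given mode."""
    rules = [("inbound", "tcp", CONTROL_PORT)]
    if mode == "passive":
        rules.append(("inbound", "tcp", data_port))   # client connects in to us
    else:
        rules.append(("outbound", "tcp", data_port))  # we connect out to the client
    return rules


def check_pasv_reply(reply, external_ip):
    """Flag a PASV reply that a client outside the NAT could not actually use."""
    host, port = parse_pasv(reply)
    problems = []
    if host != external_ip:
        problems.append(f"advertised {host}, router's public address is {external_ip}")
    if not PASV_RANGE[0] <= port <= PASV_RANGE[1]:
        problems.append(f"port {port} is outside the forwarded range {PASV_RANGE}")
    return host, port, problems
```

Feeding a real server's 227 reply to check_pasv_reply is a quick way to confirm that "external IP awareness" is on and the advertised port actually falls inside the range the router forwards.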