Hi: I'm trying to block ftp/ftps connections to a server2008r2 standard computer using Windows Firewall, but still allow connections from a specific remote IP I created a rule using the GUI: Protocols and Ports- Protocol Type: TCP- Local port: 20,21,22,990,991- remote port: All PortsScope- Local IP: [my IP]- Remote IP: 0.0.0.0-123.123.123.123- Remote IP: 123.123.123.125-255.255.255.255- [trying to allow connections from 123.123.123.124, but block everything else]Advanced- Domain/Private/Public selected- Interface Types: all selected- Block edge traversal If I test ftp connections from a remote computer, they are dropped, but not before the connection is logged by the ftp service. Even with the settings above, I'll still see this in the ftp log: 2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelOpened - - 0 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 - 2012-05-02 14:20:07 216.213.xxx.xxx - 50.63.xxx.xxx - - 451 87 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 - 2012-05-02 14:20:27 216.213.xxx.xxx - 50.63.xxx.xxx ControlChannelClosed - - 1292 0 08683fc0-8e1a-4633-ae51-d4a91a9ceb61 - Is there any way to block these connections completely at the firewall? Or do I need to configure the firewall differently? I basically want to disallow ftp/ftps connections completely, except for a few specific remote IPs.

Hi, Have you set the exception for the 123.123.123.124? Can FTP to the server from the remote client in the blocked IP range? The log shows on the connection is from the 123.123.123.124 which may allow by your scope settings. Best Regards, AidenAiden Cao TechNet Community Support

Hi Aiden: I tried to set it up the same way as in my original post. I have the rule set to "block", and I have two ranges specified for the remote IP: - Remote IP: 0.0.0.0-123.123.123.123 - Remote IP: 123.123.123.125-255.255.255.255 So I would think the only connections that would get through would be from 123.123.123.124?

Hi, How are things going? Can this setting achieve your goals? Please note that if the client cannot prompt the logon session (asking user name and password) when connect to FTP server, there will no log generated in the FTP logs. If you have any update or concern, please feel free to let us know. Best Regards, AidenAiden Cao TechNet Community Support

Hi Aiden: This does not appear to be working. The connection is still getting to the FTP service, where it's dropped, but not before the FTP server answers. Here's the detail of the vulnerability I'm trying to block. This is a known vulnerability in FTP Service 7-7.5, which is why I'm trying to block the FTP connections at the firewall. Synopsis : The remote FTP server allows plaintext command injection while negotiating an encrypted communications channel. Description : The remote FTP server contains a software flaw in its AUTH TLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could permit an attacker to modify files on the FTP server and reveal a user's credentials. See also : http://tools.ietf.org/html/rfc4217 http://www.securityfocus.com/archive/1/516901/30/0/threaded Solution : Contact the vendor to see if an update is available. Risk factor : Medium / CVSS Base Score : 4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N) CVSS Temporal Score : 3.3 (CVSS2#E:F/RL:OF/RC:C) Public Exploit Available : true Plugin output : McAfee sent the following two commands in a single packet : AUTH TLS\\r\ FEAT\\r\ And the server sent the following two responses : 234 AUTH command ok. Expecting TLS Negotiation. 211-Extended features supported: LANG EN* UTF8 AUTH TLS TLS-C SSL TLS-P PBSZ PROT C P CCC HOST SIZE MDTM REST STREAM 211 END CVE : CVE-2011-1575 BID : 46767 Other references : OSVDB:71855, CERT:555316, IAVA:2011-A-0054