
I have a .NET Core console app that downloads files from an FTP server and processes them. I moved the app onto a new server, and it stopped working. Disabling Windows Firewall on the new server solves the problem, but obviously I don't want to leave it wide open - I need a targeted way of enabling this app. FTP traffic seems to already be allowed (inbound and outbound) by the default firewall rules, so I don't know which additional ports could be opened (I think I'm using active FTP, which can use a broad port range AFAIK). I would prefer to whitelist the application, but it is not an .exe file, so I'm not exactly sure which application to allow.

I run the application using a shortcut to a .bat file. The bat file contains just the following line:

dotnet "C:\path\my-application.dll"

The code on which the application fails is:

using System.Net;

// This runs inside an async method; FtpWebRequest lives in System.Net.
FtpWebRequest request = (FtpWebRequest)WebRequest.Create(ftpServerUri);
request.UseBinary = true;
request.Credentials = new NetworkCredential(ftpUser, ftpPsw);
request.Method = WebRequestMethods.Ftp.ListDirectory;
request.Proxy = null;
request.KeepAlive = false;
request.UsePassive = false; // active mode: the server opens the data connection back to this client

// hangs here forever unless Windows Firewall is turned off
FtpWebResponse response = (FtpWebResponse)await request.GetResponseAsync();

Is it possible to allow the application through the firewall? Do I allow dotnet.exe, or the .bat file, or the .dll file, or is there an alternate way of doing this? Thanks in advance for any help!

Martin Prikryl
Dave Smash
  • There is a way to publish your console app so that an `exe` is created -> (https://stackoverflow.com/questions/44074121/build-net-core-console-application-to-output-an-exe), you could then whitelist the `exe` -> one possible solution. – Ryan Wilson Dec 17 '19 at 18:26

3 Answers


Do not use FTP active mode. And you won't have firewall problems.

The passive mode is enabled by default for a good reason. It makes it less problematic to pass through a firewall.

Remove this line:

request.UsePassive = false;

Read my article on network configuration needed for FTP active and passive modes.

Martin Prikryl
  • Your link is a good read, and the passive FTP approach does seem to work without firewall changes. For the sake of anyone searching the question of allowing .Net Core through the firewall, I will accept the answer that addresses that specific question, but +1 and a sincere thank you for a better approach! – Dave Smash Dec 17 '19 at 21:28

You can try 2 things on Win10:

  • Allow an App through Windows Firewall

Navigation Path: Control Panel\All Control Panel Items\Windows Defender Firewall\Allowed apps

Click Allow another app

On the following pop up, provide the absolute path to dotnet.exe

  • Configure Windows Defender Firewall with Advanced Security as below

Navigation Path: Control Panel\All Control Panel Items\Windows Defender Firewall\Advanced Settings

EDIT:

Turns out whitelisting did the trick.

Clint
  • I was hoping to use the "Allow an App through Windows Firewall" approach, but I don't know what to select in the context of .Net core... ".dll" isn't an extension that is supported. – Dave Smash Dec 17 '19 at 18:36
  • @DaveSmash, have you tried allowing dotnet.exe? The other way I can think of is to configure inbound/outbound rules for the specific port. – Clint Dec 17 '19 at 18:40
  • I just added that and will disable my other rule to check... These FTP files have been piling up for a while, so I'm going to let the program finish running before I test, but I'll follow up shortly. My first thought was that was a broader scope than I was hoping to allow, but I guess I can control which .Net Core applications run on the server anyway, so the more I think about it, it doesn't seem like a big threat. – Dave Smash Dec 17 '19 at 18:52
  • Yea the Inbound rules is pretty flexible that way – Clint Dec 17 '19 at 20:04
  • Whitelisting dotnet.exe does seem to work. I am actually going to use the passive FTP approach suggested by Martin Prikryl, but your comments provide a better answer to the actual question that I asked. If you want to edit it to be more specific as to how to whitelist C:\Program Files\dotnet.exe so that people don't have to read the comment thread, then I will give you credit! Thanks for your help. – Dave Smash Dec 17 '19 at 21:27

I may have found an answer here:

https://serverfault.com/questions/401304/active-ftp-client-blocked-by-windows-firewall-on-windows-7

Basically the solution is to go to Firewall advanced settings, and create a new inbound rule. Select Custom Rule. I applied it to All Programs (since I still don't know how to select a .Net Core app). I used protocol type: TCP, local port: All Ports, and remote port: Specific Ports 20.

The idea is that you initiate the connection on TCP port 20, and then the resulting inbound traffic is pointed at some arbitrary port, but you can determine that it is an FTP response due to the fact that the remote port is TCP port 20. So instead of opening a huge range of local ports, you open all local ports but only for a single remote port.

I will leave this open in case somebody has an answer that will help me allow the entire application, but this is a good enough solution otherwise.

Gian Paolo
Dave Smash
  • There's nothing preventing the attacker from using remote port 20, allowing it to target any port/listening application on your machine. It's almost as if you have turned the firewall off completely. – Martin Prikryl Dec 17 '19 at 19:00
  • Well, it's only like I turned the firewall off completely if they know or guess to use remote port 20... but I take your point. I like your passive FTP approach better than this one. – Dave Smash Dec 17 '19 at 21:30
  • That's why I wrote "almost". It's not difficult for an attacker to recognise that your main connection is FTP. Then the port 20 is easy to guess. And even if not, would you use "20" as your account password? - It's an equivalent in terms of security. – Martin Prikryl Dec 18 '19 at 07:06
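Combining the scoping ideas from Clint's answer (restrict the rule to dotnet.exe) and Gian Paolo's answer (restrict it to remote port 20), here is an added PowerShell example, not code from the thread, that creates one inbound rule limited to that program, to TCP, and to connections whose remote port is 20. It assumes the default install path C:\Program Files\dotnet\dotnet.exe and an elevated PowerShell on a host with the NetSecurity cmdlets (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the thread). Assumed default SDK path; change $dotnet
# if dotnet is installed elsewhere on the server.
$dotnet = Join-Path $env:ProgramFiles 'dotnet\dotnet.exe'
if (-not (Test-Path $dotnet)) { throw "dotnet.exe not found at $dotnet" }

# One inbound rule scoped three ways: only dotnet.exe, only TCP, and only
# connections whose remote (source) port is 20, i.e. the FTP data connection
# the server opens back towards an active-mode client. This is far narrower
# than an "All Programs" rule on remote port 20 or a program-only rule.
$ruleName = 'FTP active-mode data (dotnet.exe, remote TCP port 20)'
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Enabled True `
    -Program $dotnet -Protocol TCP -RemotePort 20 `
    -Profile Domain,Private `
    -Description 'Lets the FTP server open the active-mode data connection back to the .NET client.'

# Verify what was actually created: the associated filters show the program
# and port scope, not just the rule header.
Get-NetFirewallRule -DisplayName $ruleName |
    Format-List DisplayName, Direction, Action, Enabled, Profile
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallApplicationFilter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter

# Roll back once the client uses passive mode (Martin Prikryl's answer), which
# needs no inbound rule at all:
# Remove-NetFirewallRule -DisplayName $ruleName
```

Martin Prikryl's objection still applies in a weaker form: any process launched through dotnet.exe can now accept a connection arriving from remote port 20, so treat this as a stop-gap and remove the rule once the client runs in passive mode. If you publish the app as a self-contained exe as Ryan Wilson's comment suggests, point -Program at that exe instead of dotnet.exe.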