Recently I was troubleshooting a networking problem from my work, Windows notebook: an FTP server behind a firewall was not reachable. FTP is known to be a tricky protocol to get through firewalls (it opens a second connection on random ports), so I went straight into troubleshooting bottom up.

First step is to verify the control-connection. I usually test this by manually connecting to port 21 using netcat (or telnet). netcat reports that the connection is open, but shows no server-header. Normally one would assume that the firewall allows the connection, but there is something wrong with the FTP server. If only it would be that easy…

Even though the connection was reported “open”, a Wireshark capture contradicts this! I can only see an outgoing SYN packet, nothing coming back. There is no way that this connection was ever opened. To reproduce this:

  • pull out all network connections to the outside world
  • Make sure Windows still has a network active. I use the “host-only” network from VMware.
  • add a default route to a non-existent address:
    route add mask
  • try this:
    netcat -vv 21
  • observe that the connection is reported “open”, even though this is impossible

Apparently, this is caused by the wonderful Windows Firewall… Disabling the firewall in the control panel solved this issue.

Conclusion: Don’t trust what Windows tells you!