Port 21 Seems Open?

Post by tzuk » Fri May 12, 2006 6:38 pm

The following information may come in handy. It certainly would have saved me a couple of days that I spent reinstalling my system, if I had known this in advance.

If someone using Windows tells you that your computer exposes port 21, and that they can access this port -- not through FTP, but by running "telnet yourcomputer 21" -- it doesn't necessarily mean you have port 21 open.

I have experienced the behavior reported in this post.

This is the gist of it:

Someone else reports they can connect to your port 21, but when you try "telnet localhost 21" to connect to your own computer, the system says "Connection failed." Yet if you use a second computer on your network and try telnetting from there to the first computer, you get a mysterious connection that closes after a few seconds.

And programs that display Internet usage show that nothing on the first computer is serving requests on port 21.

This may seem like a really clever malicious software rootkit, but in fact, it isn't.

What happens is that the Application Layer Gateway (ALG) service on the computer that is initiating the connection is faking a successful connection on port 21.

The first computer that is supposed to respond to the connection has never responded at all. It has no program running on port 21, and furthermore, the firewall blocks access on that port.

It is only the telnet on the calling computer that is being fooled into believing that a connection has been made. If the calling computer runs with the ALG service disabled, this behavior does not occur.
tzuk
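
One way to check a reported "open port 21" from the calling computer, as an added example that is not part of tzuk's post: a real FTP server sends a 220 greeting as soon as the connection opens, so a connection that opens, carries no data and then closes is consistent with the faked connection described above rather than with a listening service. The function names, result labels and local test listeners are assumptions made for this sketch, as is the premise that the faked connection carries no greeting.

```python
import socket
import threading

def probe_port(host, port, wait=10.0):
    """Classify what a TCP connect to host:port actually shows."""
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except ConnectionRefusedError:
        return "refused"                    # nothing listening, connect was rejected
    except OSError:
        return "unreachable"                # timed out or no route
    with sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(256)           # a real FTP server speaks first
        except socket.timeout:
            return "connected-silent"       # inconclusive: open, no data yet
        except OSError:
            return "connected-then-closed"  # reset right after connecting
    if not data:
        return "connected-then-closed"      # opened, no data, then closed
    return "ftp-banner" if data.startswith(b"220") else "other-service"

def _listener(reply):
    """Constructed local listener: accept one client, send reply, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def _closed_port():
    """Return a loopback port number that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo(wait=2.0):
    """Run the probe against three constructed loopback cases."""
    return {
        "real_ftp": probe_port("127.0.0.1", _listener(b"220 constructed FTP ready\r\n"), wait),
        "no_greeting": probe_port("127.0.0.1", _listener(b""), wait),
        "closed": probe_port("127.0.0.1", _closed_port(), wait),
    }

if __name__ == "__main__":
    print(demo())
```

Only the "ftp-banner" result shows that a server answered; the other results say nothing listening was confirmed, and "connected-silent" needs a longer wait before drawing a conclusion.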
