Re: FTP question
From: Olivier D (olivier@drexdottmfweb.nl)
Date: 02/05/03
- Next message: Iain: "Problems installing gpg-agent on SuSE 8.1"
- Previous message: Roger Hanson: "Re: freesco question about ethernet cards"
- In reply to: Whoever: "Re: FTP question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Olivier D" <olivier@drexdottmfweb.nl> Date: Wed, 05 Feb 2003 20:57:11 GMT
On Tue, 04 Feb 2003 18:31:04 +0000, Whoever illuminated us with the
following:
> On Tue, 4 Feb 2003, Olivier D wrote:
>
>>
>> "Whoever" <nobody@devnull.none> wrote in message
>> news:Pine.LNX.4.44.0302031421580.6491-100000@c941211-a...
>> > On Mon, 3 Feb 2003, Olivier wrote:
>> >
>> > >
>> > > "Whoever" <nobody@devnull.none> wrote in message
>> > > news:Pine.LNX.4.44.0302022319330.4369-100000@c941211-a...
>> > > > On Sat, 1 Feb 2003, Olivier D wrote:
>> > > >
>> > > > >
>> > > > > "Allen Kistler" <ackistler@yahoo.com> wrote in message
>> > > > > news:RyF_9.740$HG6.296094@newssrv26.news.prodigy.com...
>> > > > > > Olivier D wrote:
>> > > > > > > I have an FTP-problem that puzzles me. I have two systems behind a firewall
>> > > > > > > (Clarkconnect 1.2), one RedHat 8.0, the other (don't laugh) Win2k. With
>> > > > > > > Win2k I can FTP to a (firewalled) ftp-server (part of a Win2k-domain) and
>> > > > > > > up/download data. With RedHat, I can log in with both gFTP and ncftp, but I
>> > > > > > > can /only/ transfer data with ncftp (gftp produces a timeout). Both machines
>> > > > > > > have zero firewall (that's done by the Clarkconnect-linux machine; I already
>> > > > > > > checked the firewall settings on both machines).
>> > > > > > >
>> > > > > > > [snip]
>> > > > > >
>> > > > > > Probably the difference is active ftp vs. passive ftp. Windows command
>> > > > > > line ftp uses active ftp. IE with an ftp url uses passive ftp. You can
>> > > > > > use those facts to test active vs. passive from your W2k machine. Just
>> > > > > > try to log in somewhere and get a directory.
>> > > > > >
>> > > > >
>> > > > > Dear Allen,
>> > > > >
>> > > > >
>> > > > > I've talked to the admin of the ftp-server, and only /active/ transfer works
>> > > > > (because except for port 21, the ftp-server is completely firewalled). I
>> > > > > know ncftp automatically switches to whichever works, so that would be
>> > > > > active transfer mode. gFtp, however, doesn't work when I switch off passive
>> > > > > transfer mode (and of course, doesn't work either when I /do/ use passive)
>> > > > >
>> > > > > I tried using IE-ftp, but as I said, the ftp-server is firewalled for all
>> > > > > ports except 21, so no luck there.
>> > > > >
>> > > >
>> > > > OK, so the admin of the ftp-server does not know what he is talking about.
>> > > >
>> > > > FTP uses port 21 for the command channel. Data transfers use port 20
>> > > > (irrespective of whether it is passive or active).
>> > > >
>> > > > Now whether active or passive works is more likely to be an issue with
>> > > > YOUR (the client) firewall -- assuming you are behind a NAT firewall.
>> > > >
>> > > > So, gather and post more info.
>> > > >
>> > >
>> > > About port 20, that's not what I read, although I do recall something
>> > > similar. But it could of course still be the case.
>> > > That being the case, maybe you can tell me why my
>> > > Clarkconnect-NAT-IPTables-filtering firewall will only (successfully) direct
>> > > the traffic to the Win2k-box and the RedHat-box when using ncftp, but not to
>> > > the RedHat-box with gFtp. I haven't set up any specific port-forwarding
>> > > (Mandrake 9.0, dualbooted on the Win2k box has the same problem). I would
>> > > guess that has to do with the way the /client/ handles the (incoming)
>> > > traffic, since only gFtp won't work, while ncftp and WS-Ftp (on the
>> > > Win2k-box) do work. The RedHat-box has its firewall disabled, and so does
>> > > the Win2k-box (and the Mandrake-box). I'm still puzzled...
>> > >
>> >
>> > But according to your own posting, it is nothing to do with which box
>> > (Linux or Win2K) is the client, or the firewall on the Linux box --
>> > according to you ncftp works on the Linux box and you have a client that
>> > works on the Win2k box. Therefore, we can conclude that active ftp is
>> > working and the firewall is not an issue.
>> >
>> > According to you, it is generally an issue of active vs. passive ftp,
>> > with the unexplained exception that gFtp does not work. Here is another
>> > thing to check: are you sure you don't have some kind of proxy that ncftp
>> > is using and gFtp is not using?
>> >
>> > In a NAT environment, with active ftp, the NAT box must inspect the ftp
>> > control channel and when the packets arrive from port 20 (the data
>> > channel), to the port defined in the ftp "PORT" command, accept the
>> > packets and re-direct them to the correct client. With active ftp, the
>> > connection from port 20 is made by the server. Your NAT box must be
>> > capable of supporting this. Proxy servers can also be used to solve this
>> > problem.
>> >
>> > On the other hand, passive ftp is more difficult for the ftp-server's
>> > firewall, since the client initiates the data connection -- the
>> > ftp-server's firewall must inspect the data channel and allow the
>> > data connection according to the instructions (the "PORT" command) in the
>> > control channel.
>> >
>>
>> Well, I think we agree on a lot. The firewall can be eliminated as the
>> problem, since it routed the traffic to the Win2k-box and ncftp correctly. I
>> guess I am indeed looking for some sort of hidden setting that ncftp uses
>> and gftp doesn't (or the other way around). Maybe it's just something with
>> gftp. Do you happen to know a good (Gnome-compliant) ftp-client or where to
>> go to find one?
>
> Quite frankly, on Linux, I find that using command line clients works very
> well. Have you looked at "wget"? This is a very powerful client, able to
> download from either ftp or http sites. It can download recursively.
>
> Quite often, what I will do is use my web browser (Galeon) to navigate to
> the appropriate point in the ftp site, then copy the URL into a
> command-line "wget" command. Works well for me.
>
>
>>
>>
>> thanx
>>
>>
>>
Thanx, everyone who wrote to come to my aid. Because, you guessed it,
problem solved. I /thought/ that I had the most recent version of gFtp,
but apparently I had 2.0.13 while 2.0.14 was already available. So I
upgraded. And voila! Problem solved! Unbelievable. (That'll teach
me to /think/ ;-) Maybe I did stumble on some bug. I haven't found it
in the ChangeLog, so probably I made some mistake, somewhere. We'll never
know, I guess.
Thanx again, everyone, I've learned a lot!
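
Added example, not part of the original posts: the active/passive question in this thread comes down to an address and port carried inside the control channel (the client's PORT command in active mode, the server's 227 reply to PASV in passive mode, per RFC 959), which a NAT box has to parse and rewrite. The Python sketch below parses both forms and rewrites a PORT command; all addresses are constructed samples and the function names are hypothetical.

```python
# Added illustration (not from the thread): what a NAT FTP helper reads on the
# control channel. Function names are hypothetical; sample lines are constructed.
import ipaddress
import re

# RFC 959 encodes an endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
_ENDPOINT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _verb(line):
    return line.strip().split(" ", 1)[0].upper()


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    if _verb(line) not in ("PORT", "227"):
        return None
    m = _ENDPOINT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def needs_nat_helper(line):
    """True when the advertised address is RFC 1918 space the peer cannot reach."""
    ep = parse_endpoint(line)
    if ep is None:
        return False
    addr = ipaddress.ip_address(ep[0])
    return any(addr in net for net in _RFC1918)


def rewrite_port(line, public_ip, public_port):
    """Rewrite a client's PORT command to the NAT box's public mapping."""
    if _verb(line) != "PORT" or parse_endpoint(line) is None:
        raise ValueError("not a valid PORT command")
    hosts = public_ip.replace(".", ",")
    return "PORT %s,%d,%d\r\n" % (hosts, public_port // 256, public_port % 256)


if __name__ == "__main__":
    active = "PORT 192,168,1,10,195,80\r\n"                        # constructed
    passive = "227 Entering Passive Mode (203,0,113,5,19,137)\r\n"  # constructed
    print(parse_endpoint(active), needs_nat_helper(active))
    print(parse_endpoint(passive), needs_nat_helper(passive))
    print(repr(rewrite_port(active, "198.51.100.7", 40000)))
```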