Re: is it impossible to tunnel ftp?

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 10/21/03


Date: Tue, 21 Oct 2003 12:15:58 GMT

In article <pan.2003.10.21.09.34.10.668001@algonet.se>,
Torbjorn Richt <tori@algonet.se> wrote:
>hi
>i have a firewall, iptables on linux redhat 9.
>behind it i have one ftp server(windows) and one webserver (windows).
>
>i have tried to make a SSH-tunnel to the ftp-server, tried both
>with putty on windows and with ssh on a FreeBSD like this:
>ssh -L 2121:ftp.server.ipnum:21 sshhostipnum
>
>the problem seems to be ftp-data, login works just fine, but
>when i print "ls" or anything else i get "500 Invalid PORT Command "
>
>it works from the ssh-shell to the ftp server.
>
>what am i doing wrong?

FTP needs a data port for returning data (eg the output of your "ls" or
the contents of a file). This connection is either server-to-client (in
the case of "active mode") or client-to-server ("passive mode"). In
active mode, the connection is from port 20 on the server to a port
specified by the client. In passive mode, it's from a random port
on the client to a random port specified by the server.[0]

Your port forward doesn't provide either (and it would be difficult to
do).

You might be able to get it to work if your ssh client supports socks
(for OpenSSH this is DynamicForward, some other clients have a similar
capability). Set the client to use socks and passive mode.

[0] Hopefully I got those right, it's been a while since I looked at it.
Go read the FTP specs to be certain.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
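The following is an added illustration of the point made in the reply above; it is not code from the original post or from Darren Tucker. It decodes the h1,h2,h3,h4,p1,p2 form that both the PORT command and the 227 passive-mode reply use, and then works through the four combinations of data-connection mode (active/passive) and tunnel kind (a plain `-L` port forward versus a SOCKS/DynamicForward proxy) against a constructed toy network in which the client can reach only the ssh host and the ssh host can reach the ftp server. The addresses, the ROUTES table and the sample control-channel lines are all made up for the example.

```python
import re

# Constructed addresses for the scenario in the post (not real hosts).
CLIENT_IP = "192.168.1.10"    # ftp client, outside the firewall
SSH_HOST_IP = "203.0.113.1"   # ssh host / firewall, reachable from the client
FTP_SERVER_IP = "10.0.0.5"    # ftp server behind the firewall

# Toy reachability model: which hosts can open a TCP connection to which.
# The client reaches only the ssh host; the server reaches only the ssh host.
ROUTES = {
    CLIENT_IP: {SSH_HOST_IP},
    SSH_HOST_IP: {FTP_SERVER_IP, CLIENT_IP},
    FTP_SERVER_IP: {SSH_HOST_IP},
}

# Constructed sample 227 reply, as a server behind the firewall would send it:
# it announces the server's *own* address and a random high port.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_six_tuple(line):
    """Decode h1,h2,h3,h4,p1,p2 (used by PORT and by the 227 reply) to (host, port)."""
    m = _SIX.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet or port byte out of range in %r" % line)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def port_command(host, port):
    """Encode the client's listening address as an active-mode PORT command."""
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def data_connection_works(mode, tunnel, pasv_reply=SAMPLE_PASV_REPLY, client_data_port=2049):
    """Return (ok, description) for one data-connection attempt.

    mode:   "active"  (client sends PORT, server connects back) or
            "passive" (server sends 227, client connects to it)
    tunnel: "local_forward" (ssh -L 2121:ftpserver:21 sshhost) or
            "socks" (ssh -D, ftp client configured to use the SOCKS proxy)
    """
    if mode == "passive":
        host, port = parse_six_tuple(pasv_reply)
        # With SOCKS the client hands every new connection to the proxy, so the
        # data connection originates on the ssh host, which can reach the server.
        # A -L forward covers only the one control port; the data connection is
        # attempted directly from the client and never enters the tunnel.
        origin = SSH_HOST_IP if tunnel == "socks" else CLIENT_IP
        return host in ROUTES[origin], "%s -> %s:%d" % (origin, host, port)
    # Active mode: the client can only advertise its own address in PORT.
    # The server behind the firewall cannot connect back to it with either
    # tunnel kind, and many servers also refuse a PORT address that differs
    # from the control connection's peer (the ssh host here).
    cmd = port_command(CLIENT_IP, client_data_port)
    host, port = parse_six_tuple(cmd)
    return host in ROUTES[FTP_SERVER_IP], "%s -> %s:%d (%s)" % (FTP_SERVER_IP, host, port, cmd)


def summarize():
    """Evaluate all four mode/tunnel combinations; only passive+socks succeeds."""
    return {
        (mode, tunnel): data_connection_works(mode, tunnel)[0]
        for mode in ("active", "passive")
        for tunnel in ("local_forward", "socks")
    }


if __name__ == "__main__":
    for (mode, tunnel), ok in sorted(summarize().items()):
        print("%-8s %-14s %s" % (mode, tunnel, "data connection works" if ok else "fails"))
```

The only combination that succeeds in the model is passive mode over a SOCKS proxy, which is exactly the advice in the reply: the control connection already arrives from the ssh host, and with SOCKS the client's passive data connection is made from the same place.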

