[Tfug] ftp problems

Choprboy choprboy at dakotacom.net
Fri May 2 13:49:25 MST 2008


There are 2 different things that need to be looked at/fixed. Both are related 
to the same thing. First, are all of these FTP servers actually directly 
connected, or are some NAT'd behind their own firewalls? The biggest problem 
is with broken connection tracking on one or the other firewall which doesn't 
follow the FTP stream correctly. FTP, unlike most all other protocols, uses 2 
network streams, a command stream to the well known port 21, and a data 
stream to an arbitrary port number. The active/passive mode determines which 
side initiates this second stream. The connection tracking on the firewall 
needs to snoop the command stream looking for the requests to open the data 
stream and then dest NAT the appropriate port when the connection comes in. 
Usually, when some FTP works, and some doesn't, in certain modes, it is because 
both sides are behind firewalls, and 1 side is not doing connection tracking.

Second, I have not seen a Linux FTP utility that does not do both active and 
passive modes... The command is the same, "passive" or "pasv". The command 
toggles passive mode on/off, just repeat the command.

Adrian



On Friday 02 May 2008 08:11, Jim Secan wrote:
> I'm having sporadic problems with ftp (fetching files from remote servers)
> that may be a problem caused by my ditz ISP.  The primary symptom is that,
> for reasons unknown, all ftp that I attempt to certain sites from a Linux
> (CentOS) box hang when I get to the point where data (files or directory
> lists) are to be transferred back to me.  All of these are in passive mode,
> which appears to be the only mode that the Linux version of ftp "speaks."
> When I go to my Solaris box, which has an older ftp that doesn't know about
> passive mode, things work fine.  Things will work fine for a week or more,
> and then will stop working again.  This is to different servers in very
> different locations, so I suspect the problem is at my end somewhere.
> There have been no changes to any of my systems.  [The reason I suspect my
> ISP is that an ISP-owned firewall/router sits in my office over which I
> have no/zip/nada control.  They have four times now changed rules and
> firmware on this beast without notice which caused problems for me.  I'm
> solving that particular problem by ditching this ISP once their contract is
> up.]
>
> So, is this a familiar problem?  I've checked port blocking, and both ftp
> ports appear to be OK on the firewall, at least as far as I can tell by my
> limited view into the firewall settings.  The ISP has been no/zip/nada help
> with this.
>
> Jim
> *---------------------*-------------------------------*
>
> | Jim Secan           | Northwest Research Assoc, Inc |
> | (jim at nwra.com)      | 2455 E. Speedway, Suite 204   |
> | (520) 319-7773      | Tucson, Arizona 85719         |
>
> *---------------------*-------------------------------*
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
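
Added example, not part of the original post: a sketch in Python of the parsing a firewall's FTP connection tracking has to do on the command stream described in the reply above, reading the data-stream address and port out of PORT commands and 227/229 replies. The function names and sample lines are constructed for illustration; run against a captured control session, it shows whether an announced address is a private one that no NAT helper rewrote.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (client, active) and the 227 reply to PASV share
# one encoding: four address octets, then port = p1 * 256 + p2.
_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# 229 (|||port|) is the reply to EPSV: a port only, no address.
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(line):
    """Return (mode, ip_or_None, port) if this control-channel line sets up
    a data connection, else None."""
    line = line.strip()
    is_port = line[:5].upper() == "PORT "
    if is_port or line.startswith("227"):
        m = _TUPLE.search(line)
        nums = [int(n) for n in m.groups()] if m else []
        if not nums or max(nums) > 255:
            return None
        ip = ".".join(map(str, nums[:4]))
        return ("active" if is_port else "passive"), ip, nums[4] * 256 + nums[5]
    if line.startswith("229"):
        m = _EPSV.search(line)
        if m and 0 < int(m.group(1)) <= 65535:
            return "passive", None, int(m.group(1))
    return None

def diagnose(line, peer_ip):
    """peer_ip: address the control connection is actually seen coming from.
    An RFC 1918 address announced by a peer seen at a different address means
    a NAT relayed the command without a tracking helper rewriting it."""
    ep = data_endpoint(line)
    if ep is None:
        return "no data-channel setup"
    mode, ip, port = ep
    if ip is None or ip == peer_ip:
        return f"{mode}: data port {port} on {peer_ip}"
    if any(ipaddress.ip_address(ip) in net for net in _RFC1918):
        return f"{mode}: announces private {ip}:{port}, not rewritten by NAT"
    return f"{mode}: announces {ip}:{port}, differs from peer {peer_ip}"

# Constructed sample lines; addresses are documentation/private ranges.
SAMPLES = [("227 Entering Passive Mode (192,168,1,10,195,80)", "203.0.113.5"),
           ("PORT 203,0,113,5,19,137", "203.0.113.5")]
for _line, _peer in SAMPLES:
    print(diagnose(_line, _peer))
```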



