Hi,

I have seen many related posts on ftp problems before, but none seem to be specific to my problem. It has really got me stumped!

I am FTPing from my box on a local network, through a gateway/firewall/masquerading box to the internet, through to a server running zope with ftp on port 21. The server is running an ipfilter firewall, letting all connections out, but only port 80,21,20,443 in. The gateway box is linux running an ipchains firewall which lets every connection out, and it has the ftp masquerading kernel module loaded.

The problem I have is that my ftp client (linux client, running in passive mode), will connect and authenticate to the zope ftp server, but I can't do anything else. If I turn the firewall off on our remote server, then ftp works fine. However, if I turn the firewall back on, but ftp from our gateway rather than my box behind the gateway, then ftp also works fine. Also, if I turn off the zope server, and run a standard ftpd daemon on port 21 on our remote server, I can ftp to it fine with the firewall turned on.

So the problem is specific to zope+firewall+masquerading. Remove either one of those and it works.

It makes me think that the ftp server in zope doesn't work in passive mode as it should?

Any ideas?

--
Terry Kerr (terry@adroit.net)
Adroit Internet Solutions (www.adroit.net)
Phone: +61 3 9563 4461
Fax: +61 3 9563 3856
ICQ: 79303381
Hi Terry

On Fri, Aug 10, 2001 at 10:23:32AM +1000, Terry Kerr wrote:
> Hi,
> [...]
> I am FTPing from my box on a local network, through a gateway/firewall/masquerading box to the internet, through to a server running zope with ftp on port 21. The server is running an ipfilter firewall, letting all connections out, but only port 80,21,20,443 in. The gateway box is linux running an ipchains firewall which lets every connection out, and it has the ftp masquerading kernel module loaded.
Here is the key. The zope server ipfilter only lets specific ports in.
> The problem I have is that my ftp client (linux client, running in passive mode), will connect and authenticate to the zope ftp server, but I can't do anything else. If I turn the firewall off on our remote server, then ftp works fine. However, if I turn the firewall back on, but ftp from our gateway rather than my box behind the gateway, then ftp also works fine. Also, if I turn off the zope server, and run a standard ftpd daemon on port 21 on our remote server, I can ftp to it fine with the firewall turned on.
>
> So the problem is specific to zope+firewall+masquerading. Remove either one of those and it works.
>
> It makes me think that the ftp server in zope doesn't work in passive mode as it should?
Passive mode requires that the FTP server let in any connections on high ports because your client will attempt to connect to a high port to get data (such as file listings and file contents). The weird part is that the other ftp daemon should accept connections where zope wouldn't. Are you sure you are really using passive mode all the time?

Check with tcpdump or some other eavesdropping facility which connections are being attempted.

In an active mode ftp session you should see as follows:

* your ftp client starts a tcp connection to port 21 of the ftp server, authenticates and issues a request, such as file listing or transfer.
* the ftp server starts a tcp connection (usually from port 21) to a high port on your machine (on a masqueraded box, that only works if you have ftp module loaded) to transfer the data from the request.

In passive mode what happens is:

* your ftp client starts a tcp connection to port 21 of the ftp server, authenticates and issues a request, such as file listing or transfer.
* your ftp client starts a tcp connection to a high port on the server to receive the data.

Check out where packets are actually getting to and you will know who is blocking the traffic.

Regards, Leo
Participants (2): Leonardo Rochael Almeida, Terry Kerr
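
Added example (not part of the original thread or either participant's code): a Python sketch of the check Leo suggests, reading the FTP control channel to see which side opens each data connection and whether a passive-mode port would pass the server's inbound rule of 80, 21, 20, 443. The session lines, addresses and function names are constructed for illustration.

```python
import re

# Inbound TCP ports the server-side firewall in the thread lets in.
ALLOWED_INBOUND = {80, 21, 20, 443}

# RFC 959 host-port form h1,h2,h3,h4,p1,p2 used by PORT and by the 227 reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) announced in a PORT command or a 227 reply."""
    m = HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_channels(control_lines, allowed_inbound=ALLOWED_INBOUND):
    """Classify data connections; control_lines is (sender, text), sender C or S."""
    found = []
    for sender, text in control_lines:
        if sender == "C" and text.upper().startswith("PORT "):
            ip, port = parse_hostport(text)
            # Active: the server opens the connection, so the server's inbound
            # filter is not involved; the masquerading gateway has to forward it.
            found.append({"mode": "active", "opened_by": "server", "ip": ip,
                          "port": port, "passes_server_inbound": None})
        elif sender == "S" and text.startswith("227"):
            ip, port = parse_hostport(text)
            # Passive: the client connects in to the port the server announced.
            found.append({"mode": "passive", "opened_by": "client", "ip": ip,
                          "port": port,
                          "passes_server_inbound": port in allowed_inbound})
    return found


# Constructed control-channel excerpts (documentation/private addresses).
PASSIVE_SESSION = [("C", "PASV"),
                   ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
                   ("C", "LIST")]
ACTIVE_SESSION = [("C", "PORT 10,0,0,5,4,1"), ("S", "200 PORT command successful."),
                  ("C", "LIST")]

if __name__ == "__main__":
    for row in data_channels(PASSIVE_SESSION) + data_channels(ACTIVE_SESSION):
        print(row)
```

Feeding it the control-channel lines seen in a tcpdump capture shows whether the session is really passive and which port the data connection will target.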