Zope, FTP, and Remote Access Alternatives
Hi. An increasing number of our associates are experiencing NAT related FTP issues with Zope. A second emerging problem is a requirement in some environments to use SSH/Secure FTP for server access.

We have not had good results in surmounting these issues: sometimes passive FTP is a solution, sometimes not; moving one side out of the firewall is not an option usually; and we cannot open a large hole in our firewall to open a randomly chosen data port (assuming I'm understanding the problem correctly). SSH/SFTP only seems to add to the complexity.

We have had mixed results with WebDAV. The external Editor product works great; it is difficult to convince our Dreamweaver-centric developers even to try it.

Are these issues being considered in upcoming versions of Zope? What about alternatives to FTP file access? Also, why do these NAT-related problems not seem to be issues with standard FTP servers like proftpd or the MS FTP server, which we use for our static websites?

Many questions... Any general thoughts on handling this would be appreciated.

Thanks.

Harlow Pinson
Indepth Learning
Email: hpinson@indepthl.com
Web: http://www.indepthl.com
Voice: 505-994-2135
FAX: 208-475-7678
On Thu, May 01, 2003 at 12:03:04PM -0600, hpinson@indepthl.com wrote:
Hi. An increasing number of our associates are experiencing NAT related FTP issues with Zope.
Did you ever get any responses to this? Or find a solution?

I'm finding that I need ftp access to a zope server I work on and I need to do it via ssh tunneling, and I can't get it to work. Based on your message I wonder if it's because I'm connecting to a NATted IP. What were the problems you had? You never really said.

I find that I can make a connection but "ls" either gives connection refused or never returns. In the examples below, I use 99.99.99.99 and 88.88.88.88 as stand-ins for the actual IPs I'm using.

First I try a server that I access via a NATted address. I have this in my ~/.ssh/config (with the real remote IP of course):

    Host 88.88.88.88
        LocalForward 18021 localhost:8021

Now I can make an ftp connection to localhost on 18021:

    $ ftp -p localhost 18021
    Connected to localhost.
    220 dev-zope-knox01 FTP server (Medusa Async V1.21 [experimental]) ready.
    500 'AUTH': command not understood.
    SSL not available
    331 Password required.
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> user
    (username) paulw
    331 Password required.
    Password:
    230 Login successful.
    ftp> ls
    227 Entering Passive Mode (127,0,0,1,178,158)
    ftp: connect: Connection refused
    ftp>

Two odd things there:

1) Why do I get a "Login successful" before I've provided a username?
2) Why do I get "Connection refused" when doing an ls?

OK, so I try another system. This one uses a non-NATted IP. In this case I get prompted for username right away, but ls never returns. First I set up the tunnel:

    ssh -L 18021:99.99.99.99:8721 99.99.99.99

    $ ftp -p localhost 18021
    Connected to localhost (127.0.0.1).
    220 prod-realserver-knox01 FTP server (Medusa Async V1.21 [experimental]) ready.
    Name (localhost:pwinkler): paulw
    331 Password required.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (99,99,99,99,165,173)
    ftp: connect: Connection timed out
    ftp>

-- 
Paul Winkler
home: http://www.slinkp.com
"Muppet Labs, where the future is made - today!"
On Tue, May 27, 2003 at 08:22:56AM -0400, Paul Winkler wrote: (snip)
I find that I can make a connection but "ls" either gives connection refused or never returns.
Duh. Both of these connections go through firewalls. The firewalls only allow specific ports to be used, so neither a PASV nor a PORT command from the client will work.

http://www.dreamwvr.com/ssh-faq/ssh-faq-4.html#ss4.8
"This ... will not work through a firewall."

So is it completely impossible to tunnel ftp over ssh through a firewall? Bloody hell.

-- 
Paul Winkler
http://www.slinkp.com
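Added example, not part of the original thread: it decodes the two 227 replies quoted in the sessions above and shows that neither data endpoint is covered by the single forwarded port 18021, which matches the "Connection refused" and "Connection timed out" results. The function names and status labels are illustrative assumptions.

```python
import ipaddress
import re

# 227 reply carries (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 passive-mode reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_path(reply, local_forwards):
    """Classify where the client's data connection will go.

    local_forwards: local ports bound by ssh -L / LocalForward.
    """
    host, port = parse_pasv(reply)
    if ipaddress.ip_address(host).is_loopback:
        if port in local_forwards:
            return host, port, "tunnelled"
        # No local listener on this port, so the connect is refused.
        return host, port, "unforwarded-local"
    # The client dials the server directly: the data channel is outside
    # the SSH session (unencrypted) and subject to the firewall's rules.
    return host, port, "direct-bypasses-tunnel"


# The two replies quoted in the thread; 18021 is the only forwarded port.
THREAD_REPLIES = [
    "227 Entering Passive Mode (127,0,0,1,178,158)",
    "227 Entering Passive Mode (99,99,99,99,165,173)",
]

if __name__ == "__main__":
    for line in THREAD_REPLIES:
        print(line, "->", data_path(line, {18021}))
```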