Re: [Zope] FTP server hangs on ls, put, get, ...
On Tue, 30 Sep 2003 15:02:39 -0400, Paul Winkler <pw_lists@slinkp.com> is reputed to have said:
> Is the server behind a firewall? I've never been able to get ftp working through a firewall.

Yes, it is. I've got Zope's FTP running on 8021 and that port in the firewall is open.

Hmmm... I just tried turning off the firewall entirely, and FTP works. So maybe it's a firewall issue and not a Zope issue after all. My commercial service provider for a different Zope site I manage (Zettai.net) has FTP working, and they're very security conscious, so they must have figured out how to make it work.

If anyone listening can tell me what firewall rules I'll need, I'd be grateful. Since it's no longer a Zope-specific issue, maybe you should just email me off-list.

Thanks,

..Ian Beatty

--
Dr. Ian Beatty, webmaster@physics.umass.edu
Webmaster, Department of Physics, voice: 413.545.9483
Univ. of Massachusetts, fax: 413.545.4884
Amherst, MA 01003-4525 USA
http://www.physics.umass.edu/

On Wed, Oct 01, 2003 at 10:33:43AM -0400, Ian Beatty wrote:
> On Tue, 30 Sep 2003 15:02:39 -0400, Paul Winkler <pw_lists@slinkp.com> is reputed to have said:
> > Is the server behind a firewall? I've never been able to get ftp working through a firewall.
> Yes, it is. I've got Zope's FTP running on 8021 and that port in the firewall is open.
> Hmmm... I just tried turning off the firewall entirely, and FTP works. So maybe it's a firewall issue and not a Zope issue after all. My commercial service provider for a different Zope site I manage (Zettai.net) has FTP working, and they're very security conscious, so they must have figured out how to make it work.
> If anyone listening can tell me what firewall rules I'll need, I'd be grateful. Since it's no longer a Zope-specific issue, maybe you should just email me off-list.

Well, I think this is relevant to zope... I'd be very curious to know what zettai does since I've never been able to get it to work. I seem to recall that my problems were compounded by the address in question being NATted. Don't remember for sure.

The problem is that ftp is a stupid protocol that uses two ports, and you never know ahead of time what the second port is going to be, so you can't tell the firewall what port(s) to leave open for ftp. Some people suggest "passive mode" on the client but that doesn't help: it just means that the client, not the server, determines what the second port will be.

This document may help: http://slacksite.com/other/ftp.html

--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's POSITRONICMEGAPOODLE TEACHER TAMBOURINE!
(random hero from isometric.spaceninja.com)

On Wednesday 01 October 2003 19:02, Paul Winkler wrote:
> On Wed, Oct 01, 2003 at 10:33:43AM -0400, Ian Beatty wrote:
> > On Tue, 30 Sep 2003 15:02:39 -0400, Paul Winkler <pw_lists@slinkp.com> is reputed to have said:
> > > Is the server behind a firewall? I've never been able to get ftp working through a firewall.
> > Yes, it is. I've got Zope's FTP running on 8021 and that port in the firewall is open.
> > Hmmm... I just tried turning off the firewall entirely, and FTP works. So maybe it's a firewall issue and not a Zope issue after all. My commercial service provider for a different Zope site I manage (Zettai.net) has FTP working, and they're very security conscious, so they must have figured out how to make it work.
> > If anyone listening can tell me what firewall rules I'll need, I'd be grateful. Since it's no longer a Zope-specific issue, maybe you should just email me off-list.
> Well, I think this is relevant to zope... I'd be very curious to know what zettai does since I've never been able to get it to work. I seem to recall that my problems were compounded by the address in question being NATted. Don't remember for sure.
> The problem is that ftp is a stupid protocol that uses two ports, and you never know ahead of time what the second port is going to be, so you can't tell the firewall what port(s) to leave open for ftp. Some people suggest "passive mode" on the client but that doesn't help: it just means that the client, not the server, determines what the second port will be.
> This document may help: http://slacksite.com/other/ftp.html

The description is correct (FTP uses several ports) and the usual solution involves an FTP proxy in conjunction with a range of ports that are allowed for its use. Thus you need:

- firewall that allows connecting to ports 20, 21 and some other range (let's say 55000-58000)
- an FTP proxy that is told to use this extra range for its connections.
- possibly a port redirection to the proxy

And yes, FTP is a stupid (and insecure) protocol...

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
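
An added example, not part of the original thread or of Zope: a Python check that decodes the data-channel address and port carried in a `PORT` command or a `227` passive-mode reply (RFC 959) and reports why a firewall or NAT would stall `ls`, `put` and `get` while login still works. The 55000-58000 range is the illustrative one from the last message; the function names, sample lines and addresses are constructed for this example.

```python
import re
from ipaddress import ip_address

# Assumed data-port range, taken from the 55000-58000 example in the thread.
ALLOWED_RANGE = range(55000, 58001)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Extract (ip, port) from a PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {line!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {line!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port travels as two bytes, high byte first
    return ip, port


def check_data_channel(line, peer_ip, allowed=ALLOWED_RANGE):
    """List reasons the data connection would fail; peer_ip is the control-connection address."""
    ip, port = parse_hostport(line)
    problems = []
    if port not in allowed:
        problems.append(f"data port {port} outside allowed range "
                        f"{allowed.start}-{allowed.stop - 1}")
    if ip != peer_ip:
        kind = "private " if ip_address(ip).is_private else ""
        problems.append(f"advertised {kind}address {ip} differs from "
                        f"control-connection peer {peer_ip} (NAT)")
    return problems


if __name__ == "__main__":
    # Constructed control-channel lines using private and documentation addresses.
    samples = [
        ("227 Entering Passive Mode (192,168,1,10,215,217)", "203.0.113.5"),
        ("227 Entering Passive Mode (203,0,113,5,130,7)", "203.0.113.5"),
        ("PORT 198,51,100,7,217,3", "198.51.100.7"),
    ]
    for line, peer in samples:
        print(line, "->", check_data_channel(line, peer) or "ok")
```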