[Zope-dev] ZServer Ftp Active mode through firewall

Kent Polk kent@goathill.org
17 May 2000 22:41:33 GMT


I believe we discovered a problem with ZServer's ftp server.
(Zope 2.1.6)

I posted the following to the collector:
http://classic.zope.org:8080/Collector/1257/view

Has anyone else seen this problem?

----------------------
It appears that ZServer's active ftp mode may be broken, but probably 
is only noticed when used in conjunction with a firewall.  Ftp 
Passive mode operates as expected and active mode operates as long
as there is no firewall. 

Observations (Active mode):
- client connects, instructs server regarding data port to use.
- server appears to never send port 20 reply to client, which is
  required by the firewall to know that the data port needs to be
  opened.
- client waits on data port. If no firewall, the connection is
  made. If firewall is blocking high port numbers, the firewall 
  never is instructed to open the data port which is indicated by 
  the server port 20 response (that is never sent), so no connection
  is made.

I saw a number of discussions regarding this topic that indicated
that improper DNS configuration was causing the problem. However,
this is not the problem in our case. We first noticed that all
passive (PASV) mode ftp clients worked correctly, then noticed that
all ftp clients on the same subnet or outside the firewall worked
correctly, then noticed that active clients inside the firewall
were never receiving the port 20 response and that the firewall
was blocking the data port from the server.

Comments?
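
A client-side check for the behaviour reported above, added here as an example (it is not part of the original message and not ZServer code): it runs an active-mode LIST through Python's ftplib and returns the source port the server's data connection came from, which RFC 959 puts at 20 for a server listening on 21. The stub server, its replies and all function names are constructed so the check can be run offline.

```python
import ftplib
import socket
import threading

FTP_DATA_PORT = 20  # RFC 959: server data connections originate from control port - 1

def active_data_source_port(host, port=21, user="anonymous", passwd="", timeout=5):
    """Active-mode LIST; return the server's data source port, or None if none arrived."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, passwd)
        ftp.set_pasv(False)                     # active mode: the client listens
        try:
            conn, _ = ftp.ntransfercmd("LIST")  # sends PORT and LIST, then accept()s
        except socket.timeout:
            return None                         # nothing reached the data port
        with conn:
            return conn.getpeername()[1]
    finally:
        ftp.close()

def start_stub_server(src_port=0):
    """Constructed one-session FTP stub (not ZServer code); returns its control port.
    src_port: 0 = ephemeral source port, None = never open the data connection."""
    lsock = socket.create_server(("127.0.0.1", 0))
    def session():
        ctrl, _ = lsock.accept()
        say = lambda s: ctrl.sendall((s + "\r\n").encode())
        say("220 stub ready")
        target = data = None
        for line in ctrl.makefile("r", newline=""):
            verb, _, arg = line.strip().partition(" ")
            if verb == "PORT":                  # argument is h1,h2,h3,h4,p1,p2
                n = [int(x) for x in arg.split(",")]
                target = (".".join(map(str, n[:4])), n[4] * 256 + n[5])
                say("200 PORT ok")
            elif verb == "LIST":
                say("150 opening data connection")
                if src_port is not None:
                    data = socket.create_connection(target, source_address=("127.0.0.1", src_port))
            else:
                say("230 ok")                   # USER and anything else
        for s in (data, ctrl, lsock):
            if s is not None:
                s.close()

    threading.Thread(target=session, daemon=True).start()
    return lsock.getsockname()[1]
```

Run from a client inside the firewall, a result of None corresponds to the symptom described in the post, and any value other than FTP_DATA_PORT will not match filter rules keyed on the ftp-data source port.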