[Zope] Cannot get file listing via Zope FTP on Windows 2000 Server

Sascha Welter welter@network-ag.com
Thu, 6 Feb 2003 22:33:28 +0100


On Tuesday, 04.02.03, at 20:23 (Europe/Zurich), Michael LaPera wrote:

> According to my FTP log my FTP clients can login just fine, but cannot 
> get a file listing. I get a dialog that says "Connection refused 
> (ECONNREFUSEDErr) (-3260)".  The user that I am logging in as has Full 
> access to the entire site.  Their IT staff is redirecting traffic from 
> an external IP address to an internal IP address (they assure me that 
> there is no port filtering/fire-walling going on).  I have tried 
> active and passive ftp.  The port is set to 8021. I can see the port 
> from my machine.

Michael,

ftp is not behaving when both sides are behind Firewalls and NAT. They 
are using NAT, and I guess you are behind a firewall. (NAT - Network 
Address Translation -- is the "redirecting" thingy their IT staff is 
using, which in this case has the same effect as a firewall). The 
problem is that one of the sides has to open an arbitrary port and tell 
the other side that port number to connect to. 8021 is just the 
"command" port of ftp.

If the client is behind a firewall, they have to use passive mode, 
which means the server has to open that "other" port. If the client is 
on active mode, this means she is opening the "other" port.

What you experience is that both sides are behind a firewall or a NAT. 
Then the ftp "command channel" gets through (you can type commands and 
get replies for them), but the data connection will be blocked by 
whatever side has the responsibility to open an "arbitrary" port. This 
is because the NAT device does not know which machine to forward your 
randomly chosen port for the data connection to. And the firewall (that 
I guess you are behind) does not allow just any connection to a random 
port.

ftp is broken and unsafe.

Suggestions:
- move one side out of the firewall/NAT (not really)
- shoot a big enough hole through your firewall, wherever your ftp 
client is opening those randomly chosen ports (IIRC they're often in 
the range 10000-20000 but I could be totally off) (not really either)
- maybe a ftp proxy "inbetween" the two would work, but I don't really 
know
- use WebDAV, preferably through https, or through an ssh tunnel (but 
the ssh tunnel is probably not possible to a Windows box)

I hope this helped (but I don't really think it did).

Regards,

Sascha


-- 
Sascha Welter           <mailto:welter@network-ag.com>
Network AG              Programmer, Sysop, IT-Support, BOFH
Ruetistrasse 17         Tel. 01 755 40 20
CH-8952 Schlieren       <http://www.network-ag.com>
PGP/GPG ID: E0EAFC8A
067B 60E1 CB03 50CE D781  42E9 A583 AAF4 E0EA FC8A
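
Added example, not part of the original message: a small diagnostic that reads the data-connection endpoint out of a PORT command or a 227 (PASV) reply and compares it with the address seen on the command channel, which is where the NAT problem described above becomes visible. The sample lines and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# A PORT command and a 227 PASV reply both carry the data-connection
# endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
_SIX = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227")):
        return None
    m = _SIX.search(text)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def diagnose(line, control_peer_ip):
    """Say why the data connection announced in this line may fail.

    control_peer_ip is the address the other side sees on the command
    channel: the server's for a 227 reply, the client's for PORT.
    """
    ep = parse_endpoint(line)
    if ep is None:
        return "no data endpoint in this line"
    ip, port = ep
    if ip == control_peer_ip:
        return f"{ip}:{port} matches the control channel; port {port} must still be open or forwarded"
    # is_private is True for RFC 1918 and other non-routable ranges.
    if ipaddress.ip_address(ip).is_private:
        return f"{ip}:{port} is a private address behind NAT; the peer cannot reach it"
    return f"{ip}:{port} differs from control peer {control_peer_ip}; check for NAT or a proxy"


# Constructed sample lines (not taken from the original poster's FTP log).
SAMPLES = [
    ("227 Entering Passive Mode (192,168,1,10,39,16)", "203.0.113.5"),
    ("PORT 10,0,0,7,78,32", "198.51.100.9"),
    ("227 Entering Passive Mode (203,0,113,5,39,17)", "203.0.113.5"),
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print(line, "->", diagnose(line, peer))
```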