[Zope] Cannot get file listing via Zope FTP on Windows 2000 Server
Michael LaPera
michael@lapera.com
Fri, 7 Feb 2003 10:21:26 -0500
Sascha,
Thank you....
Your information is VERY helpful and you are absolutely correct in your
assumptions.
I am behind a double Firewall (using NAT at the router and workstation)
and it makes sense that they would be using NAT to pass through the IP
address. I will try out your suggestions.
Thank you again,
Michael
On Thursday, February 6, 2003, at 04:33 PM, Sascha Welter wrote:
> On Tuesday, 04.02.03, at 20:23 (Europe/Zurich), Michael
> LaPera wrote:
>
>> According to my FTP log my FTP clients can login just fine, but
>> cannot get a file listing. I get a dialog that says "Connection
>> refused (ECONNREFUSEDErr) (-3260)". The user that I am logging in as
>> has Full access to the entire site. Their IT staff is redirecting
>> traffic from an external IP address to an internal IP address (they
>> assure me that there is no port filtering/fire-walling going on). I
>> have tried active and passive ftp. The port is set to 8021. I can
>> see the port from my machine.
>
> Michael,
>
> ftp is not behaving when both sides are behind Firewalls and NAT. They
> are using NAT, and I guess you are behind a firewall. (NAT - Network
> Address Translation -- is the "redirecting" thingy their IT staff is
> using, which in this case has the same effect as a firewall). The
> problem is that one of the sides has to open an arbitrary port and
> tell the other side that port number to connect to. 8021 is just the
> "command" port of ftp.
>
> If the client is behind a firewall, they have to use passive mode,
> which means the server has to open that "other" port. If the client is
> on active mode, this means she is opening the "other" port.
>
> What you experience is that both sides are behind a firewall or a NAT.
> Then the ftp "command channel" gets through (you can type commands and
> get replies for them), but the data connection will be blocked by
> whatever side has the responsibility to open an "arbitrary" port. This
> is because the NAT device does not know which machine to forward your
> randomly chosen port for the data connection to. And the firewall
> (that I guess you are behind) does not allow just any connection to a
> random port.
>
> ftp is broken and unsafe.
>
> Suggestions:
> - move one side out of the firewall/NAT (not really)
> - shoot a big enough hole through your firewall, wherever your ftp
> client is opening those randomly chosen ports (IIRC they're often in
> the range 10000-20000 but I could be totally off) (not really either)
> - maybe a ftp proxy "in between" the two would work, but I don't really
> know
> - use WebDAV, preferably through https, or through an ssh tunnel (but
> the ssh tunnel is probably not possible to a Windows box)
>
> I hope this helped (but I don't really think it did).
>
> Regards,
>
> Sascha
>
>
> --
> Sascha Welter <mailto:welter@network-ag.com>
> Network AG Programmer, Sysop, IT-Support, BOFH
> Ruetistrasse 17 Tel. 01 755 40 20
> CH-8952 Schlieren <http://www.network-ag.com>
> PGP/GPG ID: E0EAFC8A
> 067B 60E1 CB03 50CE D781 42E9 A583 AAF4 E0EA FC8A
>
>
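
An added example, not part of either message in this thread: it parses the address and port that FTP announces for the data connection (the 227 reply to PASV, or the client's PORT command, per RFC 959) and flags an RFC 1918 address that differs from the control connection's peer, which is the NAT failure described in the quoted reply. Function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (IPv4Address, port) announced in a 227 reply or PORT command."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2

def diagnose(line, control_peer):
    """Classify the announced data endpoint against the control channel's peer.

    control_peer: the address the command channel is really connected to
    (the server for a 227 reply; the client as the server sees it for PORT).
    """
    ip, port = parse_hostport(line)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        return "ok", str(ip), port
    if any(ip in net for net in _RFC1918) and not any(peer in net for net in _RFC1918):
        # Internal address leaked through NAT: the other side cannot reach it.
        return "private-address-behind-nat", str(ip), port
    return "address-mismatch", str(ip), port

# Constructed sample lines using documentation addresses, not real logs.
SAMPLES = [
    ("227 Entering Passive Mode (192,168,1,10,39,16)", "203.0.113.5"),
    ("227 Entering Passive Mode (203,0,113,5,39,16)", "203.0.113.5"),
    ("PORT 10,0,0,7,78,32", "198.51.100.20"),
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        verdict, ip, port = diagnose(line, peer)
        print("%-50s -> %s:%d  %s" % (line, ip, port, verdict))
```

A "private-address-behind-nat" verdict means the announced endpoint is unreachable from the other side unless the NAT device rewrites the FTP payload or forwards that port explicitly.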