ftp windoze <- fc3 works fine, ftp fc3 <- fc3 doesn't work? (for me)

Robert Slade fedora at bathnetworks.com
Mon Mar 14 15:33:15 UTC 2005


On Mon, 2005-03-14 at 15:06, Bob Brennan wrote:
> On Mon, 14 Mar 2005 14:23:24 +0000, Paul Howarth <paul at city-fan.org> wrote:
> > Bob Brennan wrote:
> > >>>230 Anonymous login ok, restrictions apply.
> > >>>Remote system type is UNIX.
> > >>>Using binary mode to transfer files.
> > >>
> > >>If, at this point, you use the command "pass off", what happens?
> > >
> > >
> > > BINGO! all commands now work. I need to now research proFTP
> > > configuration, I believe there is a setting regarding PASSIVE MODE.
> > > Let's assume Windoze ftp program runs in passive mode by default(?)
> > 
> > On the contrary, you have turned OFF passive mode, and *that's* the
> > default on Windows.
> 
> yes - you caught me typing without brain-in-gear on that one.
> 
> > > Any security reasons to *not* set up the ftp server to default to
> > > passive mode, or to accept passive mode connections (whichever the
> > > config option is)? I suppose it's not a hardship to tell an FC3 ftp-er
> > > (s)he needs to set passive mode on connection, I can even put it in
> > > the Welcome message. (not that anyone ever reads it...). Setting
> > > "binary" seems to be a better mode than ASCII too, which seems to be a
> > > bad default.
> > 
> > I suspect that there is a problem with NAT at either the client or
> > server end. A special ftp-aware address-conversion filter is needed in
> > the firewall setup to make NAT with ftp work properly.
> 
> An ADSL router does the NAT conversion for me but since I run the main
> server on 10.0.0.10 and an emergency backup server on 10.0.0.11 I
> leave all ports open on the router, switch the NAT setting to "all
> incoming ports go to 10.0.0.[the one I want], and do all firewalling
> on the FC3 box(es).
> 
> But since "pass off" makes FC3 ftp work and Windoze ftp works all the
> time surely neither NAT nor firewalling can be the issue(?)

On the contrary, it indicates that they are. The difference is that in
passive mode the data transfer takes place between high-numbered ports,
with the 'normal' ftp port (21) acting as a control. It is almost
certain that your firewall/NAT setup is not handling these correctly. In
active mode (passive off) the data is handled differently. Have a
search on the web for passive ftp and firewalls; there are a lot of
tutorials about it.
> 
> > >>>ftp> ls
> > >>>227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx).
> > >>>ftp: connect: No route to host
> > >>
> > >>Is there a layer of network address translation going on between client
> > >>and server?
> > >
> > >
> > > The symptoms are the same using an identical FC3 machine on the same
> > > LAN, from machine 10.0.0.11 to machine 10.0.0.10
> > 
> > If you're actually using addresses 10.x.x.x, you could show the
> > addresses in use in the ftp dialogs instead of "x"ing them out. If the
> > address shown as "xxx"s in:
> > 
> > 227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx)
> > 
> > does not look like a 10.x.x.x address then the server does not think
> > it's talking to a machine at 10.x.x.x and hence sends the response to
> > the wrong place.
> 
> At the moment I am ftping the server from miles-away hence the x's
> would have revealed the real external IP of my server. The point I was
> trying to make with the tests from 10.0.0.11 is that it made no
> difference there or remotely - Windoze worked but FC3 would not.

I would say that the Windows firewall has the high-numbered ports open,
but the FC3 box, being more secure, does not.
> 
> But all will be well now once I configure proFTP to accept passive
> mode (but I won't do that if it breaks the Windoze access) and/or warn
> the user to use passive mode and binary just after connecting. At
> least Linux users will be savvy enough (one hopes) to know what
> entering "pass off" means.

ISTR that proFTP does have passive mode active out of the box; the pass
off is telling it to use active mode.

Rob
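The diagnostic Paul suggests above (compare the address inside the "227 Entering Passive Mode" reply with the address you actually connected to) can be automated. The following is an added example, not code from the thread or from proFTPD; the sample replies and peer addresses are constructed, and the TEST-NET address 198.51.100.7 stands in for "some remote client".

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)" where the data port is p1*256+p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str):
    """Return (ip, port) advertised in a 227 reply, or None if it is malformed
    (including the x'd-out form quoted in the thread)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def diagnose_pasv(reply: str, control_peer: str) -> dict:
    """Flag the NAT symptom from the thread: the data address the server
    advertises does not match the address the control connection went to.
    control_peer is the server address the client dialled on port 21."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return {"ok": False, "address": None, "port": None,
                "findings": ["malformed 227 reply"]}
    adv_ip, port = parsed
    findings = []
    if ipaddress.ip_address(adv_ip) != ipaddress.ip_address(control_peer):
        findings.append(
            "advertised data address differs from the control-connection peer; "
            "a NAT box or missing masquerade address is the usual cause")
    if port < 1024:
        findings.append("data port below 1024 is not a normal passive-mode port")
    return {"ok": not findings, "address": adv_ip, "port": port,
            "findings": findings}


if __name__ == "__main__":
    # Constructed examples: LAN client talking to 10.0.0.10, then a remote client.
    print(diagnose_pasv("227 Entering Passive Mode (10,0,0,10,195,80).", "10.0.0.10"))
    print(diagnose_pasv("227 Entering Passive Mode (10,0,0,10,195,80).", "198.51.100.7"))
```

A clean result on the LAN but a mismatch from outside means the server is handing out its internal 10.x address to remote clients, which is exactly the "No route to host" seen in the thread.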