ftp windoze <- fc3 works fine, ftp fc3 <- fc3 doesn't work? (for me)

Bob Brennan rbrennan96 at gmail.com
Mon Mar 14 16:04:37 UTC 2005


On Mon, 14 Mar 2005 15:33:15 +0000, Robert Slade
<fedora at bathnetworks.com> wrote:
> On Mon, 2005-03-14 at 15:06, Bob Brennan wrote:
> > On Mon, 14 Mar 2005 14:23:24 +0000, Paul Howarth <paul at city-fan.org> wrote:
> > > Bob Brennan wrote:
> > > >>>230 Anonymous login ok, restrictions apply.
> > > >>>Remote system type is UNIX.
> > > >>>Using binary mode to transfer files.
> > > >>
> > > >>If, at this point, you use the command "pass off", what happens?
> > > >
> > > >
> > > > BINGO! all commands now work. I need to now research proFTP
> > > > configuration, I believe there is a setting regarding PASSIVE MODE.
> > > > Let's assume Windoze ftp program runs in passive mode by default(?)
> > >
> > > On the contrary, you have turned OFF passive mode, and *that's* the
> > > default on Windows.
> >
> > yes - you caught me typing without brain-in-gear on that one.
> >
> > > > Any security reasons to *not* set up the ftp server to default to
> > > > passive mode, or to accept passive mode connections (whichever the
> > > > config option is)? I suppose it's not a hardship to tell an FC3 ftp-er
> > > > (s)he needs to set passive mode on connection, I can even put it in
> > > > the Welcome message. (not that anyone ever reads it...). Setting
> > > > "binary" seems to be a better mode than ASCII too, which seems to be a
> > > > bad default.
> > >
> > > I suspect that there is a problem with NAT at either the client or
> > > server end. A special ftp-aware address-conversion filter is needed in
> > > the firewall setup to make NAT with ftp work properly.
> >
> > An ADSL router does the NAT conversion for me but since I run the main
> > server on 10.0.0.10 and an emergency backup server on 10.0.0.11 I
> > leave all ports open on the router, switch the NAT setting to "all
> > incoming ports go to 10.0.0.[the one I want], and do all firewalling
> > on the FC3 box(es).
> >
> > But since "pass off" makes FC3 ftp work and Windoze ftp works all the
> > time surely neither NAT nor firewalling can be the issue(?)
> 
> On the contrary it indicates that they are. The difference being that in
> passive mode the data transfer takes place between high number ports
> with the 'normal' ftp port (21) acting as a control. It is almost
> certain that your firewall/nat setup is not handling these correctly. In
> the active mode (passive off) the data is handled differently. Have a
> search on the web for passive ftp and firewalls; there are a lot of
> tutorials about it.
> >
> > > >>>ftp> ls
> > > >>>227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx).
> > > >>>ftp: connect: No route to host
> > > >>
> > > >>Is there a layer of network address translation going on between client
> > > >>and server?
> > > >
> > > >
> > > > The symptoms are the same using an identical FC3 machine on the same
> > > > LAN, from machine 10.0.0.11 to machine 10.0.0.10
> > >
> > > If you're actually using addresses 10.x.x.x, you could show the
> > > addresses in use in the ftp dialogs instead of "x"ing them out. If the
> > > address shown as "xxx"s in:
> > >
> > > 227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx)
> > >
> > > does not look like a 10.x.x.x address then the server does not think
> > > it's talking to a machine at 10.x.x.x and hence sends the response to
> > > the wrong place.
> >
> > At the moment I am ftping the server from miles-away hence the x's
> > would have revealed the real external IP of my server. The point I was
> > trying to make with the tests from 10.0.0.11 is that it made no
> > difference there or remotely - Windoze worked but FC3 would not.
> 
> I would say that the Windows firewall has the high number ports open,
> but the FC3 box being more secure does not.
> >
> > But all will be well now once I configure proFTP to accept passive
> > mode (but I won't do that if it breaks the Windoze access) and/or warn
> > the user to use passive mode and binary just after connecting. At
> > least Linux users will be savy enough (one hopes) to know what
> > entering "pass off" means.
> 
> ISTR that proFTP does have passive mode active out of the box; the pass
> off is telling it to use active mode.
> 
> Rob

Excellent! Thanks Rob - once one knows what to Google one can be enlightened...

http://slacksite.com/other/ftp.html is a good tutorial.

That answers all previous questions - but opens a new one, at least in
my mind. Is it more secure to restrict ftp to Active mode only (hope I
got it right way round this time Paul!) or to open all ports > 1024 so
that Passive mode can be used? I always thought having ports open like
that is a Bad Idea. I also note that the above reference link says
that most ftp servers allow the admin to specify a _range_ of
underprivileged(?) ports to be used, presumably one must then open the
firewall to those ports.

The document seems to say that Passive mode is there only to support
clients that can't open their own ports > 1024, which is an Active Mode
requirement. I'm not sure if I'm more or less confused now than before
- other than now knowing what the problem(s) is and how to get around
it.

bob
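An added example for this thread (it is not code from the fedora-list posters, ProFTPD or the slacksite tutorial): the two sides of the data-channel negotiation the thread is about, in Python. parse_pasv_reply() decodes the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line the server sends, build_port_command() produces the PORT line an active-mode ("pass off") client sends instead, passive_data_target() applies Paul's check that the advertised address is the one you are actually connected to (falling back to the control connection's peer, as curl's --ftp-skip-pasv-ip does, when a NAT box has let the internal 10.x address leak through), and port_in_passive_range() checks an advertised port against the restricted range the slacksite page describes (ProFTPD's PassivePorts directive). The 10.0.0.10 address is the server from the thread; the 192.0.2.7 external address, the 49152-65534 range and data port 50000 are constructed for the demo and are assumptions, not anything the thread states.

```python
"""FTP data-channel addressing, active vs passive (RFC 959).

Added example for the fedora-list thread above; not code from the
posters, ProFTPD or the slacksite tutorial. All replies, addresses and
port numbers below are constructed for the demo.
"""
import ipaddress
import re
from typing import Optional, Tuple

# RFC 959 packs an IPv4 address and a 16-bit port into six decimal bytes,
# h1,h2,h3,h4,p1,p2, with port = p1*256 + p2. The same encoding is used in
# the client's PORT command (active mode) and the server's 227 reply
# (passive mode); only the direction of the data connection differs.
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'

    Returns (ip, port) that the server wants the client to connect to for
    the data channel. Raises ValueError for anything that is not a
    well-formed 227 reply, so a '425' or a garbled line never turns into a
    connection attempt to a bogus address.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _HOSTPORT.search(reply)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {reply!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server advertised data port 0")
    return ip, port


def build_port_command(ip: str, port: int) -> str:
    """Active mode ('pass off' in the thread): the client listens on an
    ephemeral port and tells the server where with PORT; the server then
    connects back from its port 20. This is why active mode needs the
    *client* to accept an inbound connection on a port > 1023."""
    addr = ipaddress.IPv4Address(ip)  # validates the dotted quad
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(addr).split(".")
    return "PORT {},{},{}".format(",".join(octets), port // 256, port % 256)


def passive_data_target(reply: str, control_peer: str) -> Tuple[str, int, Optional[str]]:
    """Decide where to open the passive data connection.

    Paul's check from the thread: if the address in the 227 reply is not
    the address the control connection actually goes to, the server (or
    the NAT box in front of it) has advertised an address that is useless
    to this client. Fall back to the control peer, as curl's
    --ftp-skip-pasv-ip does, and say why. Returns (ip, port, warning).
    """
    adv_ip, port = parse_pasv_reply(reply)
    adv = ipaddress.IPv4Address(adv_ip)
    peer = ipaddress.IPv4Address(control_peer)
    if adv == peer:
        return adv_ip, port, None
    if adv.is_private:
        why = (f"server advertised RFC 1918 address {adv_ip} but we reached it "
               f"at {control_peer}: NAT without an FTP helper or MasqueradeAddress")
    else:
        why = f"server advertised {adv_ip}, control connection peer is {control_peer}"
    return control_peer, port, why


def port_in_passive_range(port: int, low: int, high: int) -> bool:
    """True if the advertised data port is inside the server's configured
    passive range (ProFTPD: 'PassivePorts low high'). Only that range, plus
    port 21, has to be accepted inbound by the server-side firewall; a port
    outside it means the server and firewall configs disagree."""
    if not (1 <= low <= high <= 65535):
        raise ValueError("bad passive range")
    return low <= port <= high


if __name__ == "__main__":
    # Constructed walkthrough: server 10.0.0.10 behind NAT, assumed external
    # address 192.0.2.7 (documentation range), assumed data port 50000.
    reply = "227 Entering Passive Mode (10,0,0,10,195,80)."
    print(parse_pasv_reply(reply))
    print(passive_data_target(reply, "10.0.0.10"))   # LAN client: fine
    print(passive_data_target(reply, "192.0.2.7"))   # remote client: NAT leak
    print(build_port_command("10.0.0.11", 50000))
    print(port_in_passive_range(50000, 49152, 65534))
```

Run it directly for the printed walkthrough. The practical upshot for the question in the post: with a range such as "PassivePorts 49152 65534" in proftpd.conf the server-side firewall only needs to accept inbound TCP on that range plus port 21, not everything above 1024, and on the NAT box the ip_conntrack_ftp (later nf_conntrack_ftp) helper is what lets it follow the 227/PORT exchange and rewrite the advertised address, which is the "special ftp-aware address-conversion filter" Paul mentions.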



