Does firewall mix with ip in ftp pasv?
Kid
Guest

Posted: Thu Jan 13, 2005 9:02 pm    Post subject: Does firewall mix with ip in ftp pasv?

Hello all,

It seems that some networks can't use passive ftp with our ftp-server.
My question is this:
When using passive ftp, does it matter if the CLIENT is behind a
firewall or not?

I have three different computer networks:

Network A contains:
A firewall on computer A:1.
An ftp-server (wu-ftp 2.6.2) on computer A:2 partly behind the
firewall.

Network B contains:
No firewall. A computer B:1

Network C contains:
A firewall. A computer C:1 behind the firewall.


B:1 has no problem fetching files from A:2 using passive ftp. It
connects to ftp-address ftp.A.com, which leads to the firewall A:1.
The firewall correctly directs this to A:2.
When B:1 issues a PASV command it gets:
227 Entering Passive Mode (A:2's IP,some,port)
Note that it's A:2's IP, the ftp-server.

When C:1 does the same thing the connection resets.
There is no problem logging in, but when it tries to fetch a file
using passive mode the connection is reset.
What happens is that when C:1 issues a PASV command it gets:
227 Entering Passive Mode (A:1's IP,some,port)
Note that it's A:1's IP, the firewall!
The firewall probably doesn't let any communication through the port
(some high port), and resets the connections.

Who is responsible for writing A:1 or A:2 in the "227 Entering Passive
Mode" message? Is it possible that C's firewall changes A:2 to A:1, in
the 227 message, because the initial connection to ftp.A.com is to
A:1??

I know that the explanation of the problem isn't very clear.
I'm a newbie when it comes to networks and firewalls, so pardon me if the
question is silly.
Thanks for having read my post this far!

Thankful for any kind of help or hints.
/Kid
henry
Guest

Posted: Fri Jan 14, 2005 1:56 am    Post subject: Re: Does firewall mix with ip in ftp pasv?

If you are running an FTP server behind a firewall/NAT, AND the client
who is trying to connect is also behind NAT, it won't work. Put your FTP
server on a public IP or switch to sftp/scp(ssh protocol).

Il Padrino
Guest

Posted: Fri Jan 14, 2005 9:59 am    Post subject: Re: Does firewall mix with ip in ftp pasv?

* On 14 Jan 2005 00:04:36 -0800, bo_kid@yahoo.com wrote:
Quote:
Thanks for the information Henry. Suspected it had something to do with
the firewalls, but didn't know what.

Passive mode was invented only so that FTP clients could be used behind
firewalls that do not allow inbound connections from ftp servers in the
outside world. It's a good thing.

Quote:
If you have some time to kill, could you please explain why it's not
possible to use FTP when both the server and the client are behind a
NAT?

This is not true. However, if you have a crappy firewall that doesn't
have a module to re-write the PORT command you may suffer. Take Linux
for example: it has an FTP module which allows it to "look at" ftp
connections and modify the PORT command made by the client so that
active mode ftp works in a NAT environment. There are many protocols
that don't like NAT, like Oracle's SQL*NET, the DCC protocol for IRC, etc.
All of these require special modules to allow these connections to
work. In the Windows world you have proxy servers which contain extra
plugins.

FTP in a NATted environment where you are performing an active mode
connection only requires that the firewall at the client end of the
connection allow a connection in from port 20 (ftp-data). You would
expect the firewall at the server end of the connection to allow this
(as well as the original port 21 connection inbound) since it's a server
after all and there would be no point putting a server behind a firewall
that hampers it. FTP issues are nearly ALWAYS to do with the
firewall at the client side of the connection. Some companies block even
the original control connection.


Any more questions let me know.

S.
Guest

Posted: Fri Jan 14, 2005 1:04 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

Thanks for the information Henry. Suspected it had something to do with
the firewalls, but didn't know what.

If you have some time to kill, could you please explain why it's not
possible to use FTP when both the server and the client are behind a
NAT?
Is this only for passive FTP or does active FTP work with this
configuration? I'm just curious.

Thanks a bunch for your help!
/Kid


Il Padrino
Guest

Posted: Fri Jan 14, 2005 2:10 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

* On 14 Jan 2005 06:01:30 -0800, bo_kid@yahoo.com wrote:
Quote:

Yes, that's why we use passive mode ftp. But I still don't know why it
doesn't work, or might not work, when both ends use firewalls/NAT?
I'll turn on the debugging on the ftp-server and look some more at the
logs.

Ok. Define not working. You get a login prompt? What happens if you make
the FTP connection manually using "telnet host-name 21"? Can you connect?
If not, this has nothing to do with the FTP client or server but it's due
to your firewall blocking outbound TCP port 21.

Quote:

...for example it has an FTP module which allows it to "look at" ftp
connections and modify the PORT command made by the client so that
active mode ftp works in a NAT environment.

Can you use these "modules" (what are they?) with PASV command to
modify the command/address coming from the server as well?

One such module is ip_conntrack_ftp that needs to be loaded on a linux
system using the netfilter firewalling code within the kernel (user
space program iptables). This allows for active mode to work (PORT
command) in a NAT'd environment and also saves you having to write
incoming rules to match the active inbound TCP connection that will
result.

Quote:
Any more questions let me know.

I have a lot of them! But I think I'll have to spend some more time
thinking over your reply and looking at the logs before I can ask you a
clever question.
As I said before, I'm still learning to crawl when it comes to
networking.

If you have access to a machine in between server and client you can try
using tcpdump to debug the connection. This will always tell you, as you
get to see what exactly is going over the wire (or not) and work it out
from there.

tcpdump -i eth0 -Xx -Nn -s0 port \(ftp or ftp-data\) and host <host-name>

Should get you started.
Il Padrino
Guest

Posted: Fri Jan 14, 2005 3:29 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

* On 14 Jan 2005 07:07:32 -0800, bo_kid@yahoo.com wrote:
Quote:
Thanks for letting me ruin your friday!

Ok. Define not working. You get a login prompt?

The client logs in fine with username and password (even "welcome" text
shows).

Read my first post about network A, B and C.
The ftp control connection goes through the firewall. The weird thing
is that the data connection goes directly to the ftp-server when the
client is NOT behind a firewall, and when the client is behind a
firewall the data connection goes to the server's firewall!

Sounds bloody strange to me. What FTP client are you using? Have you
tried changing the PASV command (if you can, and the server allows you)
to the RIGHT IP address? Or is it right, but the connection still goes
to the server? If THIS is the case I would suspect that a NAT rule is
stray and is doing things it shouldn't!
Guest

Posted: Fri Jan 14, 2005 7:01 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

Thanks for good information Il Padrino. =)

Quote:
Passive mode was invented only so that FTP clients could be used
behind firewalls that do not allow inbound connections from ftp servers in
the outside world. It's a good thing.

Yes, that's why we use passive mode ftp. But I still don't know why it
doesn't work, or might not work, when both ends use firewalls/NAT?
I'll turn on the debugging on the ftp-server and look some more at the
logs.

Quote:
...for example it has an FTP module which allows it to "look at" ftp
connections and modify the PORT command made by the client so that
active mode ftp works in a NAT environment.

Can you use these "modules" (what are they?) with PASV command to
modify the command/address coming from the server as well?

Quote:
Any more questions let me know.

I have a lot of them! But I think I'll have to spend some more time
thinking over your reply and looking at the logs before I can ask you a
clever question.
As I said before, I'm still learning to crawl when it comes to
networking.


Thanks again!
/Kid
Guest

Posted: Fri Jan 14, 2005 8:07 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

Thanks for letting me ruin your friday!

Quote:
Ok. Define not working. You get a login prompt?

The client logs in fine with username and password (even "welcome" text
shows).

Read my first post about network A, B and C.
The ftp control connection goes through the firewall. The weird thing
is that the data connection goes directly to the ftp-server when the
client is NOT behind a firewall, and when the client is behind a
firewall the data connection goes to the server's firewall!

That is, when a non-firewalled client issues a PASV command it gets:
227 Entering Passive Mode (x1,x2,x3,x4,some,port), where x1,x2,x3,x4 is
the ftp-server's IP.

When a firewalled client issues the PASV command it gets:
227 Entering Passive Mode (y1,y2,y3,y4,some,port), where y1,y2,y3,y4 is
the firewall's IP, on the ftp-server side.


Have a nice weekend!
/Kid


Casey
Guest

Posted: Sat Jan 15, 2005 5:20 am    Post subject: Re: Does firewall mix with ip in ftp pasv?

snip..

You might find this useful. Active FTP vs Passive FTP, a definitive
explanation:
http://slacksite.com/other/ftp.html
Il Padrino
Guest

Posted: Mon Jan 17, 2005 9:55 am    Post subject: Re: Does firewall mix with ip in ftp pasv?

* On 17 Jan 2005 00:36:19 -0800, bo_kid@yahoo.com wrote:
Quote:

Do you mean the NAT on the server side or client side? It's not
impossible that the NAT on the server side is "misconfigured"!

On the server side.
Guest

Posted: Mon Jan 17, 2005 1:36 pm    Post subject: Re: Does firewall mix with ip in ftp pasv?

Back from the weekend!

Quote:
What FTP client are you using?

The usual ftp command in linux. Also Java ftpclient classes.

I've turned on debugging and found the following: (both client and
server are behind firewalls):
Let's say the firewall address=111.222.333.1, the ftp-server
address=111.222.333.2 and the client address=123.123.123.123.

Client connects to ftp at 111.222.333.1(=firewall) and logs on fine.
Client: ---> PASV

Server:
command: PASV^M
PASV
PASV port 45800 assigned to 123.123.123.123 [123.123.123.123]
<--- 227 Entering Passive Mode (111,222,333,2,178,232)

Client: 227 Entering Passive Mode (111,222,333,1,178,232)
And when the client tries to connect to (111,222,333,1,178,232) it
times out.

Server:
<--- 221 You could at least say goodbye.
lost connection to 123.123.123.123 [123.123.123.123]


Note:
FTP-server sends: 227 Entering Passive Mode (111,222,333,2,178,232)
Client receives: 227 Entering Passive Mode (111,222,333,1,178,232)
So on the way someone (whose NAT?) changed 111,222,333,2 to
111,222,333,1, but who?

Quote:
If THIS is the case I would suspect that a NAT rule is
stray and is doing things it shouldnt!

Do you mean the NAT on the server side or client side? It's not
impossible that the NAT on the server side is "misconfigured"!

Casey:
Thanks, but that's where I learnt about ftp before posting here! =)
/Kid
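A small Python check, added here as an example and not taken from the thread or from wu-ftpd, that parses the two 227 replies in Kid's debug output and reports what changed between what the server logged and what the client received, which is the comparison the thread ends on. The placeholder addresses 111.222.333.x are not valid IPv4 (333 exceeds 255), so the constructed sample uses documentation-range addresses instead (192.0.2.2 for the ftp-server, 192.0.2.1 for its firewall) while keeping the port bytes 178,232 from the log, which decode to the same port 45800 that wu-ftpd reported assigning.

```python
import re
from ipaddress import IPv4Address

# Constructed sample of the exchange from the thread, with the invalid
# placeholder addresses replaced by documentation-range ones.
SERVER_LOG_227 = "<--- 227 Entering Passive Mode (192,0,2,2,178,232)"
CLIENT_SEEN_227 = "227 Entering Passive Mode (192,0,2,1,178,232)"
CONTROL_PEER = "192.0.2.1"  # address the client dialled on port 21 (the firewall)

# RFC 959 227 reply: six decimal fields, h1-h4 = address, p1,p2 = port bytes.
PASV_RE = re.compile(r"227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    IPv4Address(host)  # rejects anything that is not a valid dotted quad
    return host, fields[4] * 256 + fields[5]


def format_pasv(host, port):
    """Build the 227 text a server (or a NAT helper rewriting it) would emit."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    p1, p2 = divmod(port, 256)
    return "227 Entering Passive Mode (%s,%d,%d)" % (host.replace(".", ","), p1, p2)


def diagnose_pasv(server_sent, client_received, control_peer):
    """Compare the 227 the server logged with the one the client received,
    report which fields were changed in transit, and flag whether the client
    will open its data connection to a different host than its control one."""
    sent = parse_pasv(server_sent)
    seen = parse_pasv(client_received)
    return {
        "sent": sent,
        "seen": seen,
        "host_rewritten": sent[0] != seen[0],
        "port_rewritten": sent[1] != seen[1],
        # True for the non-firewalled client in the thread, which was told
        # the server's own address rather than the firewall it dialled.
        "data_host_differs_from_control": seen[0] != control_peer,
    }


if __name__ == "__main__":
    print(diagnose_pasv(SERVER_LOG_227, CLIENT_SEEN_227, CONTROL_PEER))
```

Feeding the server-side and client-side 227 lines from a tcpdump capture on both sides of the firewall into diagnose_pasv shows whether the address was rewritten before or after the firewall, which answers the "who changed it?" question without guessing.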