[Shorewall-newbies] FTP problem

Tom Eastep teastep at shorewall.net
Sun Dec 28 09:25:35 PST 2003

On Sunday 28 December 2003 09:04 am, gregory wrote:

> Yeah, that's what I was thinking. After I've read the email. So, it's a
> client side problem? The client is indeed behind a router.

To use active mode, client-side NATing routers must modify the outgoing PORT 
command; if the router doesn't know that port 7121 is FTP then it won't 
perform that modification.

> >>No, I've been able to test it and here's the debug result:
> >>ftp> pwd
> >>257 "/"
> >>ftp> debug
> >>Debugging on (debug=1).
> >>ftp> ls
> >>ftp: setsockopt (ignored): Permission denied
> >>---> PASV
> >>227 Entering Passive Mode (213,224,97,4,204,127)
> >>---> LIST
> >>150 Here comes the directory listing.
> >>226 Directory send OK.
> >>ftp>
> >
> >That all looks ok -- but in this case, you are using passive mode which
> > would eliminate any NAT problems on the client side.
> Are you telling the client shouldn't have any problems now because it
> was using PASV mode?

That's correct.

> The client is able to establish a connection and can even log in, yet
> can't get a directory listing.

The information at the beginning of http://www.shorewall.net/FTP.html clearly 
(I hope) explains that logging into an FTP server and transferring data 
to/from that server (including directory listings) use different connections.

> Using the ftp CLI command the client was able to write something to the
> ftp server as well, but can't get a directory listing.
> Weird.

Do you see any Shorewall messages when you try the directory listing?

I assume that the only 'net' rule you have for your FTP server is the 

	ACCEPT	net	fw	tcp	7121

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
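
Added example, not part of the original message: a Python model of the two points in the reply above, namely that the 227 reply names a separate data port, and that a client-side NAT router rewrites the PORT command only when it treats the control port as FTP. The function names, the client's private address and the router's public address and port are constructed for illustration; the 227 reply is the one quoted in the thread.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    # The data port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def format_port(ip, port):
    """Build the PORT command for an address/port pair."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)

def nat_control_line(line, control_port, helper_ports, public_ip, public_port):
    """Simplified model of a NAT router's FTP helper: it rewrites PORT only
    when the control connection goes to a port it has been told is FTP."""
    if control_port not in helper_ports or not line.startswith("PORT "):
        return line  # passed through untouched, private address and all
    return format_port(public_ip, public_port)

# 227 reply quoted in the thread above.
PASV_REPLY = "227 Entering Passive Mode (213,224,97,4,204,127)"
# Constructed sample values: a private client address and the router's public side.
CLIENT_PORT_CMD = format_port("192.168.1.10", 40000)
PUBLIC_IP, PUBLIC_PORT = "203.0.113.5", 61000

if __name__ == "__main__":
    # Passive mode: the client opens a second connection to this endpoint.
    print("passive data endpoint:", parse_hostport(PASV_REPLY))
    # Active mode through NAT, control connection on port 7121.
    for helper_ports in ({21}, {21, 7121}):
        out = nat_control_line(CLIENT_PORT_CMD, 7121, helper_ports,
                               PUBLIC_IP, PUBLIC_PORT)
        print("helper ports", sorted(helper_ports), "->", out,
              "=", parse_hostport(out))
```

With the helper watching only port 21, the server receives the client's private address in the PORT command and cannot connect back to it; with 7121 added, it receives the router's public address and port.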
