[Shorewall-newbies] FTP problem
teastep at shorewall.net
Sun Dec 28 09:25:35 PST 2003
On Sunday 28 December 2003 09:04 am, gregory wrote:
> Yeah, that's what I was thinking. After I've read the email. So, it's a
> client side problem? The client is indeed behind a router.
To use active mode, client-side NATing routers must modify the outgoing PORT
command; if the router doesn't know that port 7121 is FTP then it won't
perform that modification.
> >>No, I've been able to test it and here's the debug result:
> >>ftp> pwd
> >>257 "/"
> >>ftp> debug
> >>Debugging on (debug=1).
> >>ftp> ls
> >>ftp: setsockopt (ignored): Permission denied
> >>---> PASV
> >>227 Entering Passive Mode (213,224,97,4,204,127)
> >>---> LIST
> >>150 Here comes the directory listing.
> >>226 Directory send OK.
> >That all looks ok -- but in this case, you are using passive mode which
> > would eliminate any NAT problems on the client side.
> Are you telling the client shouldn't have any problems now because it
> was using PASV mode?
> The client is able to establish a connection and can even log in, yet
> can't get a directory listing.
The information at the beginning of http://www.shorewall.net/FTP.html clearly
(I hope) explains that logging into an FTP server and transferring data
to/from that server (including directory listings) use different connections.
> Using the ftp CLI command the client was able to write something to the
> ftp server as well, but can't get a directory listing.
Do you see any Shorewall messages when you try the directory listing?
I assume that the only 'net' rule you have for your FTP server is the
ACCEPT net fw tcp 7121
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
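
The two data-connection cases discussed in this message, as an added Python sketch that is not part of the original post and is not Shorewall or router code: it decodes the 227 reply quoted above and models a NAT router that rewrites PORT only when the control port is one it treats as FTP. The addresses 192.168.1.10 and 203.0.113.5, the function names and the `helper_ports` parameter are assumptions made for illustration.

```python
import re

# The 227 reply is the one quoted in the thread; every other value below
# (private/public addresses, helper port list) is constructed for the example.
PASV_REPLY = "227 Entering Passive Mode (213,224,97,4,204,127)"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple in a PORT command or 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Encode ip and port back into the comma-separated form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def nat_rewrite_port(line, public_ip, control_port, helper_ports=(21,)):
    """Hypothetical model of a NAT router's FTP handling for active mode.

    The PORT argument is rewritten to the public address only when the
    control connection uses a port the router treats as FTP; otherwise the
    private address goes out unchanged and the server cannot connect back.
    Simplification: the data port number itself is kept as-is.
    """
    if control_port not in helper_ports or not line.upper().startswith("PORT "):
        return line
    _, port = parse_hostport(line)
    return "PORT " + format_hostport(public_ip, port)


def data_port_covered(reply, allowed_tcp_ports):
    """True if the passive data port is matched by plain port-based rules."""
    _, port = parse_hostport(reply)
    return port in allowed_tcp_ports


if __name__ == "__main__":
    print(parse_hostport(PASV_REPLY))
    print(nat_rewrite_port("PORT 192,168,1,10,204,127", "203.0.113.5", 7121))
    print(data_port_covered(PASV_REPLY, {7121}))
```

The passive data connection goes to a port other than 7121, so a rule that matches only the control port does not by itself account for it; the firewall has to recognise the connection as related to the FTP session.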