[Shorewall-newbies] FTP problem

gregory aeon at pandora.be
Sun Dec 28 20:20:32 PST 2003


Tom Eastep wrote:

>On Sunday 28 December 2003 09:04 am, gregory wrote:
>
>  
>
>>Yeah, that's what I was thinking. After I've read the email. So, it's a
>>client side problem? The client is indeed behind a router.
>>    
>>
>
>To use active mode, client-side NATing routers must modify the outgoing PORT 
>command; if the router doesn't know that port 7121 is FTP then it won't 
>perform that modification.
>
>  
>
>>>>No, I've been able to test it and here's the debug result:
>>>>ftp> pwd
>>>>257 "/"
>>>>ftp> debug
>>>>Debugging on (debug=1).
>>>>ftp> ls
>>>>ftp: setsockopt (ignored): Permission denied
>>>>---> PASV
>>>>227 Entering Passive Mode (213,224,97,4,204,127)
>>>>---> LIST
>>>>150 Here comes the directory listing.
>>>>226 Directory send OK.
>>>>ftp>
>>>>        
>>>>
>>>That all looks ok -- but in this case, you are using passive mode which
>>>would eliminate any NAT problems on the client side.
>>>      
>>>
>>Are you telling the client shouldn't have any problems now because it
>>was using PASV mode?
>>    
>>
>
>That's correct.
>
>  
>
But passive mode doesn't work.

>>The client is able to establish a connection and can even log in, yet
>>can't get a directory listing.
>>    
>>
>
>The information at the beginning of http://www.shorewall.net/FTP.html clearly 
>(I hope) explains that logging into an FTP server and transferring data 
>to/from that server (including directory listings) use different connections.
>
>  
>
>>Using the ftp CLI command the client was able to write something to the
>>ftp server as well, but can't get a directory listing.
>>Weird.
>>    
>>
>
>Do you see any Shorewall messages when you try the directory listing?
>
>  
>
No.

>I assume that the only 'net' rule you have for your FTP server is the 
>following:
>
>	ACCEPT	net	fw	tcp	7121
>  
>
This is the only rule I have, yeah.
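
An added example, not part of the original thread: it decodes the `h1,h2,h3,h4,p1,p2` address used by the 227 reply and the PORT command, checks whether the resulting data port is matched by a static port rule such as the one for tcp 7121, and shows the PORT rewrite a client-side NAT router has to perform for active mode. The function names and the 192.168.1.10 / 203.0.113.5 addresses are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by both the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# The 227 reply quoted in the thread
PASV_REPLY = "227 Entering Passive Mode (213,224,97,4,204,127)"
# Constructed active-mode command from a client on a private address
PORT_CMD = "PORT 192,168,1,10,19,137"


def parse_hostport(line):
    """Return (ip, port) named in a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def data_endpoint_covered(line, allowed_tcp_ports):
    """True if the data port in `line` is matched by a static port rule."""
    ep = parse_hostport(line)
    return ep is not None and ep[1] in allowed_tcp_ports


def rewrite_port_for_nat(port_cmd, public_ip):
    """Replace the private address in an outgoing PORT command with the
    router's public address (port kept unchanged in this sketch)."""
    ep = parse_hostport(port_cmd)
    if ep is None or not port_cmd.upper().startswith("PORT"):
        return port_cmd          # not a PORT command: pass through untouched
    port = ep[1]
    return "PORT {},{},{}".format(public_ip.replace(".", ","), port >> 8, port & 0xFF)


if __name__ == "__main__":
    print(parse_hostport(PASV_REPLY))                  # data connection target
    print(data_endpoint_covered(PASV_REPLY, {7121}))   # only the control port is listed
    print(rewrite_port_for_nat(PORT_CMD, "203.0.113.5"))
```

The data connection goes to a different port than the control connection on 7121, so a rule that lists only 7121 does not match it by port number; the firewall has to associate the data connection with the control session some other way.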

