This point may have been lost in my earlier append because it was a little long-winded, but in addition to ensuring connections to passive ports are allowed inbound through the firewall, you also have to ensure the IP address the server sends in response to the client's PASV request is a valid external address. This is not something the server can do automatically for you. It doesn't know the external address of the firewall.
As I mentioned previously, most corporate firewalls are FTP-aware, and they will automatically convert the local address in the server's PASV response (e.g. 10.10.0.1) to the external address of the firewall (e.g. 172.25.32.55). One exception is if you are using a control port other than 21: you generally have to explicitly configure the firewall to be FTP-aware on that port.

If the client is connecting over SSL, or if you are using a firewall that isn't FTP-aware, you need to explicitly configure the FTP server with the correct external address to send in response to PASV requests, e.g.:

    config.listeners.default.data-connection.passive.external-address="x.x.x.x"

If this doesn't work, I could try and connect to your server to debug the conversation if you send me the necessary information offline.

One thing that concerns me is that there are no further commands after PASV in your debug log. Even if the server is sending back an unusable address, your client should send the LIST or NLST request after the PASV request. Then it should fail when it tries to open a connection to retrieve the listing. But perhaps your client isn't logging anything at all if the LIST or NLST attempt fails.

Clint

On 5/31/07 4:48 PM, "Ran" <[EMAIL PROTECTED]> wrote:

> Thanks Niklas,
>
> Yes, I have turned off the Windows firewall completely to test PASV data
> connections. What I have observed is: active has to be enabled to work
> with a PASV connection, and the port of PASV has to be set to 0 (auto).
>
> May I ask for your conf file that works with inbound connections from the
> Internet? Since there are some options for the conf that aren't documented
> (i.e. leave it blank), I can't seem to get robust settings for Internet
> users after many tries.
>
> I still stick to this FTP server because I love the FTPlets. I myself am
> an innovative developer who loves open source solutions and extensions; I
> wonder how difficult it is to become an Apache committer.
>
> Best Regards,
> Ran
>
> On 5/31/07, Niklas Gustavsson <[EMAIL PROTECTED]> wrote:
>>
>> The log below indicates that you get the error when doing a listing
>> rather than switching directory. A listing would need to open the data
>> connection socket, something which might get stopped by a firewall. Have
>> you been able to shut down your firewall to test this without it?
>>
>> /niklas
>>
>> Ran wrote:
>>> When I try to switch directory I get a timeout error, any idea?
>>> ==========================================
>>> Response: 257 "/d" is current directory.
>>> Command: TYPE A
>>> Response: 200 Command TYPE okay.
>>> Command: PASV
>>> Error: Disconnected from server
>>> Error: Could not retrieve directory listing
>>> Error: Timeout detected!
>>> ==========================================
>>>
>>> On 5/30/07, Ran <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Thanks Clint and Niklas,
>>>> For port range configuration on PASV ports, '123-125' seems to cause an
>>>> IllegalNumberFormat Exception; '123,124,125' works for me.
>>>> Why does active mode data directory listing take a sec to respond,
>>>> whereas PASV mode is almost instant?
>>>>
>>>> ran
>>>>
>>>> On 5/30/07, Clinton Foster <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>> Ran,
>>>>>
>>>>> I think you mentioned the firewall had been disabled, but just in
>>>>> case...
>>>>>
>>>>> To handle clients that are connecting in passive mode (which is
>>>>> preferred), it is not sufficient to simply open port 21 on the
>>>>> firewall. If the server is behind a firewall and the client is
>>>>> connecting from outside the firewall, the firewall must be configured
>>>>> to dynamically open ports for inbound passive connections from any IP
>>>>> address that already has a control connection to the server. Most
>>>>> modern corporate firewalls can be configured to do this. Note that
>>>>> this won't work for SSL connections because the firewall can't monitor
>>>>> the control connection to figure out what passive port to dynamically
>>>>> open. Also, it won't work with simple firewalls like the Windows
>>>>> firewall. In either of these cases you have to explicitly configure
>>>>> the firewall to allow a range of ports for passive connections, and
>>>>> configure the allowed passive ports on the FTP server with the same
>>>>> range. (In the case of the Windows firewall this is tedious because it
>>>>> does not allow configuring a range.)
>>>>>
>>>>> http://incubator.apache.org/ftpserver/configure-passive-ports.html
>>>>>
>>>>> The other potential issue, as Niklas pointed out, is NAT. When the
>>>>> client sends the PASV command to the server, the server's response
>>>>> includes both the IP address and the port to which the client must
>>>>> connect to perform the data transfer. If the firewall is FTP-aware it
>>>>> will automatically rewrite the IP address with the external address of
>>>>> the firewall (instead of the local address of the server). Here again,
>>>>> this won't work in the case of SSL, and I'm pretty sure it won't work
>>>>> with the Windows firewall. To handle these cases the server must be
>>>>> explicitly configured with the external address of the firewall. I
>>>>> think the documentation has not yet been updated to reflect this, but
>>>>> I believe the configuration parameter is as follows: (Niklas, correct
>>>>> me if I'm wrong...)
>>>>>
>>>>> config.listeners.default.data-connection.passive.external-address
>>>>>
>>>>> Don't confuse this parameter with
>>>>> config.listeners.default.data-connection.passive.address, which is the
>>>>> local network interface that server sockets for accepting passive
>>>>> connections should bind to. (Normally you can leave the default for
>>>>> this one.)
>>>>>
>>>>> Thanks to firewalls, hosting an FTP server is a little tricky from a
>>>>> configuration standpoint. Clients don't have to worry so much since
>>>>> passive connections are the norm these days, but this puts more onus
>>>>> on the server administrator. One thing that seems clear is that you
>>>>> should not use the Windows firewall if you are hosting an FTP server
>>>>> for non-trivial purposes.
>>>>>
>>>>> We should probably add a section to the documentation about this
>>>>> general subject.
>>>>>
>>>>> Clint Foster
>>>>>
>>>>>
>>>>> On 5/30/07 11:59 AM, "Niklas Gustavsson" <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> From the log it looks like you have a problem with opening the data
>>>>>> connection socket. It's likely due to a firewall or NAT issue. Since
>>>>>> you're in active mode, the server needs to be able to open a socket
>>>>>> to the client (and pass any firewalls, resolve the IP). You could try
>>>>>> to run in passive mode instead.
>>>>>>
>>>>>> /niklas
>>>>>>
>>>>>> Ran wrote:
>>>>>>> Now the server can't seem to retrieve the directory listing :-(
>>>>>>> I have my account directory set to E:\www\ftp\admin in the database.
>>>>>>> Could it be a slash problem?
>>>>>>>
>>>>>>> thanks again,
>>>>>>> ran
>>>>>>> =================================
>>>>>>> Response: 230 User logged in, proceed.
>>>>>>> Command: FEAT
>>>>>>> Response: 211-Extensions supported
>>>>>>> Response: SIZE
>>>>>>> Response: MDTM
>>>>>>> Response: REST STREAM
>>>>>>> Response: LANG en;zh-tw;ja;is
>>>>>>> Response: MLST Size;Modify;Type;Perm
>>>>>>> Response: AUTH SSL
>>>>>>> Response: AUTH TLS
>>>>>>> Response: MODE Z
>>>>>>> Response: UTF8
>>>>>>> Response: TVFS
>>>>>>> Response: 211 End
>>>>>>> Command: SYST
>>>>>>> Response: 215 UNIX Type: Apache FTP Server
>>>>>>> Status: Connected
>>>>>>> Status: Retrieving directory listing...
>>>>>>> Command: PWD
>>>>>>> Response: 257 "/" is current directory.
>>>>>>> Command: TYPE A
>>>>>>> Response: 200 Command TYPE okay.
>>>>>>> Command: PASV
>>>>>>> Error: Disconnected from server
>>>>>>> Error: Could not retrieve directory listing
>>>>>>> Error: Timeout detected!
>>>>>>> ========================================
>>>>>>>
>>>>>>> On 5/30/07, Ran <[EMAIL PROTECTED]> wrote:
>>>>>>>>
>>>>>>>> Removing localhost worked for me :-) thanks Dave.
>>>>>>>> However, I tried my real IP address instead of localhost in the
>>>>>>>> address element; weird, it didn't turn out any good.
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>> ran
>>>>>>>>
>>>>>>>> On 5/30/07, Dave Roberts <[EMAIL PROTECTED]> wrote:
>>>>>>>>>
>>>>>>>>> Ran wrote:
>>>>>>>>>> I tried turning off the Windows firewall; it didn't work.
>>>>>>>>>> I created a couple of accounts; I could only log in with them when
>>>>>>>>>> connecting to localhost.
>>>>>>>>>
>>>>>>>>> Your config is set to create the listener on the localhost only.
>>>>>>>>> This means the loopback interface (which has an IP address of
>>>>>>>>> 127.0.0.1). Therefore the server can only accept connections that
>>>>>>>>> come in on that interface - which results in what you are seeing:
>>>>>>>>> connections work when you use "localhost", but not when you use
>>>>>>>>> your real hostname or real IP address.
>>>>>>>>>
>>>>>>>>> In your config, remove the localhost setting from the <address>
>>>>>>>>> parameter, and this will tell the server to open up a listener on
>>>>>>>>> all interfaces for your system. You'll then be able to access it
>>>>>>>>> using your real hostname, and from other machines.
>>>>>>>>>
>>>>>>>>> Hope this makes sense.
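The thread above turns on one mechanism: the 227 reply to PASV carries the address and port the client must open a second connection to, an FTP-aware firewall rewrites that address on a plaintext control channel, and over SSL (or through a firewall that is not FTP-aware) the server must advertise the external address itself via the external-address parameter. The script below is an added illustration of that mechanism, not code from Apache FTPServer or from anyone in the thread. It parses and builds 227 replies, simulates the rewrite an FTP-aware firewall performs, and reports why a given reply would be unusable for a client behind the firewall. The address 10.10.0.1 is the one Clint used as the server's local address; the firewall address 203.0.113.5, the client address 198.51.100.20, the passive port range and all function names are constructed for the example.

```python
"""Diagnose the 227 PASV reply an FTP server sends out through NAT.

Added example for the discussion above; not part of Apache FTPServer.
Only 10.10.0.1 comes from the thread; every other address is constructed.
"""
import ipaddress
import re

# RFC 959 shape of the reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 space: a client outside the site cannot route to these addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply for ip:port (inverse of parse_pasv)."""
    if not 0 < port <= 65535:
        raise ValueError("bad port %r" % port)
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        ip.replace(".", ","), port // 256, port % 256)


def alg_rewrite(reply, firewall_external_ip):
    """Simulate what an FTP-aware firewall does on a plaintext control channel:
    keep the port, replace the server's local address with its own external
    address.  Over SSL the firewall cannot read the reply, so this never
    happens and the server has to advertise the external address itself."""
    _ip, port = parse_pasv(reply)
    return format_pasv(firewall_external_ip, port)


def diagnose(reply, server_ip_seen_by_client, client_ip, passive_ports=None):
    """Return finding codes explaining why a client at client_ip, which reached
    the server at server_ip_seen_by_client, may fail to open the data
    connection announced in reply.  An empty list means the reply looks usable."""
    ip, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(ip)
    client = ipaddress.ip_address(client_ip)
    findings = []
    if advertised.is_loopback:
        # Listener bound to localhost only (Dave's point) or wrong external-address.
        findings.append("LOOPBACK_ADDRESS")
    if ip != server_ip_seen_by_client:
        # The FTP-aware firewall should have rewritten this, or the server
        # should have been configured with the external address.
        findings.append("ADDRESS_MISMATCH")
        client_is_internal = any(client in n for n in RFC1918)
        if any(advertised in n for n in RFC1918) and not client_is_internal:
            findings.append("PRIVATE_ADDRESS_TO_EXTERNAL_CLIENT")
    if passive_ports is not None and port not in passive_ports:
        # The firewall only passes the configured passive range (Clint's point).
        findings.append("PORT_OUTSIDE_PASSIVE_RANGE")
    return findings


if __name__ == "__main__":
    allowed = range(1024, 1030)          # constructed passive port range
    local_reply = format_pasv("10.10.0.1", 1025)
    print(local_reply, diagnose(local_reply, "203.0.113.5", "198.51.100.20", allowed))
    fixed = alg_rewrite(local_reply, "203.0.113.5")
    print(fixed, diagnose(fixed, "203.0.113.5", "198.51.100.20", allowed))
```

Run stand-alone it prints the unrewritten reply with the ADDRESS_MISMATCH and PRIVATE_ADDRESS_TO_EXTERNAL_CLIENT findings, then the rewritten reply with none, which is the difference between a plaintext session through an FTP-aware firewall and an SSL session where the server must be told its external address. The check against the passive port range is the second half of Clint's advice: even a correct address is useless if the firewall does not pass the port the server chose.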