> On Wed, 2003-08-20 at 12:12, Victor McAllister wrote:
>> My friend is still troubleshooting why Dachstein works with an internal passive ftp client SENDING a file and Bering fails.
>> System is PPPoE.
>> He ran tcpdump in passive ftp mode. Dachstein shows the mss at different stages of the ftp as 1460 and 1412. In Bering the tcpdump log shows that the mss is 1452 and 1460. Bering has CLAMPMSS = Yes.
>> The internal ftp passive mode client log shows the port to which it will send the ftp file.
>> The tcpdump shows that in Dachstein that port is used and the ftp is successful.
>> In Bering the port used by the client shows in the tcpdump file AS ONE PORT LOWER THAN THE REQUESTED PORT.
>
> In a tcpdump on the internal interface, is the port number in the PASV response correct or wrong?
>
>> Why would ip_conntrack_ftp assign a passive client one port lower than the agreed upon port for transfer?
>> ******
>> If the ftp log shows that the tcp port for sending the file is supposed to be 13780,
>> tcpdump on the Bering firewall shows the packet is sent on port 13779 and the ftp fails.
>> ******
>> Is this a bug in ip_conntrack_ftp that only shows up when a client sends a file?
>
> If it is, it's a strange bug that only shows up on your friend's computer. You can remove ip_conntrack_ftp and ip_nat_ftp and throw them in the ocean if you like; passive mode FTP from behind a firewall works fine without them provided that you have the default policy of "loc net ACCEPT".
>
>> Passive clients probably usually receive files instead of sending them.
>
> All publishing of Shorewall distributions to Sourceforge occurs using passive mode FTP.
>
>> Anyone else seen this problem? My friend's weather station will not send ftp files through the Bering box. It will send files through the Dachstein box. All hardware, application program, remote ftp server and ISP are the same.
>
> No one else in the Shorewall user community is seeing this problem except your friend; or if they are, they aren't reporting it.
>
> -Tom

My friend commented out ip_conntrack_ftp and ip_nat_ftp in modules, rebooted, and everything works perfectly.
Sometime when he has some time we will have to do some more troubleshooting using tcpdump. I only saw the external IP on his tcpdump file so I don't think he was recording interior traffic.
I only have ssh access to his machine - so it is hard to run some experiments remotely.
THANKS TOM. Weather station is sending a file every 15 minutes now.
-- Victor McAllister
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
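The check Tom asks for in the thread (does the port announced in the server's 227 PASV reply match the port the client's data connection actually goes to?) can be scripted against tcpdump text output. The block below is an added example, not code from the thread, from Shorewall or from the LEAF project. It decodes the six-number PASV field (port = p1*256 + p2, so 53,212 is 13780), pulls the destination port and advertised MSS out of every SYN to the FTP server in a capture, and reports whether any SYN hit the announced port. The 227 reply and tcpdump lines are constructed to mirror the thread's symptom (13779 instead of 13780); the function names are mine, and it goes slightly beyond the thread by accepting both the older "S 10:10(0)" and the newer "Flags [S]" tcpdump line formats.

```python
import re
from typing import List, Optional, Tuple

# 227 reply to PASV, e.g. "227 Entering Passive Mode (192,0,2,10,53,212)".
# The last two numbers encode the data port as p1 * 256 + p2; these six
# numbers are what a NAT ftp helper has to rewrite on the control channel.
PASV_RE = re.compile(r"\b227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# SYN lines in both the old ("... > 1.2.3.4.13780: S 10:10(0) win ...")
# and the newer ("... > 1.2.3.4.13780: Flags [S], ...") tcpdump formats.
# Groups 3 and 4 are the destination address and port.
SYN_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (?:Flags \[S\]|S\b)"
)
MSS_RE = re.compile(r"mss (\d+)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (server_ip, data_port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):  # every field is a single octet
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_syns(tcpdump_lines, server_ip: str) -> List[Tuple[int, Optional[int]]]:
    """(dst_port, mss) for every SYN sent to server_ip in tcpdump text output."""
    found = []
    for line in tcpdump_lines:
        m = SYN_RE.search(line)
        if m is None or m.group(3) != server_ip:
            continue
        mss = MSS_RE.search(line)
        found.append((int(m.group(4)), int(mss.group(1)) if mss else None))
    return found


def check_pasv_transfer(pasv_reply: str, tcpdump_lines):
    """Return (expected_port, [(observed_port, mss), ...], ok).

    ok is True only if at least one SYN went to the port the 227 reply announced.
    """
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        raise ValueError("not a 227 PASV reply: %r" % pasv_reply)
    server_ip, expected = parsed
    observed = data_syns(tcpdump_lines, server_ip)
    return expected, observed, any(port == expected for port, _ in observed)


# Constructed sample data (not captures from the thread): a 227 reply that
# announces port 53*256+212 = 13780, a capture whose data SYN goes to 13779
# (the one-port-lower symptom the thread describes), and a capture whose
# data SYN goes to the announced port.
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,53,212)"
SAMPLE_BAD = [
    "12:12:01.100000 10.0.0.5.40122 > 192.0.2.10.21: P 1:7(6) ack 1 win 5840",
    "12:12:01.200000 10.0.0.5.40123 > 192.0.2.10.13779: S 10:10(0) win 5840 <mss 1452,nop,nop,sackOK>",
]
SAMPLE_GOOD = [
    "12:12:01.200000 IP 10.0.0.5.40123 > 192.0.2.10.13780: Flags [S], seq 10, win 5840, options [mss 1460]",
]

if __name__ == "__main__":
    for label, lines in (("bering-like", SAMPLE_BAD), ("dachstein-like", SAMPLE_GOOD)):
        expected, observed, ok = check_pasv_transfer(SAMPLE_PASV, lines)
        print(label, "expected", expected, "observed", observed, "OK" if ok else "MISMATCH")
```

Run it against `tcpdump -n -i <internal interface> port 21 or tcp[13] & 2 != 0` style captures taken on both sides of the firewall: if the 227 reply seen on the internal interface already carries the wrong port, the rewrite happened in the helper on the firewall; if the reply is correct there but the SYN still goes elsewhere, look at the client instead.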
