Re: gFTP problems?

2003-07-07 Thread Gavin Hamill
On Saturday 05 July 2003 11:52 pm, Martin WHEELER wrote:
> Solutions suggested so far have been to turn off, or make completely
> transparent, any firewall between you and them (!!!); or to turn off
> passive ftp mode.  (makes no difference, incidentally)

It sounds like they are now denying all incoming connections on non-standard 
ports -> i.e. they will accept 21 for FTP and 80 for WWW, but not much else.

I can understand why they've done this, since it closes a lot of possibilities 
for remote shells / backdoor exploits.

In passive mode, their server must allow incoming connections on some 
arbitrary TCP ports, but in non-passive (active) mode, it is /your/ computer 
that must allow the incoming connections.

The fact that some people using CuteFTP got it to work is pretty irrelevant - 
they're probably using ADSL modems directly connected to their Windows PC, 
and so have a direct non-firewalled connection capable of receiving TCP 
connections on strange ports.

I'm guessing you're either actually firewalled, or are simply doing IP MASQ 
which will have much the same effect..

You might want to look into the FTP connection-tracking module, since I 
believe this will deal properly with active FTP by actually watching the FTP 
connection data pass through, and will do some magic when it sees the PORT 
command (not PASV !) being issued...

Cheers,
Gavin.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: gFTP problems?

2003-07-06 Thread Fraser Campbell
On July 5, 2003 09:07 pm, Martin Wheeler wrote:

> This is the information I wanted -- thanks for confirming my suspicions.
> (I'd actually checked my own firewall settings, and port 20 is open for
> ftp; I tried opening up another port to see if the remote would find it,
> but it didn't.  So I was at a bit of a loss as to which of us had a
> problem.)

Are you certain that you're allowing port 20?  In active-mode (i.e. not 
passive) the ftp server makes a connection to the client, the client does not 
establish the connection to port 20.

> Guess I now have to persuade the ISP to tell me which port they have open
> for ftp traffic -- presumably they've closed down port 20 to discourage the
> black-hats.

If it's working for other clients (Cute FTP?) then it should work for you.  
Are you using a Linux firewall?  In a Linux 2.2 firewall you should load the 
ip_masq_ftp module.  In a Linux 2.4 firewall you should use the 
ip_conntrack_ftp module.  Have you run a tcpdump on your Internet interface to 
ensure that the packets from source port 20 are indeed not reaching you?

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
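As an added example (not code from this thread, and not the kernel's ip_masq_ftp or ip_conntrack_ftp module that Gavin and Fraser mention), the script below decodes the two control-channel messages such a helper has to watch for, the client's PORT command and the server's 227 passive-mode reply, and reports which side must accept the inbound data connection and which source port to expect; the sample exchange and its addresses are constructed.

```python
"""Decode the two FTP control messages that decide who must accept the data
connection. Added example, not code from the thread or from the kernel's
ip_conntrack_ftp helper; it mirrors only what such a helper has to parse."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2); every field is one byte."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (groups,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def classify(line, client_ip=None):
    """Return which side must accept an inbound TCP data connection, or None.

    Active mode (client sent PORT): the client accepts, and the server connects
    from source port 20.  Passive mode (server replied 227): the server accepts
    on an arbitrary high port.  A PORT naming an address other than the client's
    own is marked allow=False, the check a conntrack helper applies before it
    opens a RELATED expectation for that connection.
    """
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return {"mode": "active", "host": host, "port": port, "accepts": "client",
                "peer_port": 20, "allow": client_ip is None or host == client_ip}
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        return {"mode": "passive", "host": host, "port": port, "accepts": "server",
                "peer_port": None, "allow": True}
    return None


def expected_data_connections(control_log, client_ip=None):
    """Walk a captured control channel; one entry per PORT or 227 line seen."""
    hits = (classify(l.strip(), client_ip) for l in control_log.splitlines())
    return [h for h in hits if h]


# Constructed sample control-channel exchange, not a real capture.
SAMPLE = """220 ProFTPD Server ready.
PASV
227 Entering Passive Mode (192,0,2,10,195,89).
PORT 198,51,100,7,4,1
PORT 203,0,113,9,0,80
"""
```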

Re: gFTP problems?

2003-07-05 Thread Martin Wheeler
On Sat, 5 Jul 2003, Blu wrote:

> Looks like the port 20 (ftp-data) is blocked somewhere.

> Take a look at your firewall settings in case it is you who is blocking
> port 20, if not, it is your ISP.

This is the information I wanted -- thanks for confirming my suspicions.
(I'd actually checked my own firewall settings, and port 20 is open for ftp; I
tried opening up another port to see if the remote would find it, but it
didn't.  So I was at a bit of a loss as to which of us had a problem.)

Guess I now have to persuade the ISP to tell me which port they have open for
ftp traffic -- presumably they've closed down port 20 to discourage the
black-hats.

Cheers,
-- 
Martin Wheeler   -   StarTEXT / AVALONIX - Glastonbury - BA6 9PH - England
[EMAIL PROTECTED]  http://startext.demon.co.uk/
GPG pub key : 8D6B948B  ECC6 D98E 4CC8 60E3 7E32  D594 BB27 3368 8D6B 948B
  - Share your knowledge. It's a way of achieving immortality. -




Re: gFTP problems?

2003-07-05 Thread Blu
On Sat, Jul 05, 2003 at 10:52:28PM +, Martin WHEELER wrote:
> Solutions suggested so far have been to turn off, or make completely
> transparent, any firewall between you and them (!!!); or to turn off
> passive ftp mode.  (makes no difference, incidentally)
> 
> Symptoms under gFTP are: connection is made to the remote proFTPD 1.2.4
> server on port 21; password is requested; sent; and accepted; type is
> set to l; current directory is given as "/"; system goes into passive
> mode; gives message: "Receiving file names... ; then hangs until
> connection times out after printing message "Cannot create a data
> connection".
> 
> Customers using Cuteftp report that turning off passive mode indeed
> fixes the problem for them; any clues as to what is going on under
> Linux?
> (Sarge, with kernel 2.4.19 -- and I'm not using any local proxy.)

Looks like the port 20 (ftp-data) is blocked somewhere. The FTP protocol
uses two ports, 21 for commands and 20 to send data. In passive mode,
when you make a request to the ftp server, it tries to open a connection
to your machine on port 20 to send data. If the port 20 is blocked, the
server times out trying to connect. 

With passive mode turned off, it is your ftp client which actively tries
to establish a data connection, maybe through another port.

Take a look at your firewall settings in case it is you who is blocking
port 20, if not, it is your ISP.

Blu.




gFTP problems?

2003-07-05 Thread Martin WHEELER
I'm having to deal with a totally unhelpful ISP here in the UK
(ProWebSpace -- personal opinion: avoid like the plague), who has just
done something to their customer servers, but can't/won't tell their
customers what.

The upshot is that customers can no longer access their accounts to ftp
web data up to the server, where such access was no problem previously.
(I've been using gFTP 2.0.13 for the last six months without any hiccups
at all).

Solutions suggested so far have been to turn off, or make completely
transparent, any firewall between you and them (!!!); or to turn off
passive ftp mode.  (makes no difference, incidentally)

Symptoms under gFTP are: connection is made to the remote proFTPD 1.2.4
server on port 21; password is requested; sent; and accepted; type is
set to l; current directory is given as "/"; system goes into passive
mode; gives message: "Receiving file names... ; then hangs until
connection times out after printing message "Cannot create a data
connection".

Customers using Cuteftp report that turning off passive mode indeed
fixes the problem for them; any clues as to what is going on under
Linux?
(Sarge, with kernel 2.4.19 -- and I'm not using any local proxy.)

Any help appreciated.
-- 
Martin Wheeler   -   StarTEXT / AVALONIX - Glastonbury - BA6 9PH - England
[EMAIL PROTECTED]http://www.startext.co.uk/mwheeler/
GPG pub key : 01269BEB  6CAD BFFB DB11 653E B1B7 C62B  AC93 0ED8 0126 9BEB
  - Share your knowledge. It's a way of achieving immortality. -



