Re: reality check: passive FTP
And one more thing, it's not the firewall. You are getting a connection
so there are no restrictions on traffic. It's going to be a config issue
on one end, probably theirs.
martin f krafft wrote:
> A client of mine has its web site hosted with an ISP [0], accessible
> by FTP.
>
> 0. ISP is a well-known acronym for Incompetent Stupid Poopyheads.
>
> I cannot establish a data connection, even though I can log in fine.
> The ISP told me I have to use passive mode, and so I did... but
> I cannot get a directory listing in either passive or active mode,
> from any of five machines I tried, in .de, .ch, .us, .jp, and .au,
> using any of ncftp, lftp, w3m, lynx, or even <gasp> Firefox.
>
> This is what happens:
>
> 0.000000 local -> remote TCP 46667 > 21 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4666862 TSER=0 WS=7
> 0.025744 remote -> local TCP 21 > 46667 [SYN, ACK] Seq=0 Ack=1 Win=17424 Len=0 MSS=1452 WS=0 TSV=0 TSER=0
> 0.025974 local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=4666868 TSER=0
> 0.047752 remote -> local FTP Response: 220 web2 Microsoft FTP Service (Version 5.0).
> 0.047918 local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=48 Win=5888 Len=0 TSV=4666874 TSER=5920474
> 0.048021 local -> remote FTP Request: USER XXXXXXXX
> 0.087749 remote -> local FTP Response: 331 Password required for XXXXXXXX.
> 0.087994 local -> remote FTP Request: PASS YYYYYYYY
> 0.116722 remote -> local FTP Response: 230-FTP LCM WEB2
> 0.156453 local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=102 Win=5888 Len=0 TSV=4666901 TSER=5920476
> 0.179720 remote -> local FTP Response: 230 User XXXXXXX logged in.
> 0.179899 local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=131 Win=5888 Len=0 TSV=4666907 TSER=5920476
> 0.180013 local -> remote FTP Request: PWD
> 0.222725 remote -> local FTP Response: 257 "/XXXXXXX" is current directory.
> 0.222999 local -> remote FTP Request: FEAT
> 0.245703 remote -> local FTP Response: 500 'FEAT': command not understood
> 0.245906 local -> remote FTP Request: HELP SITE
> 0.278718 remote -> local FTP Response: 214 Syntax: SITE (site-specific commands)
> 0.279064 local -> remote FTP Request: CLNT NcFTP 3.1.9 linux-x86_64
> 0.301696 remote -> local FTP Response: 500 'CLNT NcFTP 3.1.9 linux-x86_64': command not understood
> 0.340466 local -> remote TCP 46667 > 21 [ACK] Seq=82 Ack=309 Win=5888 Len=0 TSV=4666947 TSER=5920477
> 23.286210 local -> remote FTP Request: PASV
> 23.309130 remote -> local FTP Response: 227 Entering Passive Mode (212,117,207,139,5,175).
> 23.309355 local -> remote TCP 46667 > 21 [ACK] Seq=88 Ack=361 Win=5888 Len=0 TSV=4672689 TSER=5920707
> 23.311491 local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4672689 TSER=0 WS=7
> 26.312900 local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4673439 TSER=0 WS=7
> 32.313003 local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4674939 TSER=0 WS=7
> 43.313278 local -> remote FTP Request: LIST
> 43.531005 remote -> local TCP 21 > 46667 [ACK] Seq=361 Ack=94 Win=17331 Len=0 TSV=5920910 TSER=4677689
> 44.313204 local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4677939 TSER=0 WS=7
> 55.444176 remote -> local FTP Response: 425 Can't open data connection.
> 55.444390 local -> remote TCP 46667 > 21 [ACK] Seq=94 Ack=394 Win=5888 Len=0 TSV=4680722 TSER=5921028
>
> I can access sites like ftp.gnu.org just fine, and given this fact
> and the above output, I conclude that it's the remote firewall which
> doesn't let the RELATED SYN for port 1455 through.
>
> However, the ISP proved to me that it works from the outside (make
> sure you're sitting before reading on): he put the receiver with me
> on the other end on the table and called up another customer on
> another line, asked them to log in to the machine (I could hear all
> they said), passing out the username/password to the other customer
> (I opposed, but wasn't heard), and heard how the customer read out
> the directory listing, which the ISP confirmed, so apparently it
> works for them.
>
> Before I go raise hell and high waters, could you please confirm
> that I am not smoking anything if I conclude that their Firewall
> must have an exception for the other client to allow FTP traffic?
> Mine certainly do not have an exception to deny FTP traffic only
> for this host...
>
> Cheers,
>
--
Greg Ryman
Network Engineering Supervisor
Candylogic, LLC.
Email: gregr@candylogic.com
Office: 949-916-4444 x.203
Cell: 714-585-7312