
reality check: passive FTP



A client of mine has its web site hosted with an ISP [0], accessible
by FTP.

0. ISP is a well-known acronym for Incompetent Stupid Poopyheads.

I cannot establish a data connection, even though I can log in fine.
The ISP told me I have to use passive mode, and so I did... but
I cannot get a directory listing in either passive or active mode,
from any of five machines I tried, in .de, .ch, .us, .jp, and .au,
using any of ncftp, lftp, w3m, lynx, or even <gasp> Firefox.

This is what happens:

  0.000000  local -> remote TCP 46667 > 21 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4666862 TSER=0 WS=7
  0.025744 remote -> local  TCP 21 > 46667 [SYN, ACK] Seq=0 Ack=1 Win=17424 Len=0 MSS=1452 WS=0 TSV=0 TSER=0
  0.025974  local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=4666868 TSER=0
  0.047752 remote -> local  FTP Response: 220 web2 Microsoft FTP Service (Version 5.0).
  0.047918  local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=48 Win=5888 Len=0 TSV=4666874 TSER=5920474
  0.048021  local -> remote FTP Request: USER XXXXXXXX
  0.087749 remote -> local  FTP Response: 331 Password required for XXXXXXXX.
  0.087994  local -> remote FTP Request: PASS YYYYYYYY
  0.116722 remote -> local  FTP Response: 230-FTP LCM WEB2
  0.156453  local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=102 Win=5888 Len=0 TSV=4666901 TSER=5920476
  0.179720 remote -> local  FTP Response: 230 User XXXXXXX logged in.
  0.179899  local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=131 Win=5888 Len=0 TSV=4666907 TSER=5920476
  0.180013  local -> remote FTP Request: PWD
  0.222725 remote -> local  FTP Response: 257 "/XXXXXXX" is current directory.
  0.222999  local -> remote FTP Request: FEAT
  0.245703 remote -> local  FTP Response: 500 'FEAT': command not understood
  0.245906  local -> remote FTP Request: HELP SITE
  0.278718 remote -> local  FTP Response: 214 Syntax: SITE (site-specific commands)
  0.279064  local -> remote FTP Request: CLNT NcFTP 3.1.9 linux-x86_64
  0.301696 remote -> local  FTP Response: 500 'CLNT NcFTP 3.1.9 linux-x86_64': command not understood
  0.340466  local -> remote TCP 46667 > 21 [ACK] Seq=82 Ack=309 Win=5888 Len=0 TSV=4666947 TSER=5920477
 23.286210  local -> remote FTP Request: PASV
 23.309130 remote -> local  FTP Response: 227 Entering Passive Mode (212,117,207,139,5,175).
 23.309355  local -> remote TCP 46667 > 21 [ACK] Seq=88 Ack=361 Win=5888 Len=0 TSV=4672689 TSER=5920707
 23.311491  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4672689 TSER=0 WS=7
 26.312900  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4673439 TSER=0 WS=7
 32.313003  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4674939 TSER=0 WS=7
 43.313278  local -> remote FTP Request: LIST
 43.531005 remote -> local  TCP 21 > 46667 [ACK] Seq=361 Ack=94 Win=17331 Len=0 TSV=5920910 TSER=4677689
 44.313204  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4677939 TSER=0 WS=7
 55.444176 remote -> local  FTP Response: 425 Can't open data connection.
 55.444390  local -> remote TCP 46667 > 21 [ACK] Seq=94 Ack=394 Win=5888 Len=0 TSV=4680722 TSER=5921028

I can access sites like ftp.gnu.org just fine, and given this fact
and the above output, I conclude that it's the remote firewall which
doesn't let the RELATED SYN for port 1455 through.

However, the ISP proved to me that it works from the outside (make
sure you're sitting before reading on): he put the receiver with me
on the other end on the table and called up another customer on
another line, asked them to log in to the machine (I could hear all
they said), passing out the username/password to the other customer
(I opposed, but wasn't heard), and heard how the customer read out
the directory listing, which the ISP confirmed, so apparently it
works for them.

Before I go raise hell and high waters, could you please confirm
that I am not smoking anything if I conclude that their Firewall
must have an exception for the other client to allow FTP traffic?
Mine certainly do not have an exception to deny FTP traffic only
for this host...

Cheers,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, author, administrator, and user
`. `'`     http://people.debian.org/~madduck http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
 
"if english was good enough for jesus christ,
 it's good enough for us."
                               -- miriam ferguson, governor of texas
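
Added example, not part of the original message: a short Python check that decodes the 227 reply from the capture above into the announced data endpoint and counts how many client SYNs to that port were answered. The capture lines are copied from the trace with TCP options trimmed; the function names and the returned dictionary layout are this example's own.

```python
import re

# Lines copied from the capture above (TCP options trimmed for brevity).
CAPTURE = """\
 23.309130 remote -> local  FTP Response: 227 Entering Passive Mode (212,117,207,139,5,175).
 23.311491  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=5840 Len=0
 26.312900  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0
 32.313003  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0
 44.313204  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0
 55.444176 remote -> local  FTP Response: 425 Can't open data connection.
"""

PASV_RE = re.compile(r"\b227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
TCP_RE = re.compile(
    r"(local|remote) -> (?:local|remote)\s+TCP (\d+) > (\d+) \[([A-Z, ]+)\]")

def parse_pasv(line):
    """Return (ip, port) from an RFC 959 227 reply, or None if absent."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in 227 reply")
    # The last two numbers are the high and low byte of the data port.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channel_status(capture):
    """Summarise the handshake attempt on the port announced by PASV."""
    endpoint, syns, answered = None, 0, False
    for line in capture.splitlines():
        endpoint = parse_pasv(line) or endpoint
        m = TCP_RE.search(line)
        if not m or endpoint is None:
            continue
        sender, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        flags = {f.strip() for f in m.group(4).split(",")}
        if sender == "local" and dport == endpoint[1] and flags == {"SYN"}:
            syns += 1  # initial SYN or a retransmission of it
        elif sender == "remote" and sport == endpoint[1] and flags & {"SYN", "RST"}:
            answered = True  # SYN/ACK or RST came back from the data port
    return {"endpoint": endpoint, "syn_attempts": syns, "answered": answered}

if __name__ == "__main__":
    print(data_channel_status(CAPTURE))
```

The decoded port matches the destination of the client's SYNs, so the client is connecting where the server told it to, and nothing (neither SYN/ACK nor RST) comes back from that port in the trace.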
