
Re: reality check: passive FTP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And one more thing, it's not the firewall. You are getting a connection
so there are no restrictions on traffic. It's going to be a config issue
on one end, probably theirs.

martin f krafft wrote:
> A client of mine has its web site hosted with an ISP [0], accessible
> by FTP.
> 
> 0. ISP is a well-known acronym for Incompetent Stupid Poopyheads.
> 
> I cannot establish a data connection, even though I can log in fine.
> The ISP told me I have to use passive mode, and so I did... but
> I cannot get a directory listing in either passive or active mode,
> from any of five machines I tried, in .de, .ch, .us, .jp, and .au,
> using any of ncftp, lftp, w3m, lynx, or even <gasp> Firefox.
> 
> This is what happens:
> 
>   0.000000  local -> remote TCP 46667 > 21 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4666862 TSER=0 WS=7
>   0.025744 remote -> local  TCP 21 > 46667 [SYN, ACK] Seq=0 Ack=1 Win=17424 Len=0 MSS=1452 WS=0 TSV=0 TSER=0
>   0.025974  local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=4666868 TSER=0
>   0.047752 remote -> local  FTP Response: 220 web2 Microsoft FTP Service (Version 5.0).
>   0.047918  local -> remote TCP 46667 > 21 [ACK] Seq=1 Ack=48 Win=5888 Len=0 TSV=4666874 TSER=5920474
>   0.048021  local -> remote FTP Request: USER XXXXXXXX
>   0.087749 remote -> local  FTP Response: 331 Password required for XXXXXXXX.
>   0.087994  local -> remote FTP Request: PASS YYYYYYYY
>   0.116722 remote -> local  FTP Response: 230-FTP LCM WEB2
>   0.156453  local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=102 Win=5888 Len=0 TSV=4666901 TSER=5920476
>   0.179720 remote -> local  FTP Response: 230 User XXXXXXX logged in.
>   0.179899  local -> remote TCP 46667 > 21 [ACK] Seq=29 Ack=131 Win=5888 Len=0 TSV=4666907 TSER=5920476
>   0.180013  local -> remote FTP Request: PWD
>   0.222725 remote -> local  FTP Response: 257 "/XXXXXXX" is current directory.
>   0.222999  local -> remote FTP Request: FEAT
>   0.245703 remote -> local  FTP Response: 500 'FEAT': command not understood
>   0.245906  local -> remote FTP Request: HELP SITE
>   0.278718 remote -> local  FTP Response: 214 Syntax: SITE (site-specific commands)
>   0.279064  local -> remote FTP Request: CLNT NcFTP 3.1.9 linux-x86_64
>   0.301696 remote -> local  FTP Response: 500 'CLNT NcFTP 3.1.9 linux-x86_64': command not understood
>   0.340466  local -> remote TCP 46667 > 21 [ACK] Seq=82 Ack=309 Win=5888 Len=0 TSV=4666947 TSER=5920477
>  23.286210  local -> remote FTP Request: PASV
>  23.309130 remote -> local  FTP Response: 227 Entering Passive Mode (212,117,207,139,5,175).
>  23.309355  local -> remote TCP 46667 > 21 [ACK] Seq=88 Ack=361 Win=5888 Len=0 TSV=4672689 TSER=5920707
>  23.311491  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4672689 TSER=0 WS=7
>  26.312900  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4673439 TSER=0 WS=7
>  32.313003  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4674939 TSER=0 WS=7
>  43.313278  local -> remote FTP Request: LIST
>  43.531005 remote -> local  TCP 21 > 46667 [ACK] Seq=361 Ack=94 Win=17331 Len=0 TSV=5920910 TSER=4677689
>  44.313204  local -> remote TCP 38486 > 1455 [SYN] Seq=0 Ack=0 Win=747520 Len=0 MSS=1460 TSV=4677939 TSER=0 WS=7
>  55.444176 remote -> local  FTP Response: 425 Can't open data connection.
>  55.444390  local -> remote TCP 46667 > 21 [ACK] Seq=94 Ack=394 Win=5888 Len=0 TSV=4680722 TSER=5921028
> 
> I can access sites like ftp.gnu.org just fine, and given this fact
> and the above output, I conclude that it's the remote firewall which
> doesn't let the RELATED SYN for port 1455 through.
> 
> However, the ISP proved to me that it works from the outside (make
> sure you're sitting before reading on): he put the receiver with me
> on the other end on the table and called up another customer on
> another line, asked them to log in to the machine (I could hear all
> they said), passing out the username/password to the other customer
> (I opposed, but wasn't heard), and heard how the customer read out
> the directory listing, which the ISP confirmed, so apparently it
> works for them.
> 
> Before I go raise hell and high waters, could you please confirm
> that I am not smoking anything if I conclude that their Firewall
> must have an exception for the other client to allow FTP traffic?
> Mine certainly do not have an exception to deny FTP traffic only
> for this host...
> 
> Cheers,
> 

- --
Greg Ryman
Network Engineering Supervisor
Candylogic, LLC.
Email: gregr@candylogic.com
Office: 949-916-4444 x.203
Cell: 714-585-7312
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFE9IsH3nq9k6G+PM0RAhgXAKCK/O8Y8UDc5kwf2CHXxVfxpFDYjgCgpWnn
juxA3aceyxP3lb/aVux+21I=
=RZvA
-----END PGP SIGNATURE-----


