ftp windoze <- fc3 works fine, ftp fc3 <- fc3 doesn't work? (for me)

Paul Howarth paul at city-fan.org
Mon Mar 14 15:15:41 UTC 2005


Bob Brennan wrote:
> On Mon, 14 Mar 2005 14:23:24 +0000, Paul Howarth <paul at city-fan.org> wrote:
>>I suspect that there is a problem with NAT at either the client or
>>server end. A special ftp-aware address-conversion filter is needed in
>>the firewall setup to make NAT with ftp work properly.
> 
> 
> An ADSL router does the NAT conversion for me but since I run the main
> server on 10.0.0.10 and an emergency backup server on 10.0.0.11 I
> leave all ports open on the router, switch the NAT setting to "all
> incoming ports go to 10.0.0.[the one I want]", and do all firewalling
> on the FC3 box(es).
> 
> But since "pass off" makes FC3 ftp work and Windoze ftp works all the
> time surely neither NAT nor firewalling can be the issue(?)

How do you know Windoze ftp works all the time? Have you tried it with 
an ftp client that is capable of working in passive mode (the regular 
Windows ftp client can't do this)?

>>>>>ftp> ls
>>>>>227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx).
>>>>>ftp: connect: No route to host
>>>>
>>>>Is there a layer of network address translation going on between client
>>>>and server?
>>>
>>>
>>>The symptoms are the same using an identical FC3 machine on the same
>>>LAN, from machine 10.0.0.11 to machine 10.0.0.10
>>
>>If you're actually using addresses 10.x.x.x, you could show the
>>addresses in use in the ftp dialogs instead of "x"ing them out. If the
>>address shown as "xxx"s in:
>>
>>227 Entering Passive Mode (xx,xxx,xxx,xx,xxx,xxx)
>>
>>does not look like a 10.x.x.x address then the server does not think
>>it's talking to a machine at 10.x.x.x and hence sends the response to
>>the wrong place.
> 
> 
> At the moment I am ftping the server from miles-away hence the x's
> would have revealed the real external IP of my server. The point I was
> trying to make with the tests from 10.0.0.11 is that it made no
> difference there or remotely - Windoze worked but FC3 would not.

Please show the addresses being used when you're using the LAN-based FC3 
client, which won't give away any "secret" addresses.

> But all will be well now once I configure proFTP to accept passive
> mode (but I won't do that if it breaks the Windoze access) and/or warn
> the user to use passive mode and binary just after connecting.

Your brain is still out of gear. It is passive mode that's broken. "Pass 
off" turns *off* passive mode.

ProFTPD is perfectly capable of using passive mode correctly. The 
problem is most likely in the firewall settings somewhere.

> At least Linux users will be savvy enough (one hopes) to know what
> entering "pass off" means.

One can hope but one may be disappointed...

Paul.
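
The check asked for above (does the address in the 227 reply match the address the client actually connected to?) written out as an added example; it is not part of the original message. The function names and verdict labels are assumptions for illustration, 10.0.0.10 is the LAN server address from the thread, and 203.0.113.5 is a constructed stand-in for an external address.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so documentation addresses count as external.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        # Also raised for redacted replies such as (xx,xxx,xxx,xx,xxx,xxx).
        raise ValueError("not a usable 227 reply: %r" % reply)
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]   # port = p1 * 256 + p2


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def diagnose(reply, control_peer):
    """Compare the advertised data address with the address the client dialled."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        verdict = "address-ok: if connect still fails, check filtering of the data port"
    elif is_rfc1918(ip) and not is_rfc1918(peer):
        verdict = "private-leak: server advertises a LAN address to an outside client"
    else:
        verdict = "mismatch: server advertises an address the client did not dial"
    return ip, port, verdict


if __name__ == "__main__":
    sample = "227 Entering Passive Mode (10,0,0,10,195,80)."  # constructed reply
    for dialled in ("10.0.0.10", "203.0.113.5"):
        print(dialled, "->", *diagnose(sample, dialled))
```
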



