[Zope-dev] ZServer Ftp Active mode through firewall

Kent Polk kent@goathill.org
18 May 2000 17:48:43 GMT


On 18 May 2000 08:45:02 -0500, Shane Hathaway wrote:
>Kent,
>
>If possible, I'd like you to check whether the FTP server is trying to
>make the connection from a port other than 20.  Then try out a

Ahhh! figured it out...

1) ZServer passive mode appears correct.
2) ZServer active mode responds on the *wrong port number*

Active mode is supposed to respond from port 20 for the data port
but ZServer is using a high port number, similar to passive mode.
Passive mode succeeds because the firewall allows outgoing high
port#'s, but blocks incoming high port#'s unless it sees a port 20
response from the outside server.

Active mode observed behavior with ZServer:
- client connects to server port 21, requests (high#) data port
- server responds from server high p# to client data port
- client receives data port response (unless firewall blocks)

>different FTP server that is working through the firewall (on active
>mode connections) and see if it connects from port 20.  If so, we have

Active mode observed behavior with WUFTP server :
- client connects to server port 21, requests (high#) data port
- server responds from server port 20 to client data port
- (firewall recognizes port 20 response, enables data port)
- client receives data port response

(Note that wuftpd runs as root...)

>found the problem.  The solution is not obvious to me, however,
>considering the restriction of allocation of ports below 1024. 

Exactly.  If ZServer isn't running with root privs, it *can't*
respond on port 20.

>Guidance is welcome...

What might be the recommended procedure to allow ZServer to open
port 20? Possibly detect if running with root privs and use port
20 instead of high port# for active mode?

If we could simply solve this problem by replacing our active ftp
clients with passive ones, it would be great, but it still doesn't
solve the problem of clients *elsewhere* which are running behind
a firewall and attempting to contact our server...

And here I thought active ftp clients had gone by the wayside years
ago, considering the problem they have with firewalls... Solaris,
RedHat, and NT still have active ftp clients by default, which are
the main client boxes which will be hitting the server.

Thanks Much!
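The two sequences Kent lists (ZServer answering the PORT command from a high port, wu-ftpd answering from port 20, and the client-side firewall admitting only the latter) as a small Python model. This is an added example written for this thread, not ZServer or wu-ftpd code; the client address, the port numbers, the "ephemeral port" stand-in and the firewall rule are constructed assumptions, and `try_bind_source_port` simply shows why an unprivileged process cannot pick port 20.

```python
"""Constructed model of the active-mode FTP data connection discussed above.

Added example for this thread; it is not ZServer or wu-ftpd code. The host,
ports and firewall rule are assumptions built from the behaviour Kent
describes (data connection from a high port vs. from port 20).
"""
import socket

FTP_DATA_PORT = 20              # well-known source port for active-mode data
PRIVILEGED_PORT_LIMIT = 1024    # Unix: binding below this needs root
ASSUMED_EPHEMERAL_PORT = 40000  # stands in for whatever high port the kernel picks


def parse_port_command(argument):
    """Decode the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    fields = [int(f) for f in argument.strip().split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PORT argument must be six integers in 0..255")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("client data port must be non-zero")
    return host, port


def format_port_argument(host, port):
    """Encode (host, port) the way an active-mode client sends it in PORT."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need an IPv4 dotted quad and a port in 1..65535")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def choose_data_source_port(server_euid):
    """Source port a server can realistically use for the data connection.

    Only a process running as root (euid 0) may bind port 20; anything else
    is left with an ephemeral high port, which is the ZServer behaviour
    Kent observed. The high port value here is an assumption.
    """
    return FTP_DATA_PORT if server_euid == 0 else ASSUMED_EPHEMERAL_PORT


def firewall_permits_inbound(src_port, dst_port):
    """Assumed client-side firewall rule from the thread: an inbound
    connection to a high client port is dropped unless it comes from
    server port 20. Low client ports are outside the scenario and pass."""
    return dst_port < PRIVILEGED_PORT_LIMIT or src_port == FTP_DATA_PORT


def simulate_active_transfer(port_argument, server_euid):
    """Walk the sequence Kent lists: PORT from the client, data connection
    from the server, firewall decision. Returns the observable facts."""
    client_host, client_port = parse_port_command(port_argument)
    src = choose_data_source_port(server_euid)
    return {
        "client_host": client_host,
        "client_port": client_port,
        "server_source_port": src,
        "data_connection_reaches_client": firewall_permits_inbound(src, client_port),
    }


def try_bind_source_port(port):
    """Bind a TCP socket to `port` on loopback and report the port obtained,
    or None if the OS refuses (PermissionError below 1024 without root).
    Port 0 asks the kernel for an ephemeral port, which is all an
    unprivileged server can do."""
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("127.0.0.1", port))
        return sock.getsockname()[1]
    except OSError:
        return None
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    import os
    client = format_port_argument("192.168.1.10", 40000)  # constructed client PORT
    for label, euid in (("root", 0), ("unprivileged", 1000)):
        print(label, simulate_active_transfer(client, euid))
    print("bind port 20 as euid", os.geteuid(), "->", try_bind_source_port(FTP_DATA_PORT))
```

Running it as an ordinary user prints `None` for the port-20 bind, which is the restriction Shane mentions; run as root it prints `20`. The model also makes the least-privilege trade-off explicit: the only thing port 20 needs is a bind at socket-creation time, so a server that must answer active clients can bind that socket while still privileged and then drop root, rather than running as root throughout the way wu-ftpd does.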