[Zope-dev] ftp problems

Leonardo Rochael Almeida leo@hiper.com.br
Thu, 9 Aug 2001 22:40:23 -0300


Hi Terry

On Fri, Aug 10, 2001 at 10:23:32AM +1000, Terry Kerr wrote:
> Hi,
> 
> [...]
> 
> I am FTPing from my box on a local network, though a
> gateway/firewall/masquerading box to the internet, through to a server
> running zope with ftp on port 21.  The server is running a ipfilter
> firewall, letting all connections out, but only port 80,21,20,443 in.
> The gateway box is linux running an ipchains firewall which lets every
> connection out, and it has the ftp masquerading kernel module loaded.

Here is the key: the Zope server's ipfilter only lets specific ports in.

> The problem I have is that my ftp client (linux client, running in
> passive mode), will connect and authenticate to the zope ftp server, but
> I can't do anything else.  If I turn the firewall off on our remote
> server, then ftp works fine.  However, if I turn the firewall back on,
> but ftp from our gateway rather than my box behind the gateway, then ftp
> also works fine.  Also, if I turn off the zope server, and run a
> standard ftpd daemon on port 21 on our remote server, I can ftp to it
> fine with the firewall turned on.
> 
> So the problem is specific to zope+firewall+masquerading.  Remove either
> one of those and it works.
> 
> It makes me think that the ftp server in zope doesn't work in passive
> mode as it should?

Passive mode requires that the FTP server let in any connections on
high ports because your client will attempt to connect to a high port
to get data (such as file listings and file contents).

The weird part is that the other ftp daemon should accept connections
where zope wouldn't. Are you sure you are really using passive mode
all the time? Check with tcpdump or some other eavesdropping facility
which connections are being attempted.

In an active mode ftp session you should see the following:

* your ftp client starts a tcp connection to port 21 of the ftp
server, authenticates and issues a request, such as file listing or
transfer.

* the ftp server starts a tcp connection (usually from port 21) to a
high port on your machine (on a masqueraded box, that only works if
you have ftp module loaded) to transfer the data from the request.

In passive mode what happens is:

* your ftp client starts a tcp connection to port 21 of the ftp
server, authenticates and issues a request, such as file listing or
transfer.

* your ftp client starts a tcp connection to a high port on the server
to receive the data.

Check where packets are actually getting to and you will know who
is blocking the traffic.

    Regards, Leo
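A small decoder for the two endpoint advertisements the exchange above turns on, added here as an example and not part of the original thread: it parses a PASV reply (passive mode, the client connects to a high port on the server) and a PORT command (active mode, the server connects to a high port on the client), then checks the passive data port against an inbound port allow-list like the one described on the Zope box. The sample reply, command and allow-list are constructed.

```python
"""Check whether an FTP data connection would pass a port-based packet filter.

Assumptions: PASV replies and PORT commands use the RFC 959 h1,h2,h3,h4,p1,p2
encoding, and the server firewall is a plain inbound port allow-list."""
import re

# Constructed inputs: the inbound allow-list described for the Zope server,
# a PASV reply a server might send, and a PORT command an active-mode client might send.
SERVER_INBOUND_ALLOWED = {80, 21, 20, 443}
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
SAMPLE_PORT_COMMAND = "PORT 10,0,0,5,4,1"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT commands."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % text)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return host, port


def passive_data_endpoint(pasv_reply):
    """Passive mode: the CLIENT opens the data connection to this (server host, port)."""
    if not pasv_reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % pasv_reply)
    return parse_hostport(pasv_reply)


def active_data_endpoint(port_command):
    """Active mode: the SERVER opens the data connection to this (client host, port)."""
    if not port_command.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got %r" % port_command)
    return parse_hostport(port_command)


def inbound_allowed(port, allowed_ports):
    """A filter that only lets listed ports in drops the data connection otherwise."""
    return port in allowed_ports


def diagnose_passive(pasv_reply, server_allowed):
    """Explain what a port-only inbound filter on the server does to a PASV transfer."""
    host, port = passive_data_endpoint(pasv_reply)
    if inbound_allowed(port, server_allowed):
        return "passive data connection to %s:%d allowed" % (host, port)
    return ("passive data connection to %s:%d BLOCKED: control channel on 21 works, "
            "so login succeeds but LIST/RETR never complete" % (host, port))
```

The symptom in the thread (login works, nothing else does) is exactly the BLOCKED branch: the control connection on port 21 is on the allow-list, the data port the server picks is not.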