Odd FTP Problems
David A. Bandel
david
Mon May 17 11:48:32 PDT 2004
On Wed, 18 Jun 2003 17:01:36 -0500
Jason Joines <joines at bus.okstate.edu> wrote:
[snip]
>
> $ipchains -A input -s $anyhost -d $thishost 1024:65535 -p tcp -i eth0
> ! -y -j ACCEPT
>
> The users have IE x.x on win2k. I had one of them try to retrieve a
> file via the win2k command line and that worked just fine. So, I
> tried Mozilla 1.4rc1 on my SuSE box. Then I had the same problem as
> the users and the log showed rejections from my box to arbitrary high
> tcp ports on the server.
>
> It looks like the ftp in the browsers is doing something odd. The
> server is running wu-ftpd 2.60.

The FTP server isn't doing anything (odd or otherwise).
Command line ftp uses active FTP (works).
Browsers use passive FTP (doesn't work).
I'll bet you can't use ncftp from a command line in passive mode either.

Active FTP works by your client contacting the FTP server on port 21.
You log in. Then, all requests for data (ls, get, but not cd) cause the
server to open port 20 back to the client.

In passive FTP, the server is told _not_ to do this, but to use port 21
and a negotiated upper port (1024+) for the other half of the
connection. This is failing.

Take down your firewall, run tcpdump like this:

tcpdump -ni eth0 host $otherhost

(you can use either name or IP number for $otherhost)
Connect via IE and transfer something. This will show you what's going
on.
Put your firewall back in place and do this again.

You haven't posted enough of your firewall to say where the problem is.
What are the policy and rules for input and output?

Also, if you really need a firewall, why use an ancient kernel?
IPTables really is worth the effort for the stateful matching. If you
want to go this route and need help, post here.

Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
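
Added example, not part of the original message: a Python model of the one quoted ipchains input rule, applied to the data connection that the FTP control channel negotiates. The control lines and addresses are constructed samples, and since the rest of the rule set was not posted, the sketch only reports whether this single rule would accept the packet.

```python
import re

SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Decode h1,h2,h3,h4,p1,p2 (RFC 959) from a PORT command or 227 reply."""
    m = SIX.search(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None          # malformed octet, do not guess
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def quoted_rule_accepts(dport, syn_only):
    """The quoted input rule: tcp, dst port 1024:65535, '! -y' (not a bare SYN)."""
    return 1024 <= dport <= 65535 and not syn_only

def server_side_check(control_line):
    """Say what the server's input chain sees first for the data connection."""
    ep = parse_endpoint(control_line)
    if ep is None:
        return None
    if control_line.startswith("227"):
        # Passive: the client opens the data connection, so the server
        # receives a bare SYN on the port it just advertised.
        return {"mode": "passive", "listener": ep, "inbound_syn_port": ep[1],
                "accepted": quoted_rule_accepts(ep[1], syn_only=True)}
    if control_line.upper().startswith("PORT"):
        # Active: the server connects out from port 20; no bare SYN
        # arrives on a high port, so this rule is never asked about one.
        return {"mode": "active", "listener": ep, "inbound_syn_port": None,
                "accepted": None}
    return None

# Constructed control-channel lines (documentation addresses, not from the thread).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,195,149)",
    "PORT 198,51,100,7,4,1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", server_side_check(line))
```

A stateful firewall with an FTP helper reads the same 227 reply and admits only the advertised port for that one client, instead of leaving the whole 1024:65535 range open to new connections.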