FTP PORT commands; how do they work?

evilsaint

Golden Member
Feb 7, 2006
Ok, I have half of the problem figured out, so please, somebody, ANYBODY, help me figure out the other half. I have 4Mbit up and down of bandwidth that's aching to be used, and a whole buncha AT forum members who want some of my luscious 60GB's of music :D

I have an FTP server set up that's been serving a bunch of AT members here (check the OFFICIAL: Female Vocal Trance Thread for its origination, and PM me for IP/L/P/etc...). Everybody who is trying to browse the server is connecting just fine, but half the people are timing out while retrieving the directory listing.

I've gone through the logs extensively and singled out the problematic users as all having PORT commands sent back to my server, after having logged in properly, with their *internal* IPs formatted in the commands. Example: user with IP x.x.x.x connects to server, authenticates, gets the intro message and everything, but then his client sends a PORT command with 192.168.x.x or 172.16.x.x or whichever internal network address his router (or DHCP 'server' of sorts) has assigned to him.

A bunch of the users have tried different clients, and I'm on my fourth different type of server SW, so I don't think it's a configuration issue or anything, so I would have to guess that it'd boil down to whatever routers the commands are going through, and what the hell those routers are doing to these PORT commands after they originate from the client machines.

I'm off my rocker trying to figure this thing out... I think I'm wearing a track in my keyboard between the letter keys that make up 'Google'... Any help? Also, if anybody is interested in trying their hand @ connecting to the server, PM me for the IP and L/P.

Any help is appreciated, 'cause I'm at my wit's end.
 

spidey07

No Lifer
Aug 4, 2000
They need to be in passive mode (and your server must support it), or behind a firewall/router that knows how to handle FTP and actually changes the information in the packet to the correct/NATted address.

-edit-
In other words - it is a configuration issue.
:)

This is well known with FTP. The control channel is from client to server. The data channel (another TCP connection) is established from the server to the client to transfer data/directory listings, etc. Passive mode is from the client only to get around NAT issues. Smart routers will realize the incoming TCP connection is from an established FTP connection and allow it through.

So those are the two choices - passive mode or a router/firewall that can handle FTP.
 

evilsaint

Golden Member
Feb 7, 2006
I could be mistaken, but I've seen a few logs where they switch to passive mode (PASV is the command, right? My FTP/mIRC days are way behind me...) and still can't retrieve the directory listing. I have no problems at all from any of the three computers on my network here, IE/Firefox or real FTP clients, Active or Passive, from inside the network, and also going out through my router and back by connecting to my external IP...

Could it be that they just need the proper ports forwarded on their routers too, or is there more than that? Should they be disabling the cheap-shod firewalls that run in most routers?
 

evilsaint

Golden Member
Feb 7, 2006
Damn, where was that site when I was TS'ing this all day yesterday...? Thanks a bunch Spidey :D
 

spidey07

No Lifer
Aug 4, 2000
Just google...

http://www.google.com/search?hl=en&q=ftp+server+nat+passive+firewall

Edit - just make sure you aren't doing any port forwarding to your FTP server - that could break it. You need to forward all ports above 1024 to the FTP server as well. This is one of the primary reasons that when you NAT an FTP server you do it at layer 3, meaning IP address to IP address only; leave layer 4 out of it.

Even better:
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html

What I'm trying to say is this is well known with FTP. Very well known.
 

SKC

Golden Member
Jan 8, 2001
What about as a client trying to connect to the server? Is there anything that can be done, on my side, to help enhance the process? From the log of the unsuccessful login attempt, it seems my program (FileZilla) has tried both active and passive mode to connect, but neither seems to work:

Status: Connecting to xx.xxx.xxx.xxx:xxxx ...
Status: Connected with xx.xxx.xxx.xxx:xxxx. Waiting for welcome message...
Response: 220 blah blah... if you can get the friggin' directory listing
Command: USER xxxxxx
Response: 331 Password required for xxxxxx.
Command: PASS *********
Response: 230 User ATuser logged in.
Command: FEAT
Response: 211-Extensions supported:
Response: REST STREAM
Response: SIZE
Response: MDTM
Response: XCRC
Response: XMD5
Response: XSHA1
Response: UTF8
Response: MODE Z
Response: AUTH
Response: PROT
Response: CLNT
Response: EPRT
Response: EPSV
Response: MLST type*;size*;modify*;create;
Response: SITE PSWD;ABOUT;ZONE
Response: 211 END
Command: CLNT FileZilla
Response: 200 ok
Command: OPTS UTF8 ON
Response: 220 UTF8 OPTS ON
Command: SYST
Response: 215 UNIX Type: L8
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: MODE Z
Response: 200 Mode set to Zlib.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,x,xx,xx,xxx). [network IP]
Command: LIST
Response: 150 Opening data connection for file list of "/"
Error: Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Error: Could not retrieve directory listing
Command: PWD
Response: 503 Bad sequence of commands.
Command: TYPE A
Response: 503 Bad sequence of commands.
Response: 426 Can't open data connection or connection closed, transfer aborted.
Command: PWD
Response: 257 "/" is current directory.
Command: REST 0
Response: 350 Restarting at 0.
Command: PWD
Response: 257 "/" is current directory.
Command: PWD
Response: 257 "/" is current directory.
Command: REST 0
Response: 350 Restarting at 0.
Command: TYPE I
Response: 200 Type set to I.
Command: PWD
Response: 257 "/" is current directory.
Command: PWD
Response: 257 "/" is current directory.

Any thoughts or advice would be greatly appreciated..
Spidey, thanks for your research and links on this already.
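As an added illustration (not code from the thread or from any of the posters), the script below decodes the endpoint that FTP carries inside a PORT command or a 227 "Entering Passive Mode" reply and flags RFC 1918 addresses. That is the symptom evilsaint saw in his server logs (clients advertising 192.168.x.x in PORT) and the one visible in SKC's log above, where the server's 227 reply carried its network IP; either way the peer is told to open the data channel to an address it cannot reach unless the NAT device rewrites it. The log lines are constructed samples in the FileZilla-style format quoted above; the addresses are not from the thread.

```python
import ipaddress
import re

# Constructed sample log in the "Command:/Response:" format FileZilla shows.
# Line 1: a client behind NAT advertises its LAN address (the OP's case).
# Line 4: a server behind NAT advertises its LAN address (SKC's case).
# Line 6: a server that advertises a public address (what a NAT-aware
# router or a correctly configured server should produce).
SAMPLE_LOG = """\
Command: PORT 192,168,1,23,4,2
Response: 200 PORT command successful.
Command: PASV
Response: 227 Entering Passive Mode (10,0,0,5,195,80).
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,9,19,137).
"""

# RFC 959 encodes the data-channel endpoint as h1,h2,h3,h4,p1,p2 in
# both the PORT command (client -> server) and the 227 reply (server -> client).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges: the addresses evilsaint reported seeing in PORT commands.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if absent/invalid.
    The port is p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def audit_log(log_text):
    """One finding per PORT command / 227 reply: which side advertised the
    endpoint, the decoded address and port, and whether the address is an
    RFC 1918 one that the other side cannot reach across NAT."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("Command: PORT "):
            side = "client"
        elif line.startswith("Response: 227 "):
            side = "server"
        else:
            continue
        hp = decode_hostport(line)
        if hp is None:
            continue
        ip, port = hp
        addr = ipaddress.ip_address(ip)
        private = any(addr in net for net in _RFC1918)
        findings.append({"side": side, "ip": ip, "port": port, "private": private})
    return findings
```

Run against a real FileZilla log, a finding with `"private": True` identifies which side's NAT is failing to rewrite the address: the client's router for a PORT line, the server's router (or server configuration) for a 227 line.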
 

spidey07

No Lifer
Aug 4, 2000
I don't know.

This right here...
"Response: 150 Opening data connection for file list of "/"
Error: Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Error: Could not retrieve directory listing "

means it looks like a NAT/PAT problem and configuration on the client and server (you cannot open the data channel which is used to move data/directory listings). My guess would be there are not the proper ports forwarded to the server, or the server is not doing a one-to-one NAT and instead is doing PAT - only forwarding certain TCP ports instead of what it should be doing - forwarding all ports to a host to the FTP server.

There are certain services that you don't want to PAT (port address translation) and instead forward all ports or have a firewall that understands the application layer and modifies the packets. FTP is one of them. These ports and connections don't follow the "normal" rules of TCP and negotiate other things at the application layer. Oracle/sqlnet, H.323 and others come to mind. But when you get into those protocols it all depends on what the firewall/NAT device supports and what it can do... best to eliminate that from the equation.

From your post, you tried to set passive and the server accepted but when opening the channel it didn't work. I still say the server is not receiving/responding to the correct ports.

PS - I had better get full access for my postings. Especially since female vocal trances are my favs.
:)

OP - PM me with a read user/pass and I'll run a full trace and figure it out for you. I'll of course be using the built-in Microsoft/Unix FTP client because others aren't necessary.
;)

OP:
what server are you using?
what router/firewall are you using?
what are your NAT/PAT translations rules on inbound connections to you?
 

evilsaint

Golden Member
Feb 7, 2006
Oh, full access to anybody @ all, but special... umm... fluffy access for you and all your help Spidey :D

I'm using the trial version of NoFeel Server. It's the best free server I could get with the most configuration options. I have a basic user account set up with read/create/etc... with its root set as f:\mp3z\ on my computer/server.

I'm running no firewall whatsoever, SW or HW, and I have a Linksys WRT54G (I know, I know...) with any and every extraneous option shut down. It's also been flashed to the latest firmware b/c of some problems I had with BitTorrent ;)

Oh, and you mentioned port-forwarding possibly breaking the server... umm... I'm forwarding the custom port # and the custom port # minus one to my machine (which is hosting the server).

PM'd the connection info to you also, Spidey. Hack away :)
 

spidey07

No Lifer
Aug 4, 2000
I'm not hacking...
:)

You are performing NAT with your "router", correct? Put the server in the "DMZ" and I bet that resolves your issues. My guess is the router is not forwarding the ports properly.

I don't recommend putting machines in the "DMZ" - god I hate that word with SOHO "routers", but in your case it may indeed be necessary.

But from what you are saying that is indeed your problem. Your router is turning away legitimate data channel connections on an already open FTP control channel.

*confirmed*
Running on a non-standard port confuses non-layer-7-aware hardware (read: just about anything).

I need a trace from your end to see what is happening. Download Ethereal and filter on my IP.

PS - you didn't mention the non-standard port in the OP. But putting your server into a DMZ should resolve this. I DO NOT RECOMMEND putting it into "the DMZ" because it is a misnomer and I hate that term for SOHO gear. But it really may be your only solution. We need a way to translate all inbound requests, no matter what the port, to the server.

Normal routers/firewalls can handle FTP because they can change the address information and know what to do with port 21. You are on a non-standard port and they don't know what to do with it.

 

spike spiegal

Member
Mar 13, 2006
FYI - I have a couple of corporate FTP servers running as well as one at home - all on Windows. I've tried the FTP services built into Windows Server IIS, and a variety of third party FTP servers like Bullet.

I've found that the built-in Windows FTP server with IIS (both Server 2000 and 2003) is clunky and a pain to administer, but seems to have the least amount of problems with client connections. Given it's the least secure, that's no surprise, given it's next to impossible to even hide directory names from non-authorized users. I prefer BulletFTP.

All my servers are routed via NAT routers and firewalls. To be honest, I haven't had to mess around much with this to make it work.

99% of my problems are with client machines. Usually somebody running a software firewall blocking outbound FTP (which is stupid by design if you ask me), or a Mac user. As I understand it, OS X has problems with passive FTP and requires a third-party client to handle passive FTP correctly. Internet Explorer functions as a *basic* FTP client *OK* on its own if you don't demand a lot from it.