TCLUG Archive

Re: [TCLUG:18144] Passive FTP



Thanks for the replies. I haven't been able to reproduce the problem myself, 
but a couple of people are getting the error "425 Can't build data connection 
: NO route to host". The daemon is attached to port 60000. I'm configuring my 
firewall to only let connections to that port in from a certain IP:

/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $GLFTP1 -d $EXTIP 60000
/sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $GLFTP1 -d $EXTIP 59999

and output on any port. I wouldn't doubt that I'm missing something really 
easy here. Let me know if you have any insight; it would be really nice if 
I could configure it for passive access. It seems like they're able to 
access wu-ftpd on port 21, so I thought of moving it down there.

On another note, I'm also having problems with samba connections. I just 
upgraded to 2.0.7 and am getting errors in my /var/log/messages:

May 25 20:22:38 Obelix kernel: smb_trans2_request: result=-32, setting invalid
May 25 20:22:38 Obelix kernel: smb_retry: new pid=19308, generation=11
May 25 22:03:39 Obelix kernel: smb_trans2_request: result=-32, setting invalid
May 25 22:03:40 Obelix kernel: smb_retry: new pid=19347, generation=8
May 25 22:03:40 Obelix kernel: smb_trans2_request: result=-32, setting invalid
May 25 22:03:40 Obelix kernel: smb_retry: new pid=19308, generation=12
May 25 22:03:40 Obelix kernel: smb_trans2_request: result=-32, setting invalid
May 25 22:03:40 Obelix kernel: smb_retry: new pid=19351, generation=8
May 25 22:03:40 Obelix kernel: smb_trans2_request: result=-32, setting invalid
May 25 22:03:41 Obelix kernel: smb_retry: new pid=19360, generation=7

If it matters, I'm mounting Windows 2000 shares with
'mount -t smbfs -o guest //putername/share /dir/to/mount/to'

I don't see any pattern to the errors, and I don't know if there is any 
event correlating to them.

Thanks for anyone's help

Jeff

At 04:10 PM Thursday, 5/25/2000, you wrote:
>LONG REPLY but quite informative for the curious.
>(quick summary at end)
>
>On Thu, 25 May 2000, Jeffrey C. Lehman wrote:
>
> > I'm wondering if someone could explain or tell me where some good
> > documentation is regarding passive ftp transfer.  If the default port for
> > ftp is on 21 I think passive ftp also needs port 20.  If the port was
> > higher up, say port 25000, would passive use the next lowest port,
> > 24999?  I'm also wondering if someone could explain what input and output
> > commands I'd need for ipchains.  TIA.
> >
> > Jeff
>
>Here's a quick hands-on example of passive FTP:
>What I type will be in {}, what the server responds is in plaintext.
>My comments are in []
>
>-=-
>
>[jbevren@cerberus jbevren]$ {telnet localhost 21}
>
>[of course, port 21 is the ftp port]
>
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>220 cerberus FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT
>1999) ready.
>
>{user jbevren}
>
>331 Password required for jbevren.
>
>{pass <password>}
>
>230 User jbevren logged in.
>
>{pasv}
>
>[this is what your client sends to indicate that passive mode is needed]
>
>227 Entering Passive Mode (127,0,0,1,244,246)
>
>[this is the magical line.  Look at the numbers.
>   127.0.0.1 is the address to connect to,
>   244,246 are a pair of octets indicating the port to connect to.
>   244*256+246=62710.  I telnet localhost 62710 in another terminal,
>    and get an open connection.  The transfer phase is prepared.]
>
>{list}
>
>150 Opening ASCII mode data connection for /bin/ls.
>
>[at this point, the directory scrolls through the other terminal.  One
>     of the files is tfb.tcl.]
>
>226 Transfer complete.
>
>[the connection I made previously is closed.]
>
>{pasv}
>
>[this must be done for EVERY transfer to be made.]
>
>227 Entering Passive Mode (127,0,0,1,122,244)
>
>[ 122*256+244=31476, I telnet to port 31476, connect.]
>
>{get tfb.tcl}
>500 'GET tfb.tcl': command not understood.
>
>[oops <:-)]
>
>{retr tfb.tcl}
>150 Opening ASCII mode data connection for tfb.tcl (7328 bytes).
>
>[tfb.tcl dumps out in the other window..]
>
>226 Transfer complete.
>
>[and its connection is closed by foreign host]
>
>{quit}
>
>221 Goodbye.
>
>[bye]
>
>Connection closed by foreign host.
>[jbevren@cerberus jbevren]$
>
>-=-
>
>Passive ftp is quite simple to write for, but not so simple to set up chains
>for.  I haven't studied any ftp server documentation to see if you can tie a
>server to a specific ftp port for passive transfers.  However, it can be
>difficult for a server to serve more than one transfer at once if there's
>only one or a few ports available.  Your mileage, of course, will vary.  I
>recommend, if you can, tying the ftp server to a set of ports at 65000 to
>65535, and setting ipchains up appropriately.  Active FTP, of course, is
>always more secure, break-in wise, since the ftp server makes the transfer
>connection instead of accepting it.
>
>-David
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
>For additional commands, e-mail: tclug-list-help@mn-linux.org
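As an added illustration of the 227 reply David walks through above (not code from either poster), the following parses the six octets into an address and a port using the same p1*256+p2 arithmetic, and then applies the two checks a firewall-minded client or administrator would want: that the advertised address is the same host the control connection on port 21 is already talking to, and that the data port falls inside the range the firewall actually admits. The 65000-65535 range is David's suggestion and is assumed here as the policy; the helper names are my own.

```python
import re
import ipaddress

# Matches the 227 reply seen in the thread, e.g.
# "227 Entering Passive Mode (127,0,0,1,244,246)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Assumed firewall policy (constructed for this example): only these
# passive data ports are let through, per David's 65000-65535 suggestion.
ALLOWED_PASV_PORTS = range(65000, 65536)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Turn a 227 reply into (host, port); port is p1*256 + p2 as in the thread."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def check_pasv(reply: str, control_peer: str, allowed=ALLOWED_PASV_PORTS) -> list[str]:
    """Return the reasons the data connection should be refused (empty list = OK).

    control_peer is the address the control connection on port 21 is talking to.
    """
    try:
        host, port = parse_pasv(reply)
    except ValueError as e:
        return [str(e)]
    problems = []
    # The server should hand back the address the control session already uses;
    # a different address would steer the client's data connection to a third host.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        problems.append(f"advertised host {host} differs from control peer {control_peer}")
    # The data port must be one the firewall actually accepts, or the client
    # ends up with exactly the "425 Can't build data connection" failure above.
    if port not in allowed:
        problems.append(
            f"data port {port} outside firewall range {allowed.start}-{allowed.stop - 1}"
        )
    return problems
```

Both 227 replies from David's session (ports 62710 and 31476) fail the range check against a 65000-65535 policy, which is the kind of mismatch between server-chosen data ports and firewall rules that produces a 425 on the client side.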