[Zope-dev] ZServer Ftp Active mode through firewall

Shane Hathaway shathaway@earthling.net
Thu, 18 May 2000 08:45:49 -0400


Kent,

If possible, I'd like you to check whether the FTP server is trying to
make the connection from a port other than 20.  Then try out a
different FTP server that is working through the firewall (on active
mode connections) and see if it connects from port 20.  If so, we have
found the problem.  The solution is not obvious to me, however,
considering the restriction of allocation of ports below 1024. 
Guidance is welcome...

Shane

Kent Polk wrote:
> 
> I believe we discovered a problem with ZServer's ftp server.
> (Zope 2.1.6)
> 
> I posted the following to the collector:
> http://classic.zope.org:8080/Collector/1257/view
> 
> Has anyone else seen this problem? :
> 
> ----------------------
> It appears that ZServer's active ftp mode may be broken, but probably
> is only noticed when used in conjunction with a firewall.  Ftp
> Passive mode operates as expected and active mode operates as long
> as there is no firewall.
> 
> Observations (Active mode):
> - client connects, instructs server regarding data port to use.
> - server appears to never send port 20 reply to client, which is
>   required by the firewall to know that the data port needs to be
>   opened.
> - client waits on data port. If no firewall, the connection is
>   made. If firewall is blocking high port numbers, the firewall
>   never is instructed to open the data port which is indicated by
>   the server port 20 response (that is never sent), so no connection
>   is made.
> 
> I saw a number of discussions regarding this topic that indicated
> that improper DNS configuration was causing the problem. However,
> this is not the problem in our case. We first noticed that all
> passive (PASV) mode ftp clients worked correctly, then noticed that
> all ftp clients on the same subnet or outside the firewall worked
> correctly, then noticed that active clients inside the firewall
> were never receiving the port 20 response and that the firewall
> was blocking the data port from the server.
> 
> Comments?
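
An added example, not part of the original thread and not ZServer code: a loopback check of which source port an active-mode data connection arrives from, with and without binding to the control port minus one (port 20 for a server on 21). The control port 2121 and all function names are assumptions, chosen so the check runs without privileges.

```python
import socket

DEMO_CONTROL_PORT = 2121  # constructed: unprivileged stand-in for FTP control port 21


def parse_port_arg(arg):
    """Decode a PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def open_active_data(target, control_port, bind_host="127.0.0.1"):
    """Server side: connect to the client's data port from control_port - 1."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Lets each new transfer reuse the same fixed source port.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((bind_host, control_port - 1))
        sock.connect(target)
    except OSError:
        # Includes PermissionError when the port is below 1024 and the
        # process lacks the privilege to bind it.
        sock.close()
        raise
    return sock


def observe_source_port(control_port, bind_source):
    """Client side: listen as after PORT, return the source port the server used."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    port_arg = "%s,%d,%d" % (host.replace(".", ","), port >> 8, port & 0xFF)
    target = parse_port_arg(port_arg)
    if bind_source:
        data = open_active_data(target, control_port)
    else:
        data = socket.create_connection(target)  # kernel picks an ephemeral port
    conn, peer = listener.accept()
    for s in (conn, data, listener):
        s.close()
    return peer[1]


if __name__ == "__main__":
    print("unbound:", observe_source_port(DEMO_CONTROL_PORT, False))
    print("bound:  ", observe_source_port(DEMO_CONTROL_PORT, True))
```

With a real control port of 21 the bind targets port 20, which fails with a permission error unless the process is allowed to bind ports below 1024.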