[Zope-dev] Trying to FTP to Zope running behind firewall, get login box but no directory listing

Richard Barrett R.Barrett@ftel.co.uk
Wed, 24 Apr 2002 10:58:16 +0100


At 17:52 23/04/2002 -0700, Jason Spisak wrote:
>It would appear that their FTP implementation is not working
>correctly, when connecting to a Zope FTP system behind a
>firewall.
>
>Zope is running on port 8880 and ftp service works fine from
>inside the firewall on port 8821.  From outside the firewall, I
>get a login prompt, enter my password, but then the directory
>listing never materializes.  Since I get the login prompt, it's
>not a firewall packet issue.

You cannot reach that conclusion without examining what the firewall is 
configured to do.

That said, I'm a little surprised that the incoming connection to port 8821 
was allowed through the firewall unless some attempt has been made to 
accommodate the Zope FTP server.

>Is this a known issue?  If anyone knows of any quick fixes for
>this, I'm wide open for ideas.

Allowing FTP through a firewall is a problem because of its need to use 
dynamically allocated high numbered ports (over 1024) for the data 
connections.

This is true for both normal and passive mode FTP although the precise 
nature of the problem will depend on whether you are trying to allow 
clients inside to FTP out or clients outside to FTP in.

A stateful firewall is often used as the solution to these problems.

But if the firewall is not configured to expect external FTP clients 
initiating incoming control connections to the port your Zope FTP server is 
listening on, i.e. 8821, then it may not make appropriate inspections of 
that control connection, leading to the subsequent data connections being 
disallowed. Your description of the problem hints at this sort of problem.

I'd talk to the maintainer of the firewall configuration as this is the 
most likely cause of the problem given that clients inside the firewall are 
able to use the Zope FTP server successfully.
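
The following is an added example, not part of the original message and not Zope or firewall vendor code. It shows the inspection a stateful firewall has to perform on the FTP control connection: reading the PORT command or the 227 passive-mode reply to learn which dynamically allocated port the data connection will use. The session lines, addresses and the function name are constructed for illustration.

```python
import re

# 227 reply (passive mode): the server advertises h1,h2,h3,h4,p1,p2 for the data socket.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT command (active mode): the client advertises where the server must connect back.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _endpoint(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in address/port tuple")
    # The port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expected_data_connections(control_lines, client_ip, server_ip):
    """Return (initiator, destination, port) for each data connection that
    the control channel announces. direction is "C" (client) or "S" (server)."""
    expected = []
    for direction, line in control_lines:
        if direction == "S":
            m = PASV_RE.match(line)
            if m:  # passive: the client opens the data connection inbound
                host, port = _endpoint(m.groups())
                expected.append((client_ip, host, port))
        else:
            m = PORT_RE.match(line)
            if m:  # active: the server opens the data connection to the client
                host, port = _endpoint(m.groups())
                expected.append((server_ip, host, port))
    return expected


# Constructed control-channel capture (documentation addresses, not real hosts).
SESSION = [
    ("S", "220 FTP server ready."),
    ("C", "USER demo"),
    ("S", "331 Password required."),
    ("C", "PASS ********"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "LIST"),
]

if __name__ == "__main__":
    for conn in expected_data_connections(SESSION, "198.51.100.7", "192.0.2.10"):
        print("firewall must allow %s -> %s:%d" % conn)
```

If the firewall does not apply this inspection to the control connection on port 8821, the login succeeds but the connection to the announced data port is dropped and the LIST never returns.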