[Zope] FTP server hangs on ls, put, get, ...

Robert Segall roseg at apsis.ch
Wed Oct 1 13:13:55 EDT 2003


On Wednesday 01 October 2003 19:02, Paul Winkler wrote:
> On Wed, Oct 01, 2003 at 10:33:43AM -0400, Ian Beatty wrote:
> > On Tue, 30 Sep 2003 15:02:39 -0400, Paul Winkler <pw_lists at slinkp.com> is
> > reputed to have said:
> > > Is the server behind a firewall?
> > > I've never been able to get ftp working through a firewall.
> >
> > Yes, it is. I've got Zope's FTP running on 8021 and that port in the
> > firewall is open.
> >
> > Hmmm... I just tried turning off the firewall entirely, and FTP works. So
> > maybe it's a firewall issue and not a Zope issue after all. My commercial
> > service provider for a different Zope site I manage (Zettai.net) has FTP
> > working, and they're very security conscious, so they must have figured
> > out how to make it work.
> >
> > If anyone listening can tell me what firewall rules I'll need, I'd be
> > grateful. Since it's no longer a Zope-specific issue, maybe you should
> > just email me off-list.
>
> Well, I think this is relevant to zope...
> I'd be very curious to know what zettai does since I've never been
> able to get it to work. I seem to recall that my problems were compounded
> by the address in question being NATted. Don't remember for sure.
>
> The problem is that ftp is a stupid protocol that uses two ports,
> and you never know ahead of time what the second port is going to be,
> so you can't tell the firewall what port(s) to leave open for ftp.
> Some people suggest "passive mode" on the client but that doesn't
> help: it just means that the client, not the server, determines
> what the second port will be.
>
> This document may help:
> http://slacksite.com/other/ftp.html

The description is correct (FTP uses several ports) and the usual solution
involves an FTP proxy in conjunction with a range of ports that are allowed
for its use. Thus you need:

- a firewall that allows connecting to ports 20, 21 and some other range (let's
say 55000-58000)
- an FTP proxy that is told to use this extra range for its connections
- possibly a port redirection to the proxy

And yes, FTP is a stupid (and insecure) protocol...
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
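
Added example, not part of the original message or of Zope: a Python check that reads the data port out of an FTP control-channel line (a PORT command or a 227 passive reply, as defined in RFC 959) and tests it against the inbound range suggested in the reply above. The function names, sample lines and addresses are constructed for illustration.

```python
import re

# Inbound policy taken from the reply above: ports 20, 21 and 55000-58000.
ALLOWED_INBOUND = [(20, 21), (55000, 58000)]

# Constructed control-channel lines (documentation addresses, not real hosts).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,215,216)",  # server listens on 55256
    "227 Entering Passive Mode (192,0,2,10,156,64)",   # server listens on 40000
    "PORT 203,0,113,5,19,137",                         # client listens on 5001
]

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or 227 reply, or None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line):
    """Return (mode, listener_ip, listener_port) for the data connection, or None."""
    upper = line.strip().upper()
    if upper.startswith("PORT "):
        mode = "active"    # client listens, server connects out to it
    elif upper.startswith("227"):
        mode = "passive"   # server listens, client connects in to it
    else:
        return None
    hp = parse_hostport(line)
    return None if hp is None else (mode, hp[0], hp[1])

def server_firewall_allows(line, allowed=ALLOWED_INBOUND):
    """True if the server's inbound filter would admit this data connection."""
    info = data_channel(line)
    if info is None:
        raise ValueError("not a PORT command or 227 reply")
    mode, _ip, port = info
    if mode == "active":
        return True        # outbound from the server; the client's firewall decides
    return any(lo <= port <= hi for lo, hi in allowed)

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_channel(line), server_firewall_allows(line))
```

The second sample line is the case from the subject line: login on the control port succeeds, but the data connection for ls, put or get is dropped because the advertised port is outside the allowed range.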


