Posted to ftpserver-dev@incubator.apache.org by Atul Gohad <ag...@gmail.com> on 2007/10/19 14:33:35 UTC

Problem with Passive mode on FTPServer.

Hello,

I have configured the FTP server using default listener port 21 and another
( customized ) listener using port 22.
The other properties are replicated as provided in the FTP server download.
When I run FTP server with this configuration on windows it works fine, but
on Linux ( RHEL ) it fails.

Basically when the clients try to open a Passive data port ( during commands
such as ls , put, get), the opening of data connection is failing.

Have a couple of questions here:
1. What is the mode in which normally FTP clients are supposed to connect (
Active / Passive )?
    What's the default / recommended mode of operation?
2. There is a property setting of
config.listeners.default.data-connection.passive.external-address=192.1.2.3 for
Apache FTP Server.
What is the significance of this property and what should be the value
provided for this? Should it be pointing to the ip address of the system
where the FTP server is running? I found this property somewhat related (
guessing by the name, and in the Server logs, it shows opening a passive
port connection on this ip with a random/ self generated port ). But not
sure if this configuration has something to do with the problem I see.

Any pointers on this would be really helpful.

Thanks,
Atul Gohad.

Ftplet Idle time

Posted by "Janardhanan, Ajith (AJANARDH)" <AJ...@arinc.com>.
I have an ftplet that needs to disconnect after 10 minutes of no
activity. I am calling the following method in my onConnect() method:


    public FtpletEnum onLogin(FtpSession session, FtpRequest request,
                              FtpReplyOutput response)
            throws FtpException, IOException
    {
        //set the max idle timeout
        session.setMaxIdleTime(10);
        return null;
    }


However, this does not seem to be working. Any idea what I am doing wrong?


Thanks
Ajith

Re: Problem with Passive mode on FTPServer.

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Monday 22 October 2007 00:57, Clinton Foster wrote:
> One solution to the SSL/TLS problem would be for the FTP server to handle
> the CCC command. An FTP client can send this command to the server to drop
> out of secure mode long enough to send the PASV command, giving the
> firewall an opportunity to rewrite the response with the correct address.
> The client can then send the AUTH/SSL or AUTH/TLS sequence to return to
> secure mode. I don't know if there are plans for Apache FTP to implement
> CCC, but it would be a nice enhancement.

The plans include attracting more participation from "fresh blood". If you 
feel you are up for this task, write the patch and you will likely be 
rewarded (the Apache way) for your effort... ;o)

Cheers
-- 
Niclas Hedhman, Software Developer

I  live here; http://tinyurl.com/2qq9er
I  work here; http://tinyurl.com/2ymelc
I relax here; http://tinyurl.com/2cgsug

Re: Problem with Passive mode on FTPServer.

Posted by Clinton Foster <cf...@us.axway.com>.
One other comment on this subject...

If the control connection came through a firewall or load balancer that is
FTP-aware (as most are these days), when the FTP server returns the PASV
response to the client, the firewall will see that it contains a local
address (e.g. 10.10.1.5) and rewrite it with an external address. So,
assuming you have a firewall or load balancer that has been configured
properly for FTP, you may not have to explicitly configure the FTP server
with an external address.

An exception is SSL/TLS: Since the control connection is encrypted, the
firewall cannot eavesdrop on the protocol conversation. To handle this case
there is really no choice but to explicitly tell the FTP server what
external address to return to the client in response to the PASV command.
That's the purpose of
config.listeners.default.data-connection.passive.external-address.

One solution to the SSL/TLS problem would be for the FTP server to handle
the CCC command. An FTP client can send this command to the server to drop
out of secure mode long enough to send the PASV command, giving the firewall
an opportunity to rewrite the response with the correct address. The client
can then send the AUTH/SSL or AUTH/TLS sequence to return to secure mode. I
don't know if there are plans for Apache FTP to implement CCC, but it would
be a nice enhancement.

Clint

On 10/20/07 4:35 AM, "Niklas Gustavsson" <ni...@protocol7.com> wrote:

> Atul Gohad wrote:
>> Hello,
>> Have a couple of questions here:
>> 1. What is the mode in which normally FTP clients are supposed to connect (
>> Active / Passive )?
>>     What's the default / recommended mode of operation?
> 
> When FTP was defined, Active mode was the normal. However, with the
> current frequent use of firewalls, passive is a better choice.
> 
> Most clients in my experience still have active as the default.
> 
>> 2. There is a property setting of
>> config.listeners.default.data-connection.passive.external-address=192.1.2.3 for
>> Apache FTP Server.
>> What is the significance of this property and what should be the value
>> provided for this? Should it be pointing to the ip address of the system
>> where the FTP server is running? I found this property somewhat related (
>> guessing by the name, and in the Server logs, it shows opening a passive
>> port connection on this ip with a random/ self generated port ). But not
>> sure if this configuration has something to do with the problem I see.
> 
> When the client tells the server that it wants to use passive mode (by
> sending the PASV commands), the server needs to tell the client where it
> should open the data connection (IP and port). Now, if the server is
> placed behind a NAT, the IP of the server box might not work for the
> client. Thus, this configuration tells the server to return that IP
> instead so that the client can connect via the NAT.
> 
> Your problem sounds like it could be as simple as a firewall on the
> Redhat box getting in the way.
> 
> Hope that helps!
> 
> /niklas
> 


Re: Problem with Passive mode on FTPServer.

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Atul Gohad wrote:
> Hello,
> Have a couple of questions here:
> 1. What is the mode in which normally FTP clients are supposed to connect (
> Active / Passive )?
>     What's the default / recommended mode of operation?

When FTP was defined, Active mode was the normal. However, with the 
current frequent use of firewalls, passive is a better choice.

Most clients in my experience still have active as the default.

> 2. There is a property setting of
> config.listeners.default.data-connection.passive.external-address=192.1.2.3 for
> Apache FTP Server.
> What is the significance of this property and what should be the value
> provided for this? Should it be pointing to the ip address of the system
> where the FTP server is running? I found this property somewhat related (
> guessing by the name, and in the Server logs, it shows opening a passive
> port connection on this ip with a random/ self generated port ). But not
> sure if this configuration has something to do with the problem I see.

When the client tells the server that it wants to use passive mode (by 
sending the PASV commands), the server needs to tell the client where it 
should open the data connection (IP and port). Now, if the server is 
placed behind a NAT, the IP of the server box might not work for the 
client. Thus, this configuration tells the server to return that IP 
instead so that the client can connect via the NAT.

Your problem sounds like it could be as simple as a firewall on the 
Redhat box getting in the way.

Hope that helps!

/niklas
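
Added example (not part of the original thread and not Apache FtpServer code): a Python check that parses the 227 reply to PASV and compares the advertised address with the address the client used for the control connection, which is the mismatch described in the replies above for a server behind NAT. The names `parse_pasv` and `diagnose` are chosen for this example, and it assumes the reply is read on the client side (with SSL/TLS that is the server's unmodified reply, since the firewall cannot rewrite it).

```python
import ipaddress
import re

# A 227 reply carries six comma-separated numbers: h1,h2,h3,h4,p1,p2.
# The surrounding text and parentheses vary between servers, so only the
# reply code and the number group are matched.
_PASV_RE = re.compile(
    r"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply; raise ValueError otherwise."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as high byte, low byte
    return ip, port


def diagnose(reply, control_peer):
    """Classify the PASV address against the address the client dialed.

    Returns (verdict, ip, port) where verdict is one of:
      "ok"                      - data address equals the control address
      "internal-address-leaked" - server advertised a private/loopback address,
                                  i.e. nothing rewrote it and no external
                                  address is configured on the server
      "address-mismatch"        - routable but different address; may be a
                                  deliberate external address, worth confirming
    """
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        return "ok", ip, port
    if ip.is_private or ip.is_loopback or ip.is_unspecified:
        return "internal-address-leaked", ip, port
    return "address-mismatch", ip, port
```

The advertised port matters as well: a host firewall on the server must accept inbound connections on it, which is the other cause suggested in the thread.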