Posted to issues@commons.apache.org by "daniel damon (JIRA)" <ji...@apache.org> on 2011/03/05 00:12:47 UTC
[jira] Created: (NET-363) Can't connect to a server behind firewall in passive mode
Can't connect to a server behind firewall in passive mode
---------------------------------------------------------
Key: NET-363
URL: https://issues.apache.org/jira/browse/NET-363
Project: Commons Net
Issue Type: Bug
Components: FTP
Affects Versions: 2.2
Environment: Windows Client with Zos mainframe server behind a firewall. However I think any client/server will demonstrate the issue as long as the server is behind a firewall.
Reporter: daniel damon
Priority: Blocker
When the FTP server is behind a firewall, FTPClient can connect, but it cannot transfer data. This is because the FTP server provides its own address instead of the firewall address to make the connection. I have confirmed the problem by hacking a copy of FTPClient to set the __passiveHost to the appropriate internet address. With this hack, I can transfer data.
Perhaps the FTP server could be configured differently to fix the issue. Unfortunately, I do not have access to the server configuration. I do know that the commercial product IpswitchFtp does deal with the issue, as this extract from its log shows:
------------
PASV
227 Entering Passive Mode (192,168,13,11,195,129)
connecting data channel to 192.168.13.11:195,129(50049)
Substituting connection address 159.106.121.79 for private address 192.168.13.11 from PASV
data channel connected to 159.106.121.79:195,129(50049)
LIST
125 List started OK
transferred 4157 bytes in 0.078 seconds, 425.688 kbps ( 53.211 kBps), transfer succeeded.
250 List completed successfully.
QUIT
----------------------------
I can take a shot at a fix if you want. I'll set some timeout, and if that fails, I'll use the original address.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004710#comment-13004710 ]
Sebb commented on NET-363:
--------------------------
Thanks, that's very helpful to know.
The fix is as follows:
If the PASV reply host is a local address, and the remote host is not local, then use the remote host address instead of the PASV reply. If both are local addresses, no changes are made.
I think this can only be a problem if there is some kind of NAT between the two local hosts, in which case I suspect the original connection would have to be made using a non-local address, and then the patch would apply.
If anyone finds otherwise, please re-open with details!
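The substitution rule described in the comment above, as an added example (not the code committed to Commons Net). It assumes "local" means what Java's InetAddress.isSiteLocalAddress() reports; the class and method names are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; PasvHostResolver and resolve() are hypothetical names, not Commons Net API. */
public class PasvHostResolver {

    // The six decimal fields h1,h2,h3,h4,p1,p2 carried in a 227 reply.
    private static final Pattern PASV_FIELDS = Pattern.compile(
            "(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})");

    /**
     * Returns "host:port" for the data connection. The address advertised in the
     * PASV reply is replaced by the control connection's peer only when the
     * advertised address is site-local and the peer is not.
     */
    static String resolve(String pasvReply, InetAddress controlPeer)
            throws UnknownHostException {
        Matcher m = PASV_FIELDS.matcher(pasvReply);
        if (!pasvReply.startsWith("227") || !m.find()) {
            throw new IllegalArgumentException("not a PASV reply: " + pasvReply);
        }
        int[] f = new int[6];
        for (int i = 0; i < 6; i++) {
            f[i] = Integer.parseInt(m.group(i + 1));
            if (f[i] > 255) {
                throw new IllegalArgumentException("field out of range: " + f[i]);
            }
        }
        // getByAddress() builds the address from raw bytes; no DNS lookup happens.
        InetAddress advertised = InetAddress.getByAddress(
                new byte[] {(byte) f[0], (byte) f[1], (byte) f[2], (byte) f[3]});
        int port = (f[4] << 8) | f[5];

        boolean substitute = advertised.isSiteLocalAddress()
                && !controlPeer.isSiteLocalAddress();
        InetAddress chosen = substitute ? controlPeer : advertised;
        return chosen.getHostAddress() + ":" + port;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Reply taken from the log in the report; the peer addresses in cases 2 and 3 are constructed.
        String reply = "227 Entering Passive Mode (192,168,13,11,195,129)";

        // 1. Server reached through its public address: peer replaces the private PASV host.
        System.out.println(resolve(reply, InetAddress.getByName("159.106.121.79")));
        // 2. Client and server on the same private network: PASV host is kept.
        System.out.println(resolve(reply, InetAddress.getByName("192.168.13.20")));
        // 3. Peer in a different private range: both are site-local, so the PASV
        //    host is kept even if the client cannot route to it.
        System.out.println(resolve(reply, InetAddress.getByName("10.1.2.3")));
    }
}
```

Case 3 is the private-to-different-private situation raised elsewhere in this thread: the rule leaves the PASV address untouched there.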
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "daniel damon (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002888#comment-13002888 ]
daniel damon commented on NET-363:
----------------------------------
Here is a diff for changes that I made that work for me:
28a29
> import java.net.SocketException;
285c286
<
---
> private boolean __useRemoteAddress = false;
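Review bot: The new field __useRemoteAddress at line 286 is sticky state that this diff only ever sets to true; nothing here resets it. An FTPClient instance reused for a second server would then ignore that server's PASV address from the first transfer on. Reset the flag wherever the client's per-connection state is cleared, or make the decision per PASV reply instead of caching it.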
592c593,602
< socket = _socketFactory_.createSocket(__passiveHost, __passivePort);
---
> //if __passiveHost fails, try the original InetAddress. Server may be behind firewall.
> if (__useRemoteAddress) {
> socket = _socketFactory_.createSocket(getRemoteAddress().getHostAddress(), __passivePort);
> }else try {
> socket = _socketFactory_.createSocket(__passiveHost, __passivePort);
> } catch (SocketException e) {
> socket = _socketFactory_.createSocket(getRemoteAddress().getHostAddress(), __passivePort);
> __useRemoteAddress=true;
> }
>
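Review bot: In the 592c593,602 hunk the fallback to getRemoteAddress() runs only when createSocket(__passiveHost, __passivePort) throws SocketException, so it depends on the advertised private address being unreachable from the client. If the client's own network has a host at that same private address, the connect can succeed against the wrong machine and no fallback happens; if packets to it are silently dropped, the first transfer blocks for the full connect timeout before falling back. Comparing the PASV address with the control connection's address when the reply is parsed would avoid probing the advertised address at all. Minor style point: "}else try {" hides the try inside the else; give the else branch its own braces.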
[jira] Resolved: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebb resolved NET-363.
----------------------
Resolution: Fixed
Fixed in SVN.
Please test if you can, and re-open if there are any problems.
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13003039#comment-13003039 ]
Sebb commented on NET-363:
--------------------------
Note that using EPSV - i.e. ftpclient.setUseEPSVwithIPv4(true) - may also help, and this is available in v2.2.
[jira] Updated: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebb updated NET-363:
---------------------
Fix Version/s: 3.0
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Damon Dan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004682#comment-13004682 ]
Damon Dan commented on NET-363:
-------------------------------
Yes, I confirm that your changes work. I tested it on the original situation where the FTP server is behind a NAT firewall and provides a private address. I also tested it on another FTP server that is on the same private address as the FTP Client. I assume your patch has special code to handle this situation because it works OK. The only other place that it might fail would be from one private network to another - different network. Say, from 192.168.xxx.xxx to 10.xxx.xxx.xxx. I can imagine a scenario where it might cause a failure, but it seems remote.
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Damon Dan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004639#comment-13004639 ]
Damon Dan commented on NET-363:
-------------------------------
Sorry - I've been out with the flu for the past couple of days.
But I suspect you are right. I'll see if I can test your changes.
Thanks,
Dan Damon
[jira] Commented: (NET-363) Can't connect to a server behind firewall in passive mode
Posted by "Sebb (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/NET-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13002901#comment-13002901 ]
Sebb commented on NET-363:
--------------------------
In NET-296 I wrote: "But can a local address ever be valid if the original address was not local? I suspect not."
If this is true, then the code that handles the PASV reply can set __passiveHost accordingly, and there would be no need to use the try/catch (or cache the result in __useRemoteHost).