Posted to ftpserver-dev@incubator.apache.org by Clinton Foster <cf...@us.axway.com> on 2007/06/01 01:23:29 UTC

Re: non local connection does not connect

This point may have been lost in my earlier append because it was a little
long-winded, but in addition to ensuring connections to passive ports are
allowed inbound through the firewall, you also have to ensure the IP address
the server sends in response to the client's PASV request is a valid
external address. This is not something the server can do automatically for
you. It doesn't know the external address of the firewall.

As I mentioned previously, most corporate firewalls are FTP-aware, and they
will automatically convert the local address in the server's PASV response
(e.g. 10.10.0.1) to the external address of the firewall (e.g.
172.25.32.55). One exception is if you are using a control port other than
21 you generally have to explicitly configure the firewall to be FTP-aware
on that port.

If the client is connecting over SSL, or if you are using a firewall that
isn't FTP-aware, you need to explicitly configure the FTP server with the
correct external address to send in response to PASV requests, e.g.:

config.listeners.default.data-connection.passive.external-address="x.x.x.x"

If this doesn't work, I could try and connect to your server to debug the
conversation if you send me the necessary information offline. One thing
that concerns me is that there are no further commands after PASV in your
debug log. Even if the server is sending back an unusable address, your
client should send the LIST or NLST request after the PASV request. Then it
should fail when it tries to open a connection to retrieve the listing. But
perhaps your client isn't logging anything at all if the LIST or NLST
attempt fails.

Clint

On 5/31/07 4:48 PM, "Ran" <ra...@gmail.com> wrote:

> Thanks Niklas,
> 
> Yes I have turned off the Windows firewall completely to test pasv data
> connections. What I have observed is:
> active has to be enabled to work with pasv connections, and the pasv port
> has to be set to 0 (auto).
> 
> May I ask for your conf file that works with inbound connections from the
> internet? There are some options in the conf that aren't documented
> (i.e. left blank) and I can't seem to get robust settings for internet
> users after many tries.
> 
> I still stick with this FTP server because I love the FTPlets. I myself am
> an innovative developer who loves open source solutions and extensions; I
> wonder how difficult it is to become an Apache committer.
> 
> Best Regards,
> Ran
> 
> On 5/31/07, Niklas Gustavsson <ni...@protocol7.com> wrote:
>> 
>> The log below indicates that you get the error when doing a listing
>> rather than switching directory. A listing would need to open the data
>> connection socket, something which might get stopped by a firewall. Have
>> you been able to shut down your firewall to test this without it?
>> 
>> /niklas
>> 
>> Ran wrote:
>>> When I try to switch directory I get a timeout error, any idea ?
>>> ==========================================
>>> Response:    257 "/d" is current directory.
>>> Command:    TYPE A
>>> Response:    200 Command TYPE okay.
>>> Command:    PASV
>>> Error:    Disconnected from server
>>> Error:    Could not retrieve directory listing
>>> Error:    Timeout detected!
>>> ==========================================
>>> 
>>> On 5/30/07, Ran <ra...@gmail.com> wrote:
>>>> 
>>>> Thanks Clint and Niklas,
>>>> For port range configuration on pasv ports, '123-125' seems to cause an
>>>> IllegalNumberFormat Exception; '123,124,125' works for me.
>>>> Why does an active mode directory listing take a second to respond,
>>>> whereas pasv mode is almost instant?
>>>> 
>>>> ran
>>>> 
>>>> On 5/30/07, Clinton Foster
>>>> <cf...@us.axway.com> wrote:
>>>>> 
>>>>> Ran,
>>>>> 
>>>>> I think you mentioned the firewall had been disabled, but just in
>>>>> case...
>>>>> 
>>>>> To handle clients that are connecting in passive mode (which is
>>>>> preferred), it is not sufficient to simply open port 21 on the
>>>>> firewall. If the server is behind a firewall and the client is
>>>>> connecting from outside the firewall, the firewall must be configured
>>>>> to dynamically open ports for inbound passive connections from any IP
>>>>> address that already has a control connection to the server. Most
>>>>> modern corporate firewalls can be configured to do this. Note that
>>>>> this won't work for SSL connections because the firewall can't monitor
>>>>> the control connection to figure out what passive port to dynamically
>>>>> open. Also, it won't work with simple firewalls like the Windows
>>>>> firewall. In either of these cases you have to explicitly configure
>>>>> the firewall to allow a range of ports for passive connections, and
>>>>> configure the allowed passive ports on the FTP server with the same
>>>>> range. (In the case of the Windows firewall this is tedious because it
>>>>> does not allow configuring a range.)
>>>>> 
>>>>> http://incubator.apache.org/ftpserver/configure-passive-ports.html
>>>>> 
>>>>> The other potential issue, as Niklas pointed out, is NAT. When the
>>>>> client sends the PASV command to the server, the server's response
>>>>> includes both the IP address and the port to which the client must
>>>>> connect to perform the data transfer. If the firewall is FTP-aware it
>>>>> will automatically rewrite the IP address with the external address of
>>>>> the firewall (instead of the local address of the server). Here again,
>>>>> this won't work in the case of SSL, and I'm pretty sure it won't work
>>>>> with the Windows firewall. To handle these cases the server must be
>>>>> explicitly configured with the external address of the firewall. I
>>>>> think the documentation has not yet been updated to reflect this, but
>>>>> I believe the configuration parameter is as follows:
>>>>> (Niklas, correct me if I'm wrong...)
>>>>> 
>>>>> config.listeners.default.data-connection.passive.external-address
>>>>> 
>>>>> Don't confuse this parameter with
>>>>> config.listeners.default.data-connection.passive.address, which is the
>>>>> local network interface that server sockets for accepting passive
>>>>> connections should bind to. (Normally you can leave the default for
>>>>> this one.)
>>>>> 
>>>>> Thanks to firewalls, hosting an FTP server is a little tricky from a
>>>>> configuration standpoint. Clients don't have to worry so much since
>>>>> passive connections are the norm these days, but this puts more onus
>>>>> on the server administrator. One thing that seems clear is that you
>>>>> should not use the Windows firewall if you are hosting an FTP server
>>>>> for non-trivial purposes.
>>>>> 
>>>>> We should probably add a section to the documentation about this
>>>>> general subject.
>>>>> 
>>>>> Clint Foster
>>>>> 
>>>>> 
>>>>> On 5/30/07 11:59 AM, "Niklas Gustavsson"
>>>> <ni...@protocol7.com> wrote:
>>>>> 
>>>>>> From the log it looks like you have a problem with opening the data
>>>>>> connection socket. It's likely due to a firewall or NAT issue. Since
>>>>>> you're in active mode, the server needs to be able to open a socket to
>>>>>> the client (and pass any firewalls, resolve the IP). You could try to
>>>>>> run in passive mode instead.
>>>>>> 
>>>>>> /niklas
>>>>>> 
>>>>>> Ran wrote:
>>>>>>> Now the server can't seem to retrieve the directory listing :-(
>>>>>>> I have my account directory set to E:\www\ftp\admin in the database.
>>>>>>> Could it be a slash problem?
>>>>>>> 
>>>>>>> thanks again,
>>>>>>> ran
>>>>>>> =================================
>>>>>>> Response:    230 User logged in, proceed.
>>>>>>> Command:    FEAT
>>>>>>> Response:    211-Extensions supported
>>>>>>> Response:    SIZE
>>>>>>> Response:    MDTM
>>>>>>> Response:    REST STREAM
>>>>>>> Response:    LANG en;zh-tw;ja;is
>>>>>>> Response:    MLST Size;Modify;Type;Perm
>>>>>>> Response:    AUTH SSL
>>>>>>> Response:    AUTH TLS
>>>>>>> Response:    MODE Z
>>>>>>> Response:    UTF8
>>>>>>> Response:    TVFS
>>>>>>> Response:    211 End
>>>>>>> Command:    SYST
>>>>>>> Response:    215 UNIX Type: Apache FTP Server
>>>>>>> Status:    Connected
>>>>>>> Status:    Retrieving directory listing...
>>>>>>> Command:    PWD
>>>>>>> Response:    257 "/" is current directory.
>>>>>>> Command:    TYPE A
>>>>>>> Response:    200 Command TYPE okay.
>>>>>>> Command:    PASV
>>>>>>> Error:    Disconnected from server
>>>>>>> Error:    Could not retrieve directory listing
>>>>>>> Error:    Timeout detected!
>>>>>>> ========================================
>>>>>>> 
>>>>>>> On 5/30/07, Ran <ra...@gmail.com>
>>>> wrote:
>>>>>>>> 
>>>>>>>> Removing localhost worked for me :-) thanks Dave.
>>>>>>>> However, I tried my real IP address instead of localhost in the
>>>>>>>> address element; weirdly, it didn't turn out any good.
>>>>>>>> 
>>>>>>>> thanks,
>>>>>>>> ran
>>>>>>>> 
>>>>>>>> On 5/30/07, Dave Roberts
>>>>>>>> <da...@saaconsultants.com>
>>>> wrote:
>>>>>>>>> 
>>>>>>>>> Ran wrote:
>>>>>>>>>> I tried turning off the Windows firewall; it didn't work.
>>>>>>>>>> I created a couple of accounts; I could only log in with them
>>>>>>>>>> when connecting to localhost.
>>>>>>>>> 
>>>>>>>>> Your config is set to create the listener on the localhost only.
>>>>>>>>> This means the loopback interface (which has an IP address of
>>>>>>>>> 127.0.0.1). Therefore the server can only accept connections that
>>>>>>>>> come in on that interface - which results in what you are seeing:
>>>>>>>>> connections work when you use "localhost", but not when you use
>>>>>>>>> your real hostname or real IP address.
>>>>>>>>> 
>>>>>>>>> In your config, remove the localhost setting from the <address>
>>>>>>>>> parameter, and this will tell the server to open up a listener on
>>>>>>>>> all interfaces for your system. You'll then be able to access it
>>>>>>>>> using your real hostname, and from other machines.
>>>>>>>>> 
>>>>>>>>> Hope this makes sense.
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>> 
> 
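
The PASV/NAT interaction Clint describes above, as an added Python example
that is not code from Apache FtpServer or from anyone in this thread: it
parses and builds the RFC 959 "227" reply, models what an FTP-aware firewall
does to that reply crossing NAT (and why it cannot when the control
connection is under SSL/TLS), and flags the two failure modes from the thread,
a loopback or private address advertised to an external client and a data
port outside the allowed passive range. The addresses 10.10.0.1, 203.0.113.10
and 198.51.100.7 and the passive range 123-125 are constructed sample values;
the private-address test is an explicit loopback/RFC 1918/link-local list
rather than ipaddress.is_private, so that the documentation-range sample
addresses count as public, which is the scenario under discussion.

```python
# Added example (not from Apache FtpServer or anyone in this thread): what a
# server advertises in its PASV reply, what an FTP-aware firewall does to it,
# and a check for the misconfigurations discussed above. All addresses, ports
# and reply strings below are constructed sample values.
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Parentheses and
# wording vary between servers, so only the six comma-separated numbers are
# relied on; the lookbehind rejects a run of more than three digits.
_PASV_RE = re.compile(
    r"^227\b.*?(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# Addresses a client outside the firewall can never reach: loopback, RFC 1918
# and link-local. Listed explicitly instead of using ipaddress.is_private so
# the check is deterministic and the documentation-range sample addresses
# (203.0.113.0/24, 198.51.100.0/24) count as public.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply, or raise ValueError."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]   # p1*256 + p2
    if port == 0:
        raise ValueError("port 0 in PASV reply: %r" % reply)
    return ip, port


def build_pasv_reply(ip, port):
    """Format the 227 reply a server sends for the given address and port."""
    if not 0 < port <= 65535:
        raise ValueError("bad port %d" % port)
    octets = str(ipaddress.IPv4Address(ip)).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (octets, port >> 8, port & 0xFF)


def is_unroutable(ip):
    """True for loopback, RFC 1918 and link-local addresses."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in _UNROUTABLE)


def ftp_aware_rewrite(reply, firewall_external_ip, control_encrypted=False):
    """Model the firewall's PASV fix-up on a reply crossing NAT: the server's
    local address is replaced by the firewall's external address. With the
    control connection under SSL/TLS the firewall cannot read the reply, so it
    passes through untouched; that is when passive.external-address is needed."""
    if control_encrypted:
        return reply
    _, port = parse_pasv_reply(reply)
    return build_pasv_reply(firewall_external_ip, port)


def diagnose_pasv(reply, client_ip, allowed_ports=None):
    """List why a client at client_ip could fail to open the data connection
    the reply points it at. An empty list means nothing obviously wrong."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if ipaddress.IPv4Address(ip).is_loopback:
        problems.append("advertised loopback address %s" % ip)
    elif is_unroutable(ip) and not is_unroutable(client_ip):
        problems.append("advertised private address %s to external client %s; "
                        "set passive.external-address" % (ip, client_ip))
    if allowed_ports is not None and port not in allowed_ports:
        problems.append("port %d is outside the allowed passive range" % port)
    return problems


if __name__ == "__main__":
    client = "203.0.113.10"            # constructed external client
    allowed = range(123, 126)          # passive ports 123-125, as in the thread
    for reply in (build_pasv_reply("127.0.0.1", 124),   # listener bound to localhost
                  build_pasv_reply("10.10.0.1", 1234),  # local address, port outside range
                  ftp_aware_rewrite(build_pasv_reply("10.10.0.1", 124), "198.51.100.7"),
                  ftp_aware_rewrite(build_pasv_reply("10.10.0.1", 124), "198.51.100.7",
                                    control_encrypted=True)):
        print(reply, "->", diagnose_pasv(reply, client, allowed) or "ok")
```

Run it against a real server by pasting the 227 line from the client's debug
log into diagnose_pasv together with the client's public address and the
passive range configured on the server and the firewall: the first two
problems it reports are exactly the two settings Clint lists, the advertised
external address and the allowed passive ports.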


response.write() question

Posted by "Janardhanan, Ajith (AJANARDH)" <AJ...@arinc.com>.
I have an ftplet from which I am calling my code to display the messages
in a JMS queue, when the user does a list command. I am getting the
message size and message id  from the JMS system and displaying it at
the ftp command window by the following code:


 // Imports assumed for the Ftplet API of this (pre-1.0) FtpServer release; the
 // JMS/MQ types (Message, MQException) and the msgList, queue, gmo and log
 // members come from the surrounding class, which the post does not show.
 import java.io.IOException;
 import org.apache.ftpserver.ftplet.*;

 public FtpletEnum onListStart(FtpSession session, FtpRequest request,
                               FtpReplyOutput response)
                       throws FtpException, IOException {
     // for all the messages in the msgList, display the list info
     // (was i <= msgList.size(): one past the end, so the last pass throws
     // IndexOutOfBoundsException, which the MQException catch does not handle)
     for (int i = 0; i < msgList.size(); i++) {
         try {
             msg = (Message) msgList.get(i);
             queue.get(msg, gmo);
             // one reply per message, written to the control connection
             response.write(new DefaultFtpReply(msg.size(), msg.id));
         } catch (MQException ex) {
             log(ex.toString());   // was ex.toString without parentheses
         }
     }
     // let the server's own LIST handling continue after the ftplet
     return FtpletEnum.RET_DEFAULT;
 }

Now, the problem is that on the user's ftp command window, not all the
list elements are printed. I think at response.write() there is some
kind of buffering going on and the buffer is flushed only at the time of
exit from ftp. I would appreciate it if anyone can point me to where I am
making the mistake, or to a better way of doing it.


Thanks
Ajith

Re: non local connection does not connect

Posted by Ran <ra...@gmail.com>.
Thanks Clinton, your explanation was very informative.

On 5/31/07, Clinton Foster <cf...@us.axway.com> wrote:
>
> This point may have been lost in my earlier append because it was a little
> long-winded, but in addition to ensuring connections to passive ports are
> allowed inbound through the firewall, you also have to ensure the IP
> address
> the server sends in response to the client's PASV request is a valid
> external address. This is not something the server can do automatically
> for
> you. It doesn't know the external address of the firewall.


There are only three addresses I could try: 127.0.0.1, 192.168.0.2 and
24.83.*.*
so I tried them all and guess which one worked ;-)
