MLSD disconnects from remote site

[spindler]

I have recently set up ftp access to my server and I have been able to make a connection from within the office environment using a DIR-655 wireless router. Everything works fine.

My server requires that I use active mode and the external address. http://ip.filezilla-project.org/ip.php in order to make the connection within the office network.

I am now continuing to test my FTP access by using a public access point at a coffee shop. I cannot log in and I am not sure where the issue might be. I am thinking there are three possibilities.

1. An issue with the coffee shop router....which I cannot change.
2. An issue with filezilla version 3.3.5.1
3. Or an issue with the DIR-655 at the office. ports 20 and 21 point to my server.

The Filezilla error log looks like this:

Status: Connecting to 100.240.189.141:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 09:42. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER XXXX
Response: 331 User XXXX OK. Password required
Command: PASS **********
Response: 230-User XXXX has group access to: XXXX fuse plugdev
Response: 230- video dip tape floppy cdrom fax
Response: 230- dialout adm
Response: 230 OK. Current directory is /home/XXXX
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: UTF8
Response: TVFS
Response: ESTA
Response: PASV
Response: EPSV
Response: SPSV
Response: ESTP
Response: 211 End.
Command: OPTS UTF8 ON
Response: 200 OK, UTF-8 enabled
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/XXXX" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 216,126,105,132,195,115
Response: 200 PORT command successful
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

WHEN I GO TO A SECOND COFFEE SHOP I GET A LITTLE MORE INFORMATION.

Response: 200 TYPE is now 8-bit binary
Command: PORT 199,247,233,28,196,168
Response: 200 PORT command successful
Command: MLSD
Response: 425 Could not open data connection to port 50344: Connection refused
Error: Failed to retrieve directory listing


Quesitions:

1. I do not have any of the following ports open as listed above in the 5th last line --> " Command: PORT 216,126,105,132,195,115" or Command: PORT 199,247,233,28,196,168 Is this important?

2. What could the issue be? I am not sure why it stopped at MLSD. I do not see this within the office network.

Thanks Spindler

[botg]

Any particular reason you're using active mode? Try switching to passive mode, it's generally more firewall friendly, especially if using FTP in public networks which are universally ill-configured.

[boco]

That would probably be fruitless. There are no data ports forwarded at the office so the problem is the same. FTP NAT to NAT doesn't work without forwarded data ports on at least one of the two sides.

[spindler]

I have ports 80, 20 and 21 forward on my DIR-655 router to point to my webserver. I also have ports 12000 -12100 open as pasvport so the server can communicate back to filezilla.

[boco]

You have Passive ports forwarded on the Office router. As the name implies, Passive ports are for Passive mode. For Active mode the data ports must be forwarded at the client side.

So, from the remote locations outside the office, do you use Passive mode as required?

[spindler]

I used the "network configuration wizard of FileZilla and set up the following parameters.

Default transfer mode: Passive... fall back to active mode.
Get external IP address from URL: http://ip.filezilla-project.org/ip.php
Use the following port range : 12000 - 12100
Then I test the connection...... and get the following.

Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.4.0
Response: 230 logged on.
Checking for correct external IP address
Retrieving external IP address from http://ip.filezilla-project.org/ip.php
Checking for correct external IP address
IP 199.247.233.28 bjj-ceh-cdd-ci
Response: 200 OK
PREP 12093
Response: 200 Using port 12093, data token 951953545
PORT 199,247,233,28,47,61
Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 503 Failure of data connection.
Server sent unexpected reply.
Connection closed

WHEN I CHANGE THE SETTING TO:

Default transfer mode: Passive... fallback to external IP address
Get external IP address from URL: http://ip.filezilla-project.org/ip.php
Use the following port range : 12000 - 12100
Then I test the connection...... and get the following.

Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.4.0
Response: 230 logged on.
Checking for correct external IP address
Retrieving external IP address from http://ip.filezilla-project.org/ip.php
Checking for correct external IP address
IP 199.247.233.28 bjj-ceh-cdd-ci
Response: 200 OK
PREP 12097
Response: 200 Using port 12097, data token 35044428
PORT 199,247,233,28,47,65
Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 503 Failure of data connection.
Server sent unexpected reply.
Connection closed

The above test results have been taken while I sit at a coffee shop. When I use these settings within my Office they both work fine.

........
The below test was done from inside my office network.

Default transfer mode: Passive... fall back to active mode.
Get external IP address from URL: http://ip.filezilla-project.org/ip.php
Use the following port range : 12000 - 12100
Then I test the connection...... and get the following.


Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.4.0
Response: 230 logged on.
Checking for correct external IP address
Retrieving external IP address from http://ip.filezilla-project.org/ip.php
Checking for correct external IP address
IP 199.247.183.140 bjj-ceh-bid-bea
Response: 200 OK
PREP 12100
Response: 200 Using port 12100, data token 1485249050
PORT 199,247,183,140,47,68
Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 200 Successful
QUIT
Response: 200 goodbye!
Connection closed

So as long as I stay within my well configured router everything is fine. Once I go outside and use someones else's system then things do not go well.

[boco]

The network test in FileZilla Client always tests Active mode only. That's because Active mode requires configuration on the client side. Passive mode does not require any client configuration and works out of the box. So ''Use the following port range'' in FileZilla Client is not relevant.

Passive mode requires correct server side configuration.
1. Passive TCP range forwarded - would be the 12000 -12100 range you used, that's 101 ports. Note that it's recommended to have your port range in the 49152-65535 region, e. g. 50000-50099.
2. FTP TCP listening port forwarded, that's port 21 in your case. Port 20 is a myth and not required.
3. All ports from 1. and 2. opened in every server-side firewall.
4. Passive port range must be entered as Custom port range into the server's Passive settings so it will be used in PASV replies.
5. The FTP server must know the server side's current external IP, either via the ''Retrieve'' or ''Use this IP'' options.
6. Any stateful inspection of FTP traffic (read: sabotage) must be disabled.

Normally I recommend to test your FTP server using https://ftptest.net/, but personally, I wouldn't trust the Coffee shop browsers sufficiently to do that (you have to enter your login data to test).

Network Configuration

[spindler]

I used the tool you pointed to and I found that my linux server does not have the external ip address. Here is the error.

Command: TYPE I

Reply: 200 TYPE is now 8-bit binary

Command: PASV

Reply: 227 Entering Passive Mode (192,168,1,185,82,112)

Error: Server returned unroutable private IP address in PASV reply


Do you know how to setup a Linux server to know its external IP address?

[botg]

The server's manpage should contain instructions.

[spindler]

Actually i found out that my router has a problem working with internal and external IP address. I am using the D-link DIR-655.

This problem is above the D-link phone technical support.

I read somewhere that I need to disable SPI and set the NAT endpoint to independent endpoint in the router. This did not solve the issue.

So I am now waiting for D-link level 3 support.

Does any know about the issues with the D-link Dir-655? Any idea how to set it up so it can do a simple FTP? Should be simple enough ftp has be around longer then the internet.

[spindler]

I think I found a work around.

Since I am using a linux server I can just go through a different port and access the server though ssh and winscp.


Thanks for all of your help. Without it I was lost.

[boco]

Should be simple enough ftp has be around longer then the internet.

Exactly that is the problem. FTP is much older than any firewall or security crap thrown at you today. The internet was a closed system then and demands were a lot different than today. FTP simply doesn't tolerate any data sabotage, it expects an unaltered traffic stream.

If you can live with having a non-default listening port, do that. Most routers only sabotage FTP traffic on port 21, but if you use another, say 2100, they leave you alone. Worth a try. In every case the FTP server needs to send the correct IP (external one for external connections, internal one for LAN connections).

Edit: SSH is encrypted, routers can't read it. And FileZilla can do SFTP, too.