Server ignores passive port range

Cyspoz
504 Command not implemented
Posts: 8
Joined: 2008-07-22 06:56
First name: Cyspoz
Last name: Zopsyc

Server ignores passive port range

#1 Post by Cyspoz » 2009-06-26 11:48

I get the impression that the FileZilla server is ignoring the configured passive port range. If I test with https://ftptest.net/ I see this in the results:

Reply: 227 Entering Passive Mode (*,*,*,*,241,240))

The port range is configured to be 10000-11024 and that is also the range that is forwarded on the NAT router. The external IP address is correctly configured on the FileZilla Server.
Last edited by Cyspoz on 2009-06-26 13:00, edited 1 time in total.

Re: Server ignores passive port range

#2 Post by Cyspoz » 2009-06-26 13:00

Just discovered that the above is not completely correct. The website reports the following:

Status: Resolving address of *.*.*.*
Status: Connecting to *.*.*.*
Status: Connected, waiting for welcome message
Reply: 220-Welcome to the **************
Reply: 220 Server.
Command: CLNT https://ftptest.net/ on behalf of *.*.*.*
Reply: 200 Don't care
Command: USER Test
Reply: 331 Password required for test
Command: PASS Test
Reply: 230 Logged on
Command: FEAT
Reply: 211-Features:
Reply: MDTM
Reply: REST STREAM
Reply: SIZE
Reply: MODE Z
Reply: MLST type*;size*;modify*;
Reply: MLSD
Reply: UTF8
Reply: CLNT
Reply: MFMT
Reply: 211 End
Command: PWD
Reply: 257 "/" is current directory.
Status: Current path is /
Command: TYPE I
Reply: 200 Type set to I
Command: PASV
Reply: 227 Entering Passive Mode (*,*,*,*,237,220))
Command: MLSD
Error: Failed to establish data connection: Connection refused

While the server log shows this for the very same connection:

(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> Connected, sending welcome message...
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> 220-Welcome to the ************
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> 220 Server.
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> CLNT https://ftptest.net/ on behalf of *.*.*.*
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> 200 Don't care
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> USER Test
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> 331 Password required for test
(000005) 26-6-2009 14:55:55 - (not logged in) (62.75.138.232)> PASS ****
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 230 Logged on
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> FEAT
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 211-Features:
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  MDTM
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  REST STREAM
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  SIZE
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  MODE Z
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  MLST type*;size*;modify*;
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  MLSD
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  UTF8
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  CLNT
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)>  MFMT
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 211 End
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> PWD
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 257 "/" is current directory.
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> TYPE I
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 200 Type set to I
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> PASV
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 227 Entering Passive Mode (*,*,*,*,39,19)
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> MLSD
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> disconnected.

Does this mean that my router is modifying the data?

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Server ignores passive port range

#3 Post by botg » 2009-06-26 16:42

> Does this mean that my router is modifying the data?

Possibly, can also be your firewall.

bifter
500 Command not understood
Posts: 2
Joined: 2009-06-26 12:40
First name: Oli
Last name: Philp

Re: Server ignores passive port range

#4 Post by bifter » 2009-06-26 17:12

I've got exactly the same issue and am similarly baffled. My FTP server is working fine and seems to be notifying a port within the specified port range (50000-50099), e.g. the log shows...

227 Entering Passive Mode (*,*,*,*,195,98)

...which is port 50018 and is within the port range but that doesn't match the port that the web site appears to be reporting.

227 Entering Passive Mode (*,*,*,*,232,220)

...which equals 59612 and is outside of the port range. I don't understand it myself so that's no use to you but at least you're not alone!

I had thought that it might be my ISP doing the translations, once the packets had left my router. I reasoned that if I stopped forwarding the port range in my router and FTP stopped working this would confirm it, however FTP has continued to work. I've also found that I don't need to forward any ports in my Windows firewall!!!

My set up is as follows:

FTP server runs on a PC, which is connected to a second PC via a crossover cable. The second PC has a wireless NIC, which connects to a wireless router, which is connected by ethernet to a cable modem. I use a network bridge to allow the FTP server to connect to the Net. On the second PC I have configured Windows Firewall (Advanced/Services) to channel FTP Server traffic to the FTP Server. As stated, I don't have any ports within the specified range open on my router, nor have I any of those ports specified as exceptions in the firewall on either PC (switching off either or both firewalls doesn't impede FTP). In addition I found that I don't have to specify my external IP in the PASV settings in FileZilla, in fact if I do, FTP stops working! Do I just have a very clever router or is it my ISP?

...I'm not complaining but how the hell can it possibly be working?

boco
Contributor
Posts: 26935
Joined: 2006-05-01 03:28
Location: Germany

Re: Server ignores passive port range

#5 Post by boco » 2009-06-26 21:44

> Do I just have a very clever router

No, you have a dumb router/firewall that is modifying FTP traffic without your consent. This *MAY* work for plain, unencrypted FTP (many people have problems with it), but it leaves the user totally in the dark.

A simple test: Change the listening port from 21 to, say, 2121. Then try the tester again. As most routers only modify FTP traffic on port 21, it should now behave differently.
If you can, enable FTPES and try an SSL Explicit connection with this tester: http://g6ftpserver.com/ftptest . A router/firewall cannot modify encrypted traffic.

Malicious hardware is explained in Network Configuration.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
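
Added example, not part of the thread and not FileZilla code: a Python check that decodes the 227 replies in the server log and in the tester output (both strings are copied from post #2) and flags a passive port that was changed in transit. The function names and the dictionary layout are assumptions made for this illustration.

```python
import re

# 227 reply: four host fields (masked with '*' in this thread's logs), then the
# two port bytes p1,p2. The announced data port is p1 * 256 + p2.
PASV_RE = re.compile(r"\b227 [^(\n]*\((?:[\d*]{1,3},){4}(\d{1,3}),(\d{1,3})\)")

def pasv_ports(log_text):
    """Return the data port announced by each 227 reply found in a log."""
    ports = []
    for m in PASV_RE.finditer(log_text):
        p1, p2 = int(m.group(1)), int(m.group(2))
        if p1 > 255 or p2 > 255:
            continue  # not a valid pair of port bytes, skip it
        ports.append(p1 * 256 + p2)
    return ports

def audit(server_log, client_log, lo, hi):
    """Pair the Nth 227 the server sent with the Nth 227 the client received."""
    findings = []
    for sent, seen in zip(pasv_ports(server_log), pasv_ports(client_log)):
        findings.append({
            "sent": sent,
            "seen": seen,
            "sent_in_range": lo <= sent <= hi,
            "seen_in_range": lo <= seen <= hi,
            "rewritten": sent != seen,  # a middlebox changed the reply
        })
    return findings

# Lines taken from post #2: what the server logged and what the tester received.
SERVER_LOG = """\
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> PASV
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> 227 Entering Passive Mode (*,*,*,*,39,19)
(000005) 26-6-2009 14:55:55 - test (62.75.138.232)> MLSD
"""
TESTER_LOG = """\
Command: PASV
Reply: 227 Entering Passive Mode (*,*,*,*,237,220))
Command: MLSD
"""

if __name__ == "__main__":
    # Passive range from post #1: 10000-11024
    for f in audit(SERVER_LOG, TESTER_LOG, 10000, 11024):
        print(f)
```

A finding with `rewritten` set while `sent_in_range` is true means the server honoured its configured range and something between server and client altered the reply.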

Re: Server ignores passive port range

#6 Post by bifter » 2009-06-26 23:59

Magic, thanks for your reply. Obviously I had to configure a couple of settings but, when I got the connection up and running, the web site then tried to use the actual port specified. Of course, without punching all the port range holes in the router, the LIST failed but at least this proves that the router is the culprit.

I appreciate what you are saying about this behaviour, there is nothing in the literature that came with the router to suggest that it will do this, which isn't helpful. However, if the firewalls and router can handle all the port forwarding and it works for anonymous ftping that suits me, it will probably only be used occasionally. I've set one folder to read only and one as write only as a precaution against tampering.

Thanks again for helping me isolate this!

Re: Server ignores passive port range

#7 Post by Cyspoz » 2009-06-29 06:41

Just changed my server port from 21 to 1021 and all problems are solved. A shame that those routers have this behaviour and that there is no way to disable it.

By the way, I suggest adding this FTP Test website http://g6ftpserver.com/ftptest to the FAQ. https://ftptest.net/ only supports regular FTP traffic while this one also supports SFTP.

Re: Server ignores passive port range

#8 Post by boco » 2009-06-29 15:12

> https://ftptest.net/ only supports regular FTP traffic

...at the moment. :wink: I'm pretty sure it will support SSL in the future.