Hi,
I have a problem with FileZilla Server 0.8.9
As client I'm using the BSD ftp from a standard Debian GNU/Linux install.
The client I try to connect from sits behind a firewall. The Firewall is configured to drop packets on unprivileged ports with the SYN flag set.
When I try to open a passive data connection the FileZilla Server tries to build a new connection, which gets blocked because the SYN flag is set.
192.168.1.1 being the FileZilla server and 192.168.2.2 being the client
Jun 2 13:31:31 host kernel: Packet log: input DENY eth1 PROTO=6 192.168.1.1:63672 192.168.2.2:15925 L=48 S=0x00 I=559 F=0x4000 T=116 SYN (#192)
I wonder why the server sends a SYN Packet while an ACK on the Client packet should suffice?
From the Server log
> 215 UNIX emulated by FileZilla
> FEAT
> 500 Syntax error, command unrecognized.
> PWD
> 257 "/" is current directory.
> EPSV
> 229 Entering Extended Passive Mode (|||3804|)
> EPRT |1|192.168.2.2|15920|
> 200 Port command successful
> LIST
> 150 Opening data channel for directory list.
> ABOR
> 500 Syntax error, command unrecognized.
> 425 Can't open data connection.
> EPRT |1|192.168.2.2|15925|
> 200 Port command successful
> LIST
> 150 Opening data channel for directory list.
> ABOR
> 500 Syntax error, command unrecognized.
> 425 Can't open data connection.
> QUIT
> 221 Goodbye
> disconnected.
The server isn't administrated by me so I don't know nothing about the settings on the server side, but I'd be glad to provide more Information if someone can tell me what the interesting configuration Parameters are.
TIA
marc
Problem with FileZilla Server and EPSV
Moderator: Project members
[quote]
When I try to open a passive data connection the FileZilla Server tries to build a new connection, which gets blocked because the SYN flag is set.
[quote]
Actually the last command in the log before LIST is EPRT, so the client wants to create an active mode transfer.
As a result the server has to connect to the port specified by the client. While FZ does not use raw sockets, the underlying tcp/ip stack then sends a SYN packet. The client should then reply by SYN/ACK, and the server should reply with ACK.
My guess is, that your client can't parse the IP-less EPSV command reply (which is valid according to RFC 2428).
When I try to open a passive data connection the FileZilla Server tries to build a new connection, which gets blocked because the SYN flag is set.
[quote]
Actually the last command in the log before LIST is EPRT, so the client wants to create an active mode transfer.
As a result the server has to connect to the port specified by the client. While FZ does not use raw sockets, the underlying tcp/ip stack then sends a SYN packet. The client should then reply by SYN/ACK, and the server should reply with ACK.
My guess is, that your client can't parse the IP-less EPSV command reply (which is valid according to RFC 2428).
First of all thanks for your reply.
[quote]
Actually the last command in the log before LIST is EPRT, so the client wants to create an active mode transfer.
[quote]
True, I've overlooked this, the question for me is now why does he fallback to active mode.
I have sniffed the traffic with tcpdump, and I can see that the Filezilla Server sends a ZeroWindow RST,ACK.
1. The client sends the EPSV Request,
2. the server answers with 229 Entering Extended Passive Mode (|||3804|)
3. the client sends a SYN to the Server on 3804
4. the client sends an ACK to (2.) the "Entering Extended Passive Mode" packet
5. the server answers with a ZeroWindow RST/ACK to the (3.) SYN packet.
6. client falls back to active mode
I've tried to connect to other Servers with passive mode and have no problems with it.
1-4 are the same but instead of 5 the server sends a SYN/ACK and the client answers with ACK.
I can upload the tcpdump to my webserver if you want to take a look at it.
[quote]
My guess is, that your client can't parse the IP-less EPSV command reply (which is valid according to RFC 2428).
[quote]
I don't think the problem lies in there, I have no problems with an IP-less EPSV answer from another server, and tried different ftp client programs lftp, gftp lukemftp (all of them were unix clients though)
Could it be a configuration issue on the server side? Something like force active mode?
thanks again for your help
[quote]
Actually the last command in the log before LIST is EPRT, so the client wants to create an active mode transfer.
[quote]
True, I've overlooked this, the question for me is now why does he fallback to active mode.
I have sniffed the traffic with tcpdump, and I can see that the Filezilla Server sends a ZeroWindow RST,ACK.
1. The client sends the EPSV Request,
2. the server answers with 229 Entering Extended Passive Mode (|||3804|)
3. the client sends a SYN to the Server on 3804
4. the client sends an ACK to (2.) the "Entering Extended Passive Mode" packet
5. the server answers with a ZeroWindow RST/ACK to the (3.) SYN packet.
6. client falls back to active mode
I've tried to connect to other Servers with passive mode and have no problems with it.
1-4 are the same but instead of 5 the server sends a SYN/ACK and the client answers with ACK.
I can upload the tcpdump to my webserver if you want to take a look at it.
[quote]
My guess is, that your client can't parse the IP-less EPSV command reply (which is valid according to RFC 2428).
[quote]
I don't think the problem lies in there, I have no problems with an IP-less EPSV answer from another server, and tried different ftp client programs lftp, gftp lukemftp (all of them were unix clients though)
Could it be a configuration issue on the server side? Something like force active mode?
thanks again for your help
Pretty late reply I know, so just for the records:
(I hate that :)
The Problem is resolved and I want to thank you again for your fast help.
marc
there was a linux firewall in front of the FTP Server which NATed the connections to/from the Windows machine which is running the Filezilla Server. Noone told me about that machine, so I searched in the wrong place.Now that's strange. What Windows version (+service packs) are you running FZ Server on?
Also, are there any active firewalls on the Windows machine?
(I hate that :)
The Problem is resolved and I want to thank you again for your fast help.
marc