PASV not working, EPSV and PORT do? Newb

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

PASV not working, EPSV and PORT do? Newb

#1 Post by chrismac » 2006-12-13 21:08

I'm running v0.9.20b. I can get connections to my server using PORT (Active) and EPSV (Extended passive), but not PASV (passive). I have a firewall and a router that have ports forwarded. I've tested connections using a couple of web ftp test sites (http://www.g6ftpserver.com/en/ftptest and http://www.web2ftp.com). The gene6 site allows you to test pasv and epsv connections. The epsv test works fine, but I can't connect using pasv. All PORT connections work fine.

I'm having the same trouble if a client using windows explorer or IE tries to connect in passive mode - they can't connect - it just hangs a bit and times out, but when passive mode is disabled, they can connect. I'd like to be able to use passive mode - could any one help me out?

I'm thinking that it has something to do with the ports that are open for PASV. I don't think the pasv client is negotiating for one of the ports I've specified in my passive port range (though EPSV seems to do it fine). Do I need to open a separate set of "standard" PASV ports on my router and firewall, and deselect the custom port range on filezilla? If I do, what are they?

EPSV log (this seems to work fine):
(000005) 12/13/2006 15:35:59 PM - (not logged in) (87.98.200.117)> Connected, sending welcome message...
(000005) 12/13/2006 15:35:59 PM - (not logged in) (87.98.200.117)> 220-FileZilla Server version 0.9.20 beta
(000005) 12/13/2006 15:35:59 PM - (not logged in) (87.98.200.117)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000005) 12/13/2006 15:35:59 PM - (not logged in) (87.98.200.117)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000005) 12/13/2006 15:36:00 PM - (not logged in) (87.98.200.117)> USER delme
(000005) 12/13/2006 15:36:00 PM - (not logged in) (87.98.200.117)> 331 Password required for delme
(000005) 12/13/2006 15:36:00 PM - (not logged in) (87.98.200.117)> PASS *****
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> 230 Logged on
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> PWD
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> 257 "/" is current directory.
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> CLNT Testing from http://www.g6ftpserver.com/ftptest from IP xxx.xxx.xxx.xxx
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> 200 Don't care
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> FEAT
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> 211-Features:
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> MDTM
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> REST STREAM
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> SIZE
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> MLST type*;size*;modify*;
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> MLSD
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> UTF8
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> CLNT
(000005) 12/13/2006 15:36:00 PM - delme (87.98.200.117)> 211 End
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> EPSV
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> 229 Entering Extended Passive Mode (|||5752|)
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> TYPE A
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> 200 Type set to A
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> LIST
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> 150 Connection accepted
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> 226 Transfer OK
(000005) 12/13/2006 15:36:02 PM - delme (87.98.200.117)> QUIT
(000005) 12/13/2006 15:36:02 PM - delme (87.98.200.117)> 221 Goodbye
(000005) 12/13/2006 15:36:02 PM - delme (87.98.200.117)> disconnected.


For the PASV mode connection, the connection never makes it (when using windows explorer or IE with passive enabled, I get essentially the same error - log file looks the same):

(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> Connected, sending welcome message...
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> 220-FileZilla Server version 0.9.20 beta
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> USER delme
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> 331 Password required for delme
(000006) 12/13/2006 15:36:23 PM - (not logged in) (87.98.200.117)> PASS *****
(000006) 12/13/2006 15:36:23 PM - delme (87.98.200.117)> 230 Logged on
(000006) 12/13/2006 15:36:23 PM - delme (87.98.200.117)> PWD
(000006) 12/13/2006 15:36:23 PM - delme (87.98.200.117)> 257 "/" is current directory.
(000006) 12/13/2006 15:36:23 PM - delme (87.98.200.117)> CLNT Testing from http://www.g6ftpserver.com/ftptest from IP xxx.xxx.xxx.xxx
(000006) 12/13/2006 15:36:23 PM - delme (87.98.200.117)> 200 Don't care
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> FEAT
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> 211-Features:
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> MDTM
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> REST STREAM
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> SIZE
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> MLST type*;size*;modify*;
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> MLSD
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> UTF8
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> CLNT
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> 211 End
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> PASV
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> 227 Entering Passive Mode (xx,xx,xxx,xxx,22,119)
(000006) 12/13/2006 15:37:33 PM - delme (87.98.200.117)> disconnected.

PORT Log:
(000007) 12/13/2006 15:51:36 PM - (not logged in) (212.227.81.10)> Connected, sending welcome message...
(000007) 12/13/2006 15:51:36 PM - (not logged in) (212.227.81.10)> 220-FileZilla Server version 0.9.20 beta
(000007) 12/13/2006 15:51:36 PM - (not logged in) (212.227.81.10)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000007) 12/13/2006 15:51:36 PM - (not logged in) (212.227.81.10)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000007) 12/13/2006 15:51:37 PM - (not logged in) (212.227.81.10)> user delme
(000007) 12/13/2006 15:51:37 PM - (not logged in) (212.227.81.10)> 331 Password required for delme
(000007) 12/13/2006 15:51:37 PM - (not logged in) (212.227.81.10)> PASS *****
(000007) 12/13/2006 15:51:37 PM - delme (212.227.81.10)> 230 Logged on
(000007) 12/13/2006 15:51:37 PM - delme (212.227.81.10)> PORT 212,227,81,10,232,119
(000007) 12/13/2006 15:51:37 PM - delme (212.227.81.10)> 200 Port command successful
(000007) 12/13/2006 15:51:37 PM - delme (212.227.81.10)> LIST -a
(000007) 12/13/2006 15:51:37 PM - delme (212.227.81.10)> 150 Opening data channel for directory list.
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> 226 Transfer OK
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> PWD
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> 257 "/" is current directory.
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> QUIT
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> 221 Goodbye
(000007) 12/13/2006 15:51:38 PM - delme (212.227.81.10)> disconnected.


Thanks for any help.

Chris

botg
Site Admin
Posts: 35584
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2006-12-13 21:40

Most likely a broken router or firewall that inspects the FTP traffic and modifies the control connection data.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#3 Post by chrismac » 2006-12-13 22:06

Then why does EPSV (extended passive) work? It's grabbing one of the ports I've specified under FileZilla's "Passive Mode Settings" and connecting to the server.

I'm not claiming to be an expert, but if it were a firewall/router issue, wouldn't EPSV fail as well? If EPSV can open one of the passive ports (in the range 5750 - 6000, see the log file lines below), why wouldn't PASV be able to do the same thing?

Line from the EPSV log:

(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> EPSV
(000005) 12/13/2006 15:36:01 PM - delme (87.98.200.117)> 229 Entering Extended Passive Mode (|||5752|)

Line from the PASV log:

(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> PASV
(000006) 12/13/2006 15:36:24 PM - delme (87.98.200.117)> 227 Entering Passive Mode (xx,xx,xxx,xxx,22,119)

I know the xx's are the server's IP address, but what exactly are the 22,119? Are those ports 22 and 119, or port 22119?

Do these need to be opened or do I need to open some range of ports that include this/these for passive mode to work?

danopia
226 Transfer OK
Posts: 70
Joined: 2006-09-09 15:27
Location: POSTS_TABLE Posts: 9999999999999 Smart: Of course! ;)

#4 Post by danopia » 2006-12-13 22:48

chrismac wrote: I know the xx's are the server's IP address, but what exactly are the 22,119? Are those ports 22 and 119, or port 22119?
These two numbers are put together to get a port number. I believe that the port is either 5751 or 30486.
If all else fails, read the instructions.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#5 Post by chrismac » 2006-12-13 23:32

Thanks a lot for the help on that.

5751 looks right. By the way, what's the formula there, convert to hex and concatenate? 5751 is in my defined range. I can't figure out why PASV won't connect, especially if EPSV will. Any help would be appreciated. Is there something tricky with EPSV that makes it play a little nicer with firewalls and routers?

Chris

danopia
226 Transfer OK
Posts: 70
Joined: 2006-09-09 15:27
Location: POSTS_TABLE Posts: 9999999999999 Smart: Of course! ;)

#6 Post by danopia » 2006-12-13 23:51

Your router might not know about EPSV.
chrismac wrote: By the way, what's the formula there, convert to hex and concatenate?
Pretty much.

22, 119 -> 16, 77 -> 1677 -> 5751
I use Windows calculator.
If all else fails, read the instructions.

samuraibrian
504 Command not implemented
Posts: 8
Joined: 2006-11-23 14:29

#7 Post by samuraibrian » 2006-12-14 01:03

Not that it helps you with your problem, but the simple way of calculating FTP command port numbers is (First_number * 256) + (Second_number). I.e. no need for an intermediate hex conversion.
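The port arithmetic discussed in the last few posts (the two trailing fields of a 227 reply are one port, p1 * 256 + p2, so 22,119 is 5751, and swapping the fields would give the other candidate, 119 * 256 + 22 = 30486) is easy to get wrong by hand, and a client also has to notice when the address a NAT device has rewritten into the reply does not match the server it is actually talking to. The following is an added example, not code from the original post or from FileZilla: it parses the 227 and 229 replies from the logs above, applies the formula, checks the port against the 5750-6000 range chrismac forwarded, and flags an advertised address that differs from the control-connection peer. The sample replies are constructed; the server address in the original log is masked, so an RFC 5737 documentation address stands in for it.

```python
import re

# Constructed sample replies, modelled on the log lines quoted in this thread.
# The address octets were masked ("xx,xx,xxx,xxx") in the original, so a
# documentation address (192.0.2.10) is used as a placeholder here.
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,22,119)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||5752|)"

# Passive port range forwarded in the thread (assumption taken from post #9).
PASSIVE_RANGE = (5750, 6000)

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply; the port is p1 * 256 + p2."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("227 reply carries no (h1,h2,h3,h4,p1,p2) group")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field outside 0-255")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_pasv_port(port):
    """Server-side view of the same formula: split a port into (p1, p2)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return divmod(port, 256)


def parse_epsv(line):
    """Return the port from a 229 reply. EPSV carries no address, which is why
    a NAT box that rewrites PASV addresses has nothing to rewrite here."""
    if not line.startswith("229"):
        raise ValueError("not a 229 reply")
    m = EPSV_RE.search(line)
    if not m:
        raise ValueError("229 reply carries no (|||port|) group")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def in_passive_range(port, rng=PASSIVE_RANGE):
    lo, hi = rng
    return lo <= port <= hi


def check_pasv_reply(line, control_peer_ip, rng=PASSIVE_RANGE):
    """Client-side sanity check on a 227 reply.

    Returns (host, port, findings). A finding is raised when the advertised
    address is not the host the control connection is talking to (a private
    address leaking through, or an in-path device that rewrote the reply),
    or when the port falls outside the range the operator forwarded.
    """
    host, port = parse_pasv(line)
    findings = []
    if host != control_peer_ip:
        findings.append(
            f"advertised address {host} differs from control peer {control_peer_ip}"
        )
    if not in_passive_range(port, rng):
        findings.append(f"port {port} outside forwarded range {rng[0]}-{rng[1]}")
    return host, port, findings


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))          # ('192.0.2.10', 5751)
    print(parse_epsv(SAMPLE_EPSV))          # 5752
    print(encode_pasv_port(5751))           # (22, 119)
    print(check_pasv_reply(SAMPLE_PASV, "192.0.2.10"))
```

A client that logs the findings from check_pasv_reply gets a direct answer to the question in this thread: if the 227 reply names an address other than the server it connected to, something between client and server is editing the control channel, and that is the case to take to the router or modem rather than to the FileZilla passive-mode settings.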

danopia
226 Transfer OK
Posts: 70
Joined: 2006-09-09 15:27
Location: POSTS_TABLE Posts: 9999999999999 Smart: Of course! ;)

#8 Post by danopia » 2006-12-14 01:13

I can't multiply that in my head, and I like acting like I'm smart, so let's go with hexadecimal conversion.
If all else fails, read the instructions.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#9 Post by chrismac » 2006-12-14 01:48

Ok, I didn't think I necessarily needed to get into this part of it, but here it goes. I have a netgear wpn824 router (I realize that that may be my problem).

Ports forwarded on Router and through Firewall (all are TCP, no UDP):

20-21 -> for standard FTP
5750-6000 -> for passive ports

It doesn't matter if I turn on or off my firewall (Windows), so that isn't the problem (probably).

One other question, how would the router "know" about PASV or EPSV? It has a SPI firewall on it, but I don't think turning that on and off makes any difference (I really don't know what it does exactly, but I've tried turning it on and off).

Thanks again for any help.

danopia
226 Transfer OK
Posts: 70
Joined: 2006-09-09 15:27
Location: POSTS_TABLE Posts: 9999999999999 Smart: Of course! ;)

#10 Post by danopia » 2006-12-14 02:50

Your router thinks that it is sooo smart and is opening up your packets to tweak the data to match your NAT (port forwarding) settings. NAT truly has nothing to do with the data of packets, and, quite frankly, my router's NAT only redirects the packets. Here's a comparison: Do you want your post office to just send you your mail (regular NAT), or also open your mail up and change it around (bad NAT, like what you have)?
If all else fails, read the instructions.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#11 Post by chrismac » 2006-12-14 05:34

Ok, so I probably need a new router...any suggestions that won't break the bank?

botg
Site Admin
Posts: 35584
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#12 Post by botg » 2006-12-14 09:48

chrismac wrote: Ok, so I probably need a new router...any suggestions that won't break the bank?
A dedicated Linux or FreeBSD box. 150% reliable.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#13 Post by chrismac » 2006-12-15 19:32

Hmm...I thought I already posted the resolution here.

Anyways, I got it. It was my DSL modem (Westell 2100 - piece of crap). Port forwarding was broken just like you had said. I had it set up to forward the ports through to my router (which then forwarded again to the server - I know, bad idea jeans, but I thought double bagging would be a little more secure). I took the router out of the loop, and couldn't get it to work until the server was sitting right on the internet. Port forward wouldn't work (for PASV), nor would static NAT, the only thing that worked was IP Passthrough. I put my router back in (forwarding ftp and passive ports to the server) and it still worked.

One other odd thing: since the server's IP address is not the same as the external IP address, I thought I needed to specify the address in the FileZilla passive setup ("use this address"), but I didn't need to do that; in fact, it would stop working if I didn't have "default" selected. The explanation on that setup page is a little misleading, I think.

Thanks a ton danopia. You helped out a lot. I hope this helps someone else out as well.

Chris

botg
Site Admin
Posts: 35584
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#14 Post by botg » 2006-12-16 11:21

chrismac wrote: One other odd thing: since the server's IP address is not the same as the external IP address, I thought I needed to specify the address in the FileZilla passive setup ("use this address"), but I didn't need to do that; in fact, it would stop working if I didn't have "default" selected. The explanation on that setup page is a little misleading, I think.

That's a strong indication for a broken router doing protocol inspection and malicious data modification.

chrismac
504 Command not implemented
Posts: 7
Joined: 2006-12-12 23:46

#15 Post by chrismac » 2006-12-18 04:58

Why the heck do the router folks do things like that? Do they think it helps? Does it increase security in some way?
