Pasv in clear Port with SSL

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.


Blu_Fire739
500 Command not understood
Posts: 3
Joined: 2007-10-18 23:04

#1 Post by Blu_Fire739 » 2007-10-18 23:18

Hi,

I've just set up the FileZilla FTP Server on one of our web servers. Its responsibility is to receive files from our clients and pass them on for processing.

We are using the server both in clear text and with SSL for various different scenarios.
For a while the SSL never could establish a secure data channel. We opened up ports 50k - 50k+20 on the firewall, and now SSL works in passive mode.
So here is the issue.

When connecting to the server in plain text, passive mode doesn't work, but active mode does. When connecting to the server with SSL, passive mode works, but active mode doesn't.
What is different about the server's data connections when AUTH TLS is used to make this happen?

Examples:
Here is the client log when connecting unsecured:

<the client is already authenticated before here>
[17:56:40] CLNT SmartFTP 2.5.1006
[17:56:40] 200 Don't care
[17:56:40] OPTS UTF8 ON
[17:56:40] 200 UTF8 mode enabled
[17:56:40] PWD
[17:56:40] 257 "/" is current directory.
[17:56:43] TYPE A
[17:56:43] 200 Type set to A
[17:56:43] PASV
<the client freezes up here>

Here is what the server sees for the above

(000492) 10/18/2007 17:54:04 PM - <uName> (<Client IP>)> CLNT SmartFTP 2.5.1006
(000492) 10/18/2007 17:54:04 PM - <uName> (<Client IP>)> 200 Don't care
(000492) 10/18/2007 17:54:05 PM - <uName> (<Client IP>)> OPTS UTF8 ON
(000492) 10/18/2007 17:54:05 PM - <uName> (<Client IP>)> 200 UTF8 mode enabled
(000492) 10/18/2007 17:54:05 PM - <uName> (<Client IP>)> PWD
(000492) 10/18/2007 17:54:05 PM - <uName> (<Client IP>)> 257 "/" is current directory.
(000492) 10/18/2007 17:54:08 PM - <uName> (<Client IP>)> TYPE A
(000492) 10/18/2007 17:54:08 PM - <uName> (<Client IP>)> 200 Type set to A
(000492) 10/18/2007 17:54:08 PM - <uName> (<Client IP>)> PASV
(000492) 10/18/2007 17:54:08 PM - <uName> (<Client IP>)> 227 Entering Passive Mode (<Server IP>,195,99)
(000492) 10/18/2007 17:54:08 PM - <uName> (<Client IP>)> disconnected.


As you can see, the server disconnects the client just after accepting the passive command.


In secure mode this is what the client sees:

[18:16:46] TYPE A
[18:16:47] 200 Type set to A
[18:16:47] PROT P
[18:16:47] 200 Protection level set to P
[18:16:47] Connecting to IP Repeater "http://repeater.smartftp.com/" ...
[18:16:47] IP Repeater returned: "<ClientIP>"
[18:16:47] PORT <ClientIP>,8,48
[18:16:47] 200 Port command successful
[18:16:47] MLSD
[18:16:48] 150 Opening data channel for directory list.
[18:16:58] 425 Can't open data connection.

After this the client has autofailover to Pasv and the data connection is established.

Here is what the server sees:

(000495) 10/18/2007 18:14:11 PM - <uName & IP>> TYPE A
(000495) 10/18/2007 18:14:11 PM - <uName & IP>> 200 Type set to A
(000495) 10/18/2007 18:14:11 PM - <uName & IP>> PROT P
(000495) 10/18/2007 18:14:11 PM - <uName & IP>> 200 Protection level set to P
(000495) 10/18/2007 18:14:11 PM - <uName & IP>> PORT <ClientIP>,8,48
(000495) 10/18/2007 18:14:11 PM - <uName & IP>> 200 Port command successful
(000495) 10/18/2007 18:14:12 PM - <uName & IP>> MLSD
(000495) 10/18/2007 18:14:12 PM - <uName & IP>> 150 Opening data channel for directory list.
(000495) 10/18/2007 18:14:22 PM - <uName & IP>> 425 Can't open data connection.


Any help with this would be greatly appreciated.
Thanks!

botg
Site Admin
Posts: 35547
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2007-10-18 23:30


Blu_Fire739

#3 Post by Blu_Fire739 » 2007-10-19 20:01

That is almost infuriating.

It seems like this is the only thing you post to other people's questions.

I've looked at the network config many times.

It doesn't make any sense why PASV only works in SSL and PORT only works in the clear.

Network config doesn't say anything about the differences between secure and non-secure!

Please, can anyone help?

botg

#4 Post by botg » 2007-10-19 22:00

It's perfectly clear why it doesn't work: Broken router and/or firewall. The instructions provided in the Wiki are the essence of my knowledge.
I cannot possibly dumb it down any more, but if you cannot understand these simple instructions you might want to read a couple of books on how things work.
Blu_Fire739 wrote:When connecting to the server in plain text passive mode doesn't work, but active mode does. When connecting to the server with SSL passive mode works, but active mode doesn't.
What is different about the server's data connections when AUTH TLS is used to make this happen?
Simple: In passive mode, your router and/or firewall tampers with the connection and makes it fail. However, if you enable encryption, your router/firewall no longer understands the protocol and just passes the traffic through.
But in active mode (see the previously linked wiki page for the difference), the client's router and/or firewall comes into play. And that one appears to work differently and again sabotages the connection.

By the way: Why do you use routers and/or firewalls if you don't understand how they work and how to configure them properly? It's like people driving a car without a driver's license.

Blu_Fire739

#5 Post by Blu_Fire739 » 2007-10-19 22:41

I think I found most of what I'm looking for.

A very nice post was put out here about Cisco ASA firewalls by KnightHawk. Thanks.

http://filezilla.sourceforge.net/forum/ ... php?t=3966

Apparently, even though the correct IP was being sent to the client, the firewall decides it wants to change things around, and it messes everyone up. This was a non-effect in secure mode because the firewall can't peek into secure packets. The solution that KnightHawk provided was to set the IP settings for passive mode to "Default".
In order to get this working in secure mode FileZilla must support the CCC or "Clear Command Channel" command, which it doesn't. This means you're either stuck with having passive mode working in unsecure mode or secure mode, but not both.
The router/firewall isn't *broken*, it's doing what it is supposed to, just FileZilla doesn't expect the router/firewall to do this. So FileZilla breaks.

Any ideas on when FileZilla will support the CCC command?

botg: Don't be so quick to assume that everyone that deals with FileZilla is an expert on networking equipment. Most people work for companies that are large enough to have separate people as network admins, programmers, desktop support etc. My network admin is busy doing other things; that's why I ask the questions here, so I don't have to bother him.
I should be going to him with solutions not problems.

botg

#6 Post by botg » 2007-10-19 23:42

Blu_Fire739 wrote:Apparently, even though the correct IP was being sent to the client, the firewall decides it wants to change things around, and it messes everyone up. This was a non-effect in secure mode because the firewall can't peek into secure packets. The solution that KnightHawk provided was to set the IP settings for passive mode to "Default".
And that's the problem, these bad settings are often enabled by default. But unless the administrator explicitly enables them, the router has absolutely no right to modify the data. Everything else is sabotage.
Blu_Fire739 wrote:Any ideas on when FileZilla will support the CCC command?
Never. What's the point in having a secured logon when a malicious user can then just hijack the connection after the CCC command?
