This is driving me crazy...

txm1004
500 Command not understood
Posts: 5
Joined: 2013-01-30 10:53
First name: Thomas
Last name: M

This is driving me crazy...

#1 Post by txm1004 » 2020-04-02 21:14

I'm sure I'm just missing one little thing...as always. So hopefully someone much smarter than me can help.

I've set up FZ server without FTP over TLS support:
Image


When I now connect with the FZ client (with Encryption set to: Use explicit FTP over TLS if available) it works just fine. I connect to the server and then it retrieves the directory listing.
Image

The log shows this:
Status: Connecting to 123.456.xxx.yy:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful


But when I change the FZ Server settings to Enable FTP over TLS support and change my FZ client setting to Encryption = Require explicit FTP over TLS I run into this problem...I connect to the server just fine but it fails to retrieve the directory listing.

Image


Image


The log shows this:

Status: Connecting to 123.456.xxx.yy:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (74,208,xxx,yyy,8,52)
Command: MLSD
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing

I have no idea what I'm missing...help please!
Tom
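Decoding the 227 reply from the failing log above, as an added example that is not part of the original post or of FileZilla: the client opens its data connection to the address and port in that tuple (port = p1*256 + p2, so `8,52` is 2100), and a 425 follows when that endpoint is unreachable. The control IP, passive range, open-port set and sample replies are constructed assumptions, since the log's address is masked.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these in a 227 reply is unreachable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUPLE_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (IPv4Address, data port)."""
    match = TUPLE_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a parsable 227 reply: %r" % reply)
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def diagnose(reply, control_ip, passive_range, open_ports):
    """Return (host, port, findings) for one PASV reply seen by the client."""
    host, port = parse_pasv(reply)
    findings = []
    if any(host in net for net in RFC1918):
        findings.append("advertised IP %s is a LAN address" % host)
    elif host != ipaddress.IPv4Address(control_ip):
        findings.append("advertised IP %s differs from control IP %s" % (host, control_ip))
    low, high = passive_range
    if not low <= port <= high:
        findings.append("data port %d is outside passive range %d-%d" % (port, low, high))
    if port not in open_ports:
        findings.append("data port %d is not opened/forwarded" % port)
    return host, port, findings


# Constructed inputs (assumptions): the server's public IP, its passive range, and
# the TCP ports opened in the firewall and forwarded on the router.
CONTROL_IP = "203.0.113.10"
PASSIVE_RANGE = (50000, 50100)
OPEN_PORTS = set(range(50000, 50101)) | {21}
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,20,8,52)",     # LAN IP, port 8*256+52 = 2100
    "227 Entering Passive Mode (203,0,113,10,195,100)",  # public IP, port 50020
]

if __name__ == "__main__":
    for line in SAMPLES:
        host, port, findings = diagnose(line, CONTROL_IP, PASSIVE_RANGE, OPEN_PORTS)
        print(host, port, findings or "ok")
```

With FTP over TLS the router cannot read or rewrite this reply, so whatever the server puts in the tuple is exactly what the client tries to reach.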

boco
Contributor
Posts: 25325
Joined: 2006-05-01 03:28
Location: Germany

Re: This is driving me crazy...

#2 Post by boco » 2020-04-02 22:19

First problem: Both 1.2.3.4.5.6 and 123.456.7.8 are invalid IPs and will not work. Please post such details either unmodified or not at all.

Second problem: Read and follow the Network Configuration Guide (Passive part). Looks like you did not forward/open all necessary ports.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

txm1004
500 Command not understood
Posts: 5
Joined: 2013-01-30 10:53
First name: Thomas
Last name: M

Re: This is driving me crazy...

#3 Post by txm1004 » 2020-04-03 08:13

Thanks, boco, for your reply.
Of course I am not going to post our real IP address here - that's why I used invalid IPs.

We have the Passive Mode settings turned on in FZ Server:
Image

And we also added FZ to the Windows Firewall:
Image

I must be missing something else or didn't set something up correctly...

boco
Contributor
Posts: 25325
Joined: 2006-05-01 03:28
Location: Germany

Re: This is driving me crazy...

#4 Post by boco » 2020-04-03 21:40

Note: Please attach your pictures directly to your posts, external image hosters are not really allowed here and can vanish at any time. First time, I didn't even see there were any pictures, as I block third-party servers.

First picture: The settings here are completely wrong.
If you had followed the guide, you would have defined an ample Passive port range (numbers of listings and transfers all your users can do in 4 minutes and then some). One port does NOT work, few ports work badly!
Then, you would have told FileZilla Server your external IPv4. This is required, "Default" does not work behind NAT due to network segmentation.
Third, you would have opened ALL involved ports (listening ports and all Passive ports) in the firewall (TCP only).
Plus, you would have statically forwarded all involved ports in your router to the server machine (How should the router know where to send the arriving packets to?).

All things that are required, and the Network Configuration Guide tells you about them.

Second picture: FTP does only ever use TCP, all UDP-related configurations are completely unnecessary.

txm1004
500 Command not understood
Posts: 5
Joined: 2013-01-30 10:53
First name: Thomas
Last name: M

Re: This is driving me crazy...

#5 Post by txm1004 » 2020-04-04 20:35

Sorry, boco, but I don't understand your responses.

I have another server with the exact same FZ client and server settings and the FTP connection (including Directory retrieval) works just fine...so when you say that these settings are wrong I'm thinking that can't be true since it works on the other server - I must have forgotten to set something else up on the server...just can't figure out what.

And sending a link to the entire documentation isn't much help either, of course.

boco
Contributor
Posts: 25325
Joined: 2006-05-01 03:28
Location: Germany

Re: This is driving me crazy...

#6 Post by boco » 2020-04-04 23:55

Well, even your confusion is covered in the Network Configuration Guide, in the chapter about malicious routers and firewalls tampering with your FTP traffic.

1. For pure in-LAN usage (only local network from one machine to another), router configuration is not necessary, but you need to use the LAN IP addresses to connect successfully. Local firewalls still have to be configured.

2. Access over the Internet requires all that configuration, someone or something must do that configuration work.

What most probably causes your confusion is that for default FTP setups, the router (the cheap consumer crap one) will do it:
1. It will transparently forward ports.
2. It will auto-translate the IPs sent by server and client.
3. Probably some really nasty things in addition.

This will make it kinda "work" without yourself knowing why it does. While you might think such a mechanism is a good idea, it isn't. Disadvantages outweigh the advantages.
1. It obviously causes much confusion. We constantly have to explain to users why their wrong setups would never work on their own, only together with a router that expects and corrects wrong setups.
2. With such routers, correct configuration of the server causes malfunction, as the devices are not smart enough to detect that and will apply their tampering nonetheless. In this case, they destroy the good setup.
3. The mechanism requires the router being able to read the FTP traffic. Surprise! FTP over TLS cannot be read by the router due to the end-to-end encryption. The mechanism fails and you have to do the configuration work by yourself.
4. The mechanism usually only works on the default FTP port 21. Using a different port for security reasons will, again, require correct configuration.
5. For that reason, running a mixed FTP and FTPS setup on the default port 21 is hard to nigh impossible.

So, your other setup, while appearing to fully and correctly work, works only together with your router, and only in this one configuration. Switching to a different port or to FTP over TLS, will make it collapse like a house of cards.

"And sending a link to the entire documentation isn't much help either, of course."
The Network Configuration Guide is the one and only resource you will need. Pointing to it is therefore the correct thing to do.
Setting up, running and maintaining a publicly available FTP server comes with responsibility (like with running any other type of server). You are responsible for keeping the server secure, failure to do so might put your and other users' machines at risk.

While it might sound a bit rude, if you cannot understand and follow that Guide, you simply should not run any servers. The FTP client can be operated safely out of the box, but operating the server requires administrative knowledge: "set it and forget it" doesn't work here, sorry.
