Andymanmib

join:2003-06-22

FTP server doesn't work on port 21, works on other ports

I have FileZilla server running behind a router. I set it to listen on port 21. I also set it so passive mode clients would connect to port 1024 (I will never need to have more than one connection to it at once). I also enabled the setting so it would tell clients my correct public address, and not the local address of the server. I forwarded ports 21 and 1024 on my router to my server's local address.

When I would try to connect to the server from within my network using its local address (»ftp://192.168.1.2) it worked fine. But, outside my network, any web browser would prompt for a user name and password, then after logging in it would immediately say connection reset.

Then I changed my server to listen on port 555, and forwarded that port accordingly, and it seems to work fine from outside my network.

Is AT&T treating traffic on port 21 differently than on other ports, for example port 555? It seems like port 21 is open, then once AT&T discovers FTP traffic, it resets the connection.

Thanks,
Andy


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
What happens with a session with another server

Andymanmib

join:2003-06-22
I just tried this little service from Firefox and it worked fine:
»www.secureftp-test.com/


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
reply to Andymanmib
said by Andymanmib:

Is AT&T treating traffic on port 21 differently than on other ports, for example port 555? It seems like port 21 is open, then once AT&T discovers FTP traffic, it resets the connection.
So this is not a problem anymore?

Andymanmib

join:2003-06-22
It works fine when I am a client, but I seem to be running into problems hosting an FTP server on port 21.


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
Are you using a dialup account to access the server

Andymanmib

join:2003-06-22
No, I'm just using my ".dyndns.org" hostname. I know for a fact when the server was listening on port 21 it doesn't work from the outside because I was at someone else's house. It didn't work from my local network when I used my hostname either. Now when I used my hostname from within my local network on port 555, it works. I am assuming this means it also works from the outside, but I have not actually tested that yet.

Andymanmib

join:2003-06-22
reply to Andymanmib
Okay I just did some testing on this. I had someone else on the phone, doing this in real time as I changed the settings.

FileZilla Listening port 21, port 21 forwarded in router:
user prompted for login, then connection is reset.

FileZilla Listening port 555, port 555 forwarded in router
(I had the person on the phone add :555 at the end of the URL):
user prompted for login, then connection goes through flawlessly.

Does this mean AT&T is trying to block people from running FTP servers? or is there some other explanation?

Here's the FileZilla server log as I was on the phone with my tester:

Creating listen socket on port 21...
Listen socket port changed
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> Connected, sending welcome message...
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> 220
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> USER anonymous
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> 331 Password required for anonymous
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> PASS *******************
(000033) 8/23/2009 20:38:26 PM - (not logged in) (x.x.x.x)> 530 Login or password incorrect!
(000033) 8/23/2009 20:38:28 PM - (not logged in) (x.x.x.x)> USER eljanoson
(000033) 8/23/2009 20:38:28 PM - (not logged in) (x.x.x.x)> 331 Password required for eljanoson
(000033) 8/23/2009 20:38:28 PM - (not logged in) (x.x.x.x)> PASS *************
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> 230 Logged on
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> SYST
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> 215 UNIX emulated by FileZilla
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> PWD
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> 257 "/" is current directory.
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> TYPE I
(000033) 8/23/2009 20:38:28 PM - eljanoson (x.x.x.x)> 200 Type set to I
(000033) 8/23/2009 20:38:29 PM - eljanoson (x.x.x.x)> PASV
(000033) 8/23/2009 20:38:29 PM - eljanoson (x.x.x.x)> 227 Entering Passive Mode (x,x,x,x,21,179)
(000033) 8/23/2009 20:38:29 PM - eljanoson (x.x.x.x)> disconnected.
Retrieving settings, please wait...
Done retrieving settings
Sending settings, please wait...
Done sending settings.
Closing all listening sockets
Creating listen socket on port 555...
Listen socket port changed
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> Connected, sending welcome message...
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> 220
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> USER anonymous
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> 331 Password required for anonymous
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> PASS *******************
(000034) 8/23/2009 20:39:19 PM - (not logged in) (x.x.x.x)> 530 Login or password incorrect!
(000034) 8/23/2009 20:39:34 PM - (not logged in) (x.x.x.x)> USER eljanoson
(000034) 8/23/2009 20:39:34 PM - (not logged in) (x.x.x.x)> 331 Password required for eljanoson
(000034) 8/23/2009 20:39:34 PM - (not logged in) (x.x.x.x)> PASS *************
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 230 Logged on
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> SYST
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 215 UNIX emulated by FileZilla
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> PWD
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 257 "/" is current directory.
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> TYPE I
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 200 Type set to I
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> PASV
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 227 Entering Passive Mode (x,x,x,x,21,179)
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> SIZE /
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 550 File not found
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> MDTM /
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 550 File not found
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> RETR /
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 550 File not found
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> PASV
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 227 Entering Passive Mode (x,x,x,x,21,179)
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> CWD /
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 250 CWD successful. "/" is current directory.
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> LIST
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 150 Connection accepted
(000034) 8/23/2009 20:39:34 PM - eljanoson (x.x.x.x)> 226 Transfer OK
 


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
reply to Andymanmib
It's clear something is not right with your server.
If you think
"AT&T is trying to block people from running FTP servers",
you can think that.
If you ask me that question, I'll say no, I don't think that's the problem.
I could ask you to try an FTP session with another server, but you're convinced AT&T is blocking FTP.

Andymanmib

join:2003-06-22
I'm sorry if I seem to be jumping to conclusions. How do I try an FTP connection with another server? Do you just mean download a file over FTP from an outside server?


wayjac
Premium,MVM
join:2001-12-22
Indy
kudos:1
I can transfer files to and from an FTP server.

You're saying that AT&T is blocking FTP server standard ports hosted by AT&T customers,
and until your FTP server works with port 21, AT&T is blocking FTP.

Andymanmib

join:2003-06-22
As far as I can tell, I am able to connect to other FTP servers as a client.

Can you or someone help me configure my server so I can use the standard port 21?


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
reply to Andymanmib
Not all FTP clients or servers are created equal. Using a browser to access the FTP server on port 21 may be causing an issue with your router/firewall functionality. It is possible the router is doing some sort of application layer inspection on port 21 for FTP and it doesn't like something in the browser request so it RSTs the connection. When you run it on another port it is possible the router is not inspecting for strict FTP protocol compliance.

If you PM me some test credentials I can run a demo and get a packet capture to further isolate what is happening.
--
Scott, CCIE #14618 Routing & Switching
Too bad those that know it all can't do it all.
»www.thewaystation.com/techref/tech.shtml
»blog.thewaystation.com/


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Ok the problem is definitely on your end. No doubt about it. I can see the browser attempt the initial anonymous login and then I can see the auth credentials I entered. The browser client actually gets logged into your server as I get a 230 Logged on response. I then issue the SYST command to which your server responds 'UNIX emulated by FileZilla'. I then issue the PWD command and you respond with 257 "/" is current directory. My client then sets TYPE I for binary transfer mode. Your server responds with 200 Type set to I. My client then attempts to negotiate Passive mode with your server with the PASV command. Your server goes silent and does not respond. This could indicate either your server is not configured for Passive mode (doubtful) or your router/firewall is unable to handle the app layer port translation for Passive mode. My client issues the PASV command 3 times with no response, before your side sends me a RST packet within 4 seconds.

So, unless your router can support the FTP inspection function for Passive mode FTP on port 21, any clients will be required to use Active mode. Clients must be able to fall back to Active mode when you use the high port instead of port 21. I think when you use port 21 that the router is actively ruining the negotiation process because of lack of application layer inspection support.

I just tested in IE with Passive mode enabled and it failed. I then disabled Passive mode and it worked fine. So that pretty much nails the issue down right there.

FYI I think Firefox only provides for Passive FTP support if the clients must use a browser based client. So, in your case, they would have to use a browser like IE to force the Active mode behavior to connect on port 21.

Andymanmib

join:2003-06-22
reply to Andymanmib
Here's our conversation. I'm posting it here in case it may help someone else in the future. He gives lots of useful information.

said by Andymanmib:

"your router/firewall is unable to handle the app layer port translation"

What does this mean, what kind of translation needs to take place?

BTW in my log this is what I see
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> PASV
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> 227 Entering Passive Mode (68,249,126,75,21,179)
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> disconnected.

So I'm guessing that means my server sent back an IP and port for your client to connect to, but my router didn't let it get through.

Also my router is a linksys WRT54G version 8.2
said by rolande:

Your assumption is correct. Passive mode performs a port and IP negotiation for the client to connect to on the server. Your router/firewall must understand this application layer communication in order to open the "pinhole" in the firewall to allow the client to come inbound to the public IP on the negotiated port. My client never even sees the PORT response from your server which would indicate your router is dropping the response since you are seeing my PASV request on your server log. The router/firewall has to understand the protocol well enough to open the dynamic port for translation. It is quite possible the router does not support Passive mode so instead of helping the client out by denying the initial Passive request it just drops the response from your server

said by Andymanmib:

That makes a lot of sense. Thank you so much for all your help. I guess I'll just have to keep on using a non-standard port.
said by rolande:

Clients probably default to Active mode on non-standard ports which helps things out. The only other option is to find a router/firewall that can support a fully compliant FTP inspection feature for port 21

Glad I could help. I have a done a significant amount of support for FTP through proxy services in Enterprise environments so I have seen just about every stupid caveat there is out there. It is a nightmare to support because everyone configures and uses it differently. There are only so many incarnations that can be easily supported before you enter ridiculous territory.
said by Andymanmib:

WOW! It looks like my router is smarter than I thought. After finding this post, I realized my router does indeed support passive FTP
»linux.derkeiler.com/Newsgroups/c···322.html
But for that to work, the ftp server has to give out its LOCAL ip address. Then my router replaces the local IP with the public IP, and sets up the port translation accordingly.

So the problem was my server sending out this:
(68.249.126.75)> 227 Entering Passive Mode (68,249,126,75,21,179)

instead of this:
68.249.126.75)> 227 Entering Passive Mode (192,168,1,2,21,179)

Thanks again for all your help!!!
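The thread's diagnosis comes down to what the server puts in its 227 reply and whether the router's FTP ALG can translate it. The following added example (not code from the thread, FileZilla or the WRT54G firmware) parses the 227 reply, decodes the port from the p1,p2 pair, and models the ALG behaviour rolande and Andymanmib describe: the router only rewrites the address and opens an inbound pinhole when the advertised host is the server's own LAN address. The addresses come from the posts above; the ALG model and the function names are assumptions.

```python
import ipaddress
import re

# RFC 959 style 227 reply as FileZilla logs it: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if the reply is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    # The data port is sent as two bytes: port = p1 * 256 + p2 (21,179 -> 5555)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def alg_rewrite(reply, lan_ip, public_ip):
    """Model of the NAT router's FTP ALG on the outbound control channel (assumption:
    it acts only when the advertised host is the server's LAN address, as in the thread).

    Returns (reply_as_seen_by_client, pinhole); pinhole is (public_ip, port) when the
    router opened an inbound mapping, or None when it passed the reply through untouched.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    ip, port = parsed
    if ip != lan_ip:
        # Server already advertises a public address: nothing to translate, no pinhole,
        # so the client's data connection has nowhere forwarded to land.
        return reply, None
    octets = public_ip.split(".") + [str(port // 256), str(port % 256)]
    return f"227 Entering Passive Mode ({','.join(octets)})", (public_ip, port)


def diagnose(reply, lan_ip):
    """Classify a logged 227 reply the way a NAT-aware reviewer would."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed 227 reply"
    ip, port = parsed
    if ip == lan_ip:
        return f"advertises LAN address {ip}:{port}; ALG can translate it"
    if ipaddress.ip_address(ip).is_private:
        return f"advertises private address {ip}:{port} that is not this host"
    return f"advertises public address {ip}:{port}; ALG has nothing to translate"
```

Run `diagnose()` over the two 227 lines quoted in the thread (public address versus 192.168.1.2) to see which one the modelled ALG would rewrite.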