Andymanmib
join:2003-06-22
FTP server doesn't work on port 21, works on other ports
I have FileZilla server running behind a router. I set it to listen on port 21. I also set it so passive mode clients would connect to port 1024 (I will never need to have more than one connection to it at once). I also enabled the setting so it would tell clients my correct public address, and not the local address of the server. I forwarded ports 21 and 1024 on my router to my server's local address.
When I would try to connect to the server from within my network using its local address (ftp://192.168.1.2) it worked fine. But, outside my network, any web browser would prompt for a user name and password, then after logging in it would immediately say connection reset.
Then I changed my server to listen on port 555, and forwarded that port accordingly, and it seems to work fine from outside my network.
Is AT&T treating traffic on port 21 differently than on other ports, for example port 555? It seems like port 21 is open, then once AT&T discovers FTP traffic, it resets the connection.
Thanks, Andy
wayjac Premium,MVM join:2001-12-22 Indy
What happens with a session with another server?
Andymanmib
join:2003-06-22
I just tried this little service from Firefox and it worked fine: www.secureftp-test.com/
wayjac Premium,MVM join:2001-12-22 Indy
·AT&T Midwest
reply to Andymanmib
said by Andymanmib: "Is AT&T treating traffic on port 21 differently than on other ports, for example port 555? It seems like port 21 is open, then once AT&T discovers FTP traffic, it resets the connection."
So this is not a problem anymore?
Andymanmib
join:2003-06-22
It works fine when I am a client, but I seem to be running into problems hosting an FTP server on port 21.
wayjac Premium,MVM join:2001-12-22 Indy
Are you using a dialup account to access the server?
Andymanmib
join:2003-06-22
No, I'm just using my ".dyndns.org" hostname. I know for a fact when the server was listening on port 21 it doesn't work from the outside because I was at someone else's house. It didn't work from my local network when I used my hostname either. Now when I used my hostname from within my local network on port 555, it works. I am assuming this means it also works from the outside, but I have not actually tested that yet.
Andymanmib
join:2003-06-22
reply to Andymanmib
Okay, I just did some testing on this. I had someone else on the phone, doing this in real time as I changed the settings.
FileZilla listening on port 21, port 21 forwarded in router: user prompted for login, then connection is reset.
FileZilla listening on port 555, port 555 forwarded in router (I had the person on the phone add :555 at the end of the URL): user prompted for login, then connection goes through flawlessly.
Does this mean AT&T is trying to block people from running FTP servers? Or is there some other explanation?
Here's the FileZilla server log as I was on the phone with my tester:
wayjac Premium,MVM join:2001-12-22 Indy
·AT&T Midwest
reply to Andymanmib
It's clear something is not right with your server. If you think "AT&T is trying to block people from running FTP servers", you can think that. If you ask me that question, I'll say no, I don't think that's the problem. I could ask you to try an FTP session with another server, but you're convinced AT&T is blocking FTP.
Andymanmib
join:2003-06-22
I'm sorry if I seem to be jumping to conclusions. How do I try an FTP connection with another server? Do you just mean download a file over FTP from an outside server?
wayjac Premium,MVM join:2001-12-22 Indy
I can transfer files to and from an FTP server.
You're saying that AT&T is blocking FTP server standard ports hosted by AT&T customers, and until your FTP server works with port 21, AT&T is blocking FTP.
Andymanmib
join:2003-06-22
As far as I can tell, I am able to connect to other FTP servers as a client.
Can you or someone help me configure my server so I can use the standard port 21?
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
Host: Linksys AT&T Midwest
reply to Andymanmib
Not all FTP clients or servers are created equal. Using a browser to access the FTP server on port 21 may be causing an issue with your router/firewall functionality. It is possible the router is doing some sort of application layer inspection on port 21 for FTP and it doesn't like something in the browser request, so it RSTs the connection. When you run it on another port it is possible the router is not inspecting for strict FTP protocol compliance.
If you PM me some test credentials I can run a demo and get a packet capture to further isolate what is happening.
-- Scott, CCIE #14618 Routing & Switching. Too bad those that know it all can't do it all. www.thewaystation.com/techref/tech.shtml blog.thewaystation.com/
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
Host: Linksys AT&T Midwest
Ok, the problem is definitely on your end. No doubt about it. I can see the browser attempt the initial anonymous login and then I can see the auth credentials I entered. The browser client actually gets logged into your server, as I get a 230 Logged on response. I then issue the SYST command, to which your server responds 'UNIX emulated by FileZilla'. I then issue the PWD command and you respond with 257 "/" is current directory. My client then sets TYPE I for binary transfer mode. Your server responds with 200 Type set to I. My client then attempts to negotiate Passive mode with your server with the PASV command. Your server goes silent and does not respond. This could indicate either your server is not configured for Passive mode (doubtful) or your router/firewall is unable to handle the app layer port translation for Passive mode. My client issues the PASV command 3 times with no response, before your side sends me an RST packet within 4 seconds.
So, unless your router can support the FTP inspection function for Passive mode FTP on port 21, any clients will be required to use Active mode. Clients must be able to fall back to Active mode when you use the high port instead of port 21. I think when you use port 21 the router is actively ruining the negotiation process because of lack of application layer inspection support.
I just tested in IE with Passive mode enabled and it failed. I then disabled Passive mode and it worked fine. So that pretty much nails the issue down right there.
FYI, I think Firefox only provides for Passive FTP support, if the clients must use a browser-based client. So, in your case, they would have to use a browser like IE to force the Active mode behavior to connect on port 21.
Andymanmib
join:2003-06-22
reply to Andymanmib
Here's our conversation. I'm posting it here in case it may help someone else in the future. He gives lots of useful information.

said by Andymanmib: "your router/firewall is unable to handle the app layer port translation" What does this mean, what kind of translation needs to take place? BTW, in my log this is what I see:
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> PASV
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> 227 Entering Passive Mode (68,249,126,75,21,179)
(000042) 8/24/2009 1:38:30 AM - tester (xxxx)> disconnected.
So I'm guessing that means my server sent back an IP and port for your client to connect to, but my router didn't let it get through. Also, my router is a Linksys WRT54G version 8.2.

said by rolande: Your assumption is correct. Passive mode performs a port and IP negotiation for the client to connect to on the server. Your router/firewall must understand this application layer communication in order to open the "pinhole" in the firewall to allow the client to come inbound to the public IP on the negotiated port. My client never even sees the PORT response from your server, which would indicate your router is dropping the response, since you are seeing my PASV request on your server log. The router/firewall has to understand the protocol well enough to open the dynamic port for translation. It is quite possible the router does not support Passive mode, so instead of helping the client out by denying the initial Passive request it just drops the response from your server.

said by Andymanmib: That makes a lot of sense. Thank you so much for all your help. I guess I'll just have to keep on using a non-standard port.

said by rolande: Clients probably default to Active mode on non-standard ports, which helps things out. The only other option is to find a router/firewall that can support a fully compliant FTP inspection feature for port 21. Glad I could help. I have done a significant amount of support for FTP through proxy services in Enterprise environments, so I have seen just about every stupid caveat there is out there. It is a nightmare to support because everyone configures and uses it differently. There are only so many incarnations that can be easily supported before you enter ridiculous territory.

said by Andymanmib: WOW! It looks like my router is smarter than I thought. After finding this post, I realized my router does indeed support passive FTP: linux.derkeiler.com/Newsgroups/c···322.html But for that to work, the FTP server has to give out its LOCAL IP address. Then my router replaces the local IP with the public IP, and sets up the port translation accordingly. So the problem was my server sending out this:
(68.249.126.75)> 227 Entering Passive Mode (68,249,126,75,21,179)
instead of this:
(68.249.126.75)> 227 Entering Passive Mode (192,168,1,2,21,179)
Thanks again for all your help!!!
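The PASV exchange and the router's address rewrite that this thread ends on, as an added example (not code from the thread, FileZilla or the Linksys firmware): it parses the 227 reply, models an FTP ALG that only rewrites a reply carrying the server's LAN address, and adds a client-side check a defender can use to spot a reply that can never work. The addresses 68.249.126.75 and 192.168.1.2 come from the posted log; the ALG model and the check are assumptions.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (ip, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # not a legal dotted-quad / port encoding
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv_reply(ip, port):
    """Build the 227 reply a server sends for the given address and data port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port // 256, port % 256)


def alg_rewrite(line, lan_server_ip, public_ip):
    """Assumed model of the router's FTP ALG (the thread's observed behaviour):
    a 227 reply carrying the server's LAN address is rewritten to the public
    address and the data port is pinholed; any other address is not understood,
    so the reply is dropped and no pinhole is opened. Returns (reply, port)."""
    parsed = parse_pasv_reply(line)
    if parsed is None or parsed[0] != lan_server_ip:
        return None, None  # dropped, as seen in the FileZilla log
    _, port = parsed
    return format_pasv_reply(public_ip, port), port


def check_pasv_reply(line, control_peer_ip):
    """Client-side sanity check on the address a server advertises in PASV."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return "no-227"
    ip, _ = parsed
    adv, peer = ipaddress.ip_address(ip), ipaddress.ip_address(control_peer_ip)
    if adv.is_private and not peer.is_private:
        return "private-address"   # unreachable from outside unless an ALG rewrites it
    if ip != control_peer_ip:
        return "address-mismatch"  # a different host than the control connection
    return "ok"
```

A client that sees "private-address" or "address-mismatch" should connect the data channel to the control-connection peer instead, which is what most modern clients do silently.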