Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
 ·Comcast
|  FTP and the LinkSys Router
Running FTP clients and servers with the LinkSys routers is a real quagmire. The FTP protocol is an old and strange one to deal with. Here's my findings (mostly based on f/w 1.37):
FTP CLIENTS behind the LinkSys - Standard Port 21
The LinkSys firmware actually does address translating of FTP commands (the PORT command in particular) and forwards accordingly. To connect to standard port 21 FTP servers on the internet, full functionality for FTP clients should work.
FTP CLIENTS behind the LinkSys - Non-Standard Ports
Unlike standard port 21, the LinkSys does NOT translate the FTP "PORT" command on other ports. The only way a client behind a LinkSys router can connect to an FTP server on a non-standard port is to use PASV mode.
FTP SERVERS behind the LinkSys - Any Port
Just the opposite of the client case, when a server is behind the LinkSys it can NOT do PASV mode for the outside world. Notice the irony - if both client AND server are behind LinkSys' AND non-standard ports are used, no connection can be made easily. Standard Port 21 is the only quick way.
Why can't clients and servers connect?
In the case when the CLIENT is behind the LinkSys, and PASV is not used, the client may use a PORT command to send an address. Only on standard port 21 does the LinkSys translate the LAN address to the needed WAN address.
In the case when the SERVER is behind the LinkSys, and the client uses PASV, the server must respond to the PASV command with an address. The LinkSys will not translate this reply properly so the other end gets the server's LAN address instead if the needed WAN address.
Note: Serv-U has a setting "IP For Passive Mode" that gets around this - but that's only half the battle.
Can I run an FTP server behind a LinkSys that covers all cases?
I have, but with mixed results. Here's what I did:
1). Use Serv-U and set the "IP For Passive Mode" to your WAN address.
2). Put the FTP server in the DMZ.
3). You can forward the FTP port (21 or whatever) but this is redundant since the box is in the DMZ.
That's for servers, what about clients?
The LinkSys handles clients well as long as it's standard port 21. Other ports I know of no way other than you MUST use PASV mode.
What is PASV mode?
PASV (passive) mode was designed for clients behind firewalls. When NOT using PASV mode the client actually becomes a server for the data channel (that's right!). Since firewalls typically prevent this, PASV mode is used and this switches the data channel to be served by the server side.
Browsers (like Netscape and MSIE) may use PASV mode exclusively but it's really been pot-luck. I found MSIE 5.5 has a setting that seems to lie about what it uses. Most ftp programs (like CuteFTP and WS_FTP) can be set to run PASV or not.
See what I mean about FTP being such a strange protocol?
What does that "PORT" command do?
Clients *may* use the PORT command when NOT running PASV to tell the other end what address and port they will be listening on. Again, the LinkSys only translates this command on standard port 21 (else, the server gets your LAN address which doesn't work!).
How can I tell what's happening in my system?
Many clients and servers can log or view the FTP session. Take a look and you may see when things go bad. Chances are they are after a PORT or PASV command.
Is there any hope for FTP servers and clients on the LinkSys?
LinkSys is trying SPI (Stateful Packet Inspection) techniques. It's possible they will start translating ALL of the FTP commands. Currently, they only do client commands (PORT) on port 21. Time will tell if they actually add other ports and the SERVER commands (PASV), too.
All Comments, Corrections and Bitches Welcomed.
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable.
[text was edited by author 2001-04-13 16:20:27] |
|
strayman
join:2000-08-02
Boca Raton, FL |  Cool, just the problem I was having.  |
|
snapcase$
Mod 2002
join:2001-02-20
Purgatory | reply to Bill_MI
Excellent information, Bill. Thumbs up! |
|
solipsist
Premium
join:2000-12-09
Middle Village, NY
clubs: | reply to Bill_MI
very good indeed |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| reply to Bill_MI
Updated Info for SERVERS behind the LinkSys
said by Bill_MI:
Serv-U has a setting "IP For Passive Mode" that gets around this - but that's only half the battle.
ADDITIONAL INFO: I just found out BPFTP (formerly G6 but now at »www.bpftpserver.com for $20 30-day trial) version 2.10 has new features:
PASV IP (like Serv-U Set this to your WAN address!)
Plus just what I was asking for...
PASV Port Range (See Below)
(EDIT: I'm now told older version 2.0 has these, too.)
The latter is nice because you can coordinate a range to forward and not have to be set DMZ to "cover-them-all" so to speak. A server on port 8888 and a PASV port range of 8889-8900 should be able to handle 12 PASV connections and the LinkSys need only forward the 13-port range 8888-8900.
No, I haven't fully tested it yet but this looks like the best I can find. Please let me know if YOU find other servers with these golden features.
[text was edited by author 2001-04-25 03:12:35] |
|
m0ppy
join:2000-05-11
Hawley, PA
| yippee yahooo-eee . .
the Serv-U 3.0 Beta 13 has a PASV port range setting that works beautifully behind my linky.
I forward one port for the active ftp port i am using at the time, and choose a range that Serv-U will limit PASV mode to,
and forward that range through the linky. DMZ not needed, thank sh33p. you can get this beta version at their site.
just do a little digging like I did.
master0fpuppets
--
___________________________________
do not meddle in the affairs of cats, for they are spiteful, and will piss all over your keyboard.
______________________________ |
|
pdodd
join:2001-04-07
Arbuckle, CA | reply to Bill_MI
I got BPFTP server and it worked fine, but had a problem viewing large directories. They came up empty with an error message. BTFTP's support responded in less that one day and gave me a preview version 2.15 which fixes the problem. |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| I'm finally getting time to look at version 2.10. First indication is it works great! Thanks for the heads up about 2.15.
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable. |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| reply to m0ppy
said by m0ppy:
yippee yahooo-eee . .
the Serv-U 3.0 Beta 13 has a PASV port range setting that works beautifully behind my linky.
Thanks m0ppy! Sorry, I missed your post before (dangit!) and this is good news, indeed! I'm compiling this info for the FAQ but the best update would be LinkSys changes f/w to translate all these commands .
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable.
[text was edited by author 2001-05-05 13:11:34] |
|
pdodd
join:2001-04-07
Arbuckle, CA | reply to Bill_MI
BPFTP 2.15 is now officially released. You can get it at »www.bpftpserver.com |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| Another update: WU-ftpd and MSIE 5.5/SP1
I'm told but did not confirm the popular Linux server WU-ftpd also has PASV IP and Port Range. See the documentation.
Thanks to some testing with CyberStretch it appears MSIE 5.5/SP1 PASV mode now works like it should (MSIE as an ftp client was unpredictable in the past).
Is this a dynamic topic or what?
[text was edited by author 2001-05-06 15:23:04] |
|
Frostbite
join:2000-06-13
Framingham, MA
clubs:
| Re: Another update: wu-ftp and MSIE 5.5/SP1
You really need to be on your toes with WU-ftpd. The daemon has had more holes than swiss cheese over its long history. (WU-ftpd runs on varied UNIX systems, of which Linux is one, and is popular amongst the do-it-yourself group.)
On the topic of UNIX ftp daemons, DJBernstein's publicfile ftp server will probably not run on the Linky41. It doesn't support active FTP sessions, and doesn't permit you to specify a port range for PASV sessions. DJB considers active FTP a security risk, because binding to port 20 on UNIX systems means having to retain root privileges, which means the server could be easily taken over by any exploits which happened to come along.
--
-Frosty
[text was edited by author 2001-05-06 14:09:56] |
|
radmish
Hi
join:2000-04-15
Oakland, NJ | reply to Bill_MI
Re: Updated Info for SERVERS behind the LinkSys
I tried the pasv port range with bftp from 8888-8900
but it seems to try to connect to random ports instead of those still.. so it doesn't work  |
|
pdodd
join:2001-04-07
Arbuckle, CA | Have you tried non-passive mode? |
|
radmish
Hi
join:2000-04-15
Oakland, NJ | said by pdodd:
Have you tried non-passive mode?
yup it just behaves then same way too. Trying to use seemingly random ports to transfer with. |
|
pdodd
join:2001-04-07
Arbuckle, CA | Does it matter what ports are used? I have only port 21 forwarded to my FTP server and it is not the DMZ host. It works fine as long as the client doesn't use passive transfers. |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| reply to radmish
said by radmish:
I tried the pasv port range with bftp from 8888-8900 but it seems to try to connect to random ports instead of those still.. so it doesn't work
What port are you looking at? The client source port to your 8888 initially is random. *If* the client sends a PASV command, your server's reply (from a BPFTP log) should be something like:
Entering Passive Mode (64,12,34,56,34,194)
This translates to...
IP: 64.12.34.56 (your WAN IP if you set it up right)
Port: 34x256 + 194 = 8898
Not easily seen... the PASV port is sort of buried in there. Is this what you see?
[text was edited by author 2001-05-07 00:23:43] |
|
radmish
Hi
join:2000-04-15
Oakland, NJ
| ahh  SO I am getting the right port but its not working. I get this when I try to ftp to it.
STATUS:> Retrieving directory listing...
COMMAND:> PASV
227 Entering Passive Mode (x,x,x,x,34,193).
COMMAND:> LIST
STATUS:> Connecting data socket...
ERROR:> Timeout
IP has been censored with x's |
|
radmish
Hi
join:2000-04-15
Oakland, NJ | I got it to work If i disable PASV mode in cuteftp then it works, or if I have PASV enabled and check Force RFC compliant PASV mode. |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·Comcast
| said by radmish:
...and check Force RFC compliant PASV mode.
This is a good example how clients have their own legacy of tricks for ftp - it's no wonder ftp is such a voodoo science. I wonder what the "non-compliant" behavior is when that box is NOT checked . |
|
