
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

FTP and the LinkSys Router

Running FTP clients and servers with the LinkSys routers is a real quagmire. The FTP protocol is an old and strange one to deal with. Here are my findings (mostly based on f/w 1.37):

FTP CLIENTS behind the LinkSys - Standard Port 21

The LinkSys firmware actually does address translating of FTP commands (the PORT command in particular) and forwards accordingly. To connect to standard port 21 FTP servers on the internet, full functionality for FTP clients should work.

FTP CLIENTS behind the LinkSys - Non-Standard Ports

Unlike standard port 21, the LinkSys does NOT translate the FTP "PORT" command on other ports. The only way a client behind a LinkSys router can connect to an FTP server on a non-standard port is to use PASV mode.

FTP SERVERS behind the LinkSys - Any Port

Just the opposite of the client case, when a server is behind the LinkSys it can NOT do PASV mode for the outside world. Notice the irony - if both client AND server are behind LinkSys' AND non-standard ports are used, no connection can be made easily. Standard Port 21 is the only quick way.

Why can't clients and servers connect?

In the case when the CLIENT is behind the LinkSys, and PASV is not used, the client may use a PORT command to send an address. Only on standard port 21 does the LinkSys translate the LAN address to the needed WAN address.

In the case when the SERVER is behind the LinkSys, and the client uses PASV, the server must respond to the PASV command with an address. The LinkSys will not translate this reply properly so the other end gets the server's LAN address instead of the needed WAN address.

Note: Serv-U has a setting "IP For Passive Mode" that gets around this - but that's only half the battle.

Can I run an FTP server behind a LinkSys that covers all cases?

I have, but with mixed results. Here's what I did:

1). Use Serv-U and set the "IP For Passive Mode" to your WAN address.

2). Put the FTP server in the DMZ.

3). You can forward the FTP port (21 or whatever) but this is redundant since the box is in the DMZ.

That's for servers, what about clients?

The LinkSys handles clients well as long as it's standard port 21. Other ports I know of no way other than you MUST use PASV mode.

What is PASV mode?

PASV (passive) mode was designed for clients behind firewalls. When NOT using PASV mode the client actually becomes a server for the data channel (that's right!). Since firewalls typically prevent this, PASV mode is used and this switches the data channel to be served by the server side.

Browsers (like Netscape and MSIE) may use PASV mode exclusively but it's really been pot-luck. I found MSIE 5.5 has a setting that seems to lie about what it uses. Most ftp programs (like CuteFTP and WS_FTP) can be set to run PASV or not.

See what I mean about FTP being such a strange protocol?

What does that "PORT" command do?

Clients *may* use the PORT command when NOT running PASV to tell the other end what address and port they will be listening on. Again, the LinkSys only translates this command on standard port 21 (else, the server gets your LAN address which doesn't work!).

How can I tell what's happening in my system?

Many clients and servers can log or view the FTP session. Take a look and you may see when things go bad. Chances are they are after a PORT or PASV command.

Is there any hope for FTP servers and clients on the LinkSys?

LinkSys is trying SPI (Stateful Packet Inspection) techniques. It's possible they will start translating ALL of the FTP commands. Currently, they only do client commands (PORT) on port 21. Time will tell if they actually add other ports and the SERVER commands (PASV), too.

All Comments, Corrections and Bitches Welcomed.
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable.

[text was edited by author 2001-04-13 16:20:27]

strayman

join:2000-08-02
Boca Raton, FL
Cool, just the problem I was having.


snapcase$
Mod 2002
join:2001-02-20
Purgatory
reply to Bill_MI
Excellent information, Bill. Thumbs up!


solipsist
Premium
join:2000-12-09
Middle Village, NY
reply to Bill_MI
very good indeed


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

reply to Bill_MI

Updated Info for SERVERS behind the LinkSys

said by Bill_MI:
Serv-U has a setting "IP For Passive Mode" that gets around this - but that's only half the battle.
ADDITIONAL INFO: I just found out BPFTP (formerly G6 but now at »www.bpftpserver.com for $20 30-day trial) version 2.10 has new features:

PASV IP (like Serv-U Set this to your WAN address!)
Plus just what I was asking for...
PASV Port Range (See Below)
(EDIT: I'm now told older version 2.0 has these, too.)

The latter is nice because you can coordinate a range to forward and not have to be set DMZ to "cover-them-all" so to speak. A server on port 8888 and a PASV port range of 8889-8900 should be able to handle 12 PASV connections and the LinkSys need only forward the 13-port range 8888-8900.

No, I haven't fully tested it yet but this looks like the best I can find. Please let me know if YOU find other servers with these golden features.
[text was edited by author 2001-04-25 03:12:35]


m0p

join:2000-05-11
Hawley, PA
yippee yahooo-eee . .
the Serv-U 3.0 Beta 13 has a PASV port range setting that works beautifully behind my linky.
I forward one port for the active ftp port i am using at the time, and choose a range that Serv-U will limit PASV mode to,
and forward that range through the linky. DMZ not needed, thank sh33p. you can get this beta version at their site.

just do a little digging like I did.


master0fpuppets
--
___________________________________
do not meddle in the affairs of cats, for they are spiteful, and will piss all over your keyboard.
______________________________


pdodd

join:2001-04-07
Arbuckle, CA
reply to Bill_MI
I got BPFTP server and it worked fine, but had a problem viewing large directories. They came up empty with an error message. BPFTP's support responded in less than one day and gave me a preview version 2.15 which fixes the problem.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
I'm finally getting time to look at version 2.10. First indication is it works great! Thanks for the heads up about 2.15.
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

reply to m0p
said by m0ppy:
yippee yahooo-eee . .
the Serv-U 3.0 Beta 13 has a PASV port range setting that works beautifully behind my linky.
Thanks m0ppy! Sorry, I missed your post before (dangit!) and this is good news, indeed! I'm compiling this info for the FAQ but the best update would be LinkSys changes f/w to translate all these commands.
--
Hardware: Computer parts that can be kicked.
Software: Computer parts this hardware guy would like to make kickable.

[text was edited by author 2001-05-05 13:11:34]


pdodd

join:2001-04-07
Arbuckle, CA
reply to Bill_MI
BPFTP 2.15 is now officially released. You can get it at »www.bpftpserver.com


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

Another update: WU-ftpd and MSIE 5.5/SP1

I'm told but did not confirm the popular Linux server WU-ftpd also has PASV IP and Port Range. See the documentation.

Thanks to some testing with CyberStretch it appears MSIE 5.5/SP1 PASV mode now works like it should (MSIE as an ftp client was unpredictable in the past).

Is this a dynamic topic or what?
[text was edited by author 2001-05-06 15:23:04]


Frostbite

join:2000-06-13
Marlborough, MA

Re: Another update: wu-ftp and MSIE 5.5/SP1

You really need to be on your toes with WU-ftpd. The daemon has had more holes than swiss cheese over its long history. (WU-ftpd runs on varied UNIX systems, of which Linux is one, and is popular amongst the do-it-yourself group.)

On the topic of UNIX ftp daemons, DJBernstein's publicfile ftp server will probably not run on the Linky41. It doesn't support active FTP sessions, and doesn't permit you to specify a port range for PASV sessions. DJB considers active FTP a security risk, because binding to port 20 on UNIX systems means having to retain root privileges, which means the server could be easily taken over by any exploits which happened to come along.
--
-Frosty

[text was edited by author 2001-05-06 14:09:56]


radmish
Hi

join:2000-04-15
Oakland, NJ
reply to Bill_MI

Re: Updated Info for SERVERS behind the LinkSys

I tried the pasv port range with bftp from 8888-8900
but it seems to try to connect to random ports instead of those still.. so it doesn't work


pdodd

join:2001-04-07
Arbuckle, CA
Have you tried non-passive mode?


radmish
Hi

join:2000-04-15
Oakland, NJ
said by pdodd:
Have you tried non-passive mode?
yup it just behaves the same way too. Trying to use seemingly random ports to transfer with.


pdodd

join:2001-04-07
Arbuckle, CA
Does it matter what ports are used? I have only port 21 forwarded to my FTP server and it is not the DMZ host. It works fine as long as the client doesn't use passive transfers.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

reply to radmish
said by radmish:
I tried the pasv port range with bftp from 8888-8900 but it seems to try to connect to random ports instead of those still.. so it doesn't work
What port are you looking at? The client source port to your 8888 initially is random. *If* the client sends a PASV command, your server's reply (from a BPFTP log) should be something like:

Entering Passive Mode (64,12,34,56,34,194)

This translates to...
IP: 64.12.34.56 (your WAN IP if you set it up right)
Port: 34x256 + 194 = 8898

Not easily seen... the PASV port is sort of buried in there. Is this what you see?
[text was edited by author 2001-05-07 00:23:43]
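
Added example (not part of the original posts): a small Python checker for the decoding described above and for the NAT problem this thread is about. It pulls the `h1,h2,h3,h4,p1,p2` field out of a `227` reply or a `PORT` command, computes the port as `p1*256 + p2`, and flags a LAN address that was sent untranslated or a PASV port outside the forwarded range. The LAN address 192.168.1.100, the sample log lines other than the `227` reply quoted above, and the function names are constructed for illustration; the range 8889-8900 is the one suggested earlier in the thread.

```python
import ipaddress
import re

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 (227 reply or PORT command).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(line):
    """Return (IPv4Address, port) decoded from one FTP session log line."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1*256 + p2

def check_line(line, forwarded=range(8889, 8901)):
    """Decode a line and list what would break a data connection through NAT.

    forwarded: PASV ports the router forwards to the server (assumed 8889-8900).
    """
    ip, port = decode_hostport(line)
    problems = []
    if ip.is_private:
        # The far end cannot reach a LAN address: the router did not rewrite it.
        problems.append("LAN address advertised (not translated)")
    if line.lstrip().startswith("227") and port not in forwarded:
        problems.append("PASV port %d is not in the forwarded range" % port)
    return str(ip), port, problems

# Constructed sample session lines (only the first appears in the thread).
SAMPLE_LOG = [
    "227 Entering Passive Mode (64,12,34,56,34,194)",    # WAN IP, port in range
    "227 Entering Passive Mode (192,168,1,100,34,194)",  # PASV IP not set
    "227 Entering Passive Mode (64,12,34,56,19,136)",    # port range not applied
    "PORT 192,168,1,100,4,15",                           # client on non-standard port
]

def scan(log=SAMPLE_LOG):
    """Return (line, ip, port, problems) for every PORT or 227 line in the log."""
    return [(l,) + check_line(l) for l in log if _HOSTPORT.search(l)]

if __name__ == "__main__":
    for line, ip, port, problems in scan():
        print("%-52s %s:%d %s" % (line, ip, port, "; ".join(problems) or "ok"))
```
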


radmish
Hi

join:2000-04-15
Oakland, NJ
ahh SO I am getting the right port but it's not working. I get this when I try to ftp to it.
STATUS:> Retrieving directory listing...
COMMAND:> PASV
227 Entering Passive Mode (x,x,x,x,34,193).
COMMAND:> LIST
STATUS:> Connecting data socket...
ERROR:> Timeout


IP has been censored with x's


radmish
Hi

join:2000-04-15
Oakland, NJ
I got it to work. If I disable PASV mode in CuteFTP then it works, or if I have PASV enabled and check Force RFC compliant PASV mode.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
said by radmish:
...and check Force RFC compliant PASV mode.
This is a good example how clients have their own legacy of tricks for ftp - it's no wonder ftp is such a voodoo science. I wonder what the "non-compliant" behavior is when that box is NOT checked.


devildude

join:2001-08-11
I can't connect to ftp even when changing all sorts of options in 3 ftp apps, the most annoying thing is that I know what's wrong but can't fix it!

The problem is the port command because it uses the internal ip instead of the external ip - anyone know how to get ftp apps to use the external ip?


radmish
Hi

join:2000-04-15
Oakland, NJ
in bullet proof ftp set your pasv ip to your ip on the internet


DeeC
Premium
join:2000-09-01
the world
kudos:1
Too bad it can't update pasv ip like DynSite Client does for hosts/dynamic IPs or something. Hey, can someone test out my PASV mode for me?

thanks.

Sephiroth79

join:2000-10-21
Canada
reply to radmish
All right for setting the WAN PASV IP in BPFTP.. but what if I'm stuck with a dynamic IP from my DSL provider?


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
Good point. Dynamic IPs are a problem so far.

Even if there were some dynIP sensing/awareness added I keep thinking of what happens at the IP change... for a few minutes someone else may get the IP you *were* using and these paranoid monitors will see an "attack" coming in (sigh).

Bottom Line: LinkSys, please support FTP - the oldest legacy file transfer protocol on the net!!!


DeeC
Premium
join:2000-09-01
the world
kudos:1
YES! YES! ....please! Do something about this!

Dee


DeeC
Premium
join:2000-09-01
the world
kudos:1
reply to Sephiroth79
Hun, that is what we are b*tching (er, talking) about - You will have to manually update BPFTP each time. There is NO client that will update PASV IP to match your changed Dynamic IP (in BPFTP).

Now, on the other end - We should be writing BPFTP and ask them to allow a "host name" in that PASV area, as then you could use a DynDNS client to keep the "host name" pointing to the right IP. DynSite Software is superb for this (and specifically supports Linky routers)....Any helpers in this?

thanks.....;)

Dee


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

That's a good idea, Dee and solves the dynDNS issue. Still, it's more complex band-aids when LinkSys could be doing it in their firmware. Maybe LinkSys will get it in about the time FTP is obsolete (2009???).

Edited for FAT-FINGERS
[text was edited by author 2001-08-12 10:14:42]

moclvland

join:2000-11-16
Cleveland, OH
reply to Bill_MI

Re: FTP and the LinkSys Router

Everyone here is talking about running an FTP server behind Linksys. How about trying to connect to an FTP site from behind a Linksys and to make things more complicated the FTP port is set to 21000 not 21. I have set the software to PASV mode and get logged in but it always returns the following error:

500 Invalid PORT Command.
! Failed "port":
! Retrieve of folder listing failed (0)
I guess it's trying to connect to the internal number not the external number. Is there any way to get this to work? Isn't the bullet proof software just for the server side not the client side?


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..
Welcome to FTPLand.

What client is that? If it's sending a PORT command it's *not* in PASV or the client is one of those testing on its own - I've seen both of these happening.

Even with the latest LinkSys f/w port 21000 (or anything but 21) a client is stuck where it *must* use PASV - with one exception...

Yes, BulletProof has both a server and a client. Since I saw their client I've tried to be careful to say BPFTPServer which is formerly G6FTP (Gene-6) and an excellent product IMHO.

Their client... well... it seems to work. I really didn't like it BUT it has the capability of specifying PORT ports and IPs - making it the only client I know of that can do PORT mode thru a LinkSys on non-standard ports.

I know verbiage is strange here - if PORT/port doesn't get you BPFTP server/client will. Fun, eh?