Linux Archive


John R Pierce 06-06-2008 03:04 AM

vsftpd and active mode connections causes FTP session to hang
 
Filipe Brandenburger wrote:
> On Thu, Jun 5, 2008 at 2:05 PM, Timothy Selivanow
> <timothy.selivanow@virtualxistenz.com> wrote:
>
>> things like 'put' and 'get', etc.), the connection hangs. If you wait a
>> bit it returns with a "425 Failed to establish connection". I've tried
>
> Is the FTP client behind NAT? If it is then active FTP won't work,
> since the client will request the server to connect to the internal
> IP.

It's somewhat more complex than that. Many NAT boxes (home routers,
etc.) recognize FTP on port 21, and monitor the PORT commands, and mangle
them automatically. A Linux masquerading server can do this too, with
the right ip_masq module. If the FTP is running on a nonstandard
port other than 21, the automagic stuff won't work. If the FTP
/server/ is behind NAT using a port forward, it also gets messy.

There's a detailed discussion of these and other salient points here:
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html. It bears
reading carefully.



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
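
As an added illustration (not part of the original thread), this Python sketch parses the PORT argument a server receives and compares it with the source address of the control connection, which separates an unrewritten NAT address from a plain path or filtering problem. The function names, verdict labels and sample lines are constructed for this example.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -> IPv4 h1.h2.h3.h4, TCP port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Return (IPv4Address, port) advertised by a PORT command, or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def check_port(line, control_peer):
    """Compare the PORT address with the control connection's source IP
    as seen by the server (control_peer)."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, _port = parsed
    if ip == ipaddress.IPv4Address(control_peer):
        return "ok"  # address is consistent; look at filtering of the data SYN instead
    if any(ip in net for net in RFC1918):
        return "private-unrewritten"  # NAT in the path did not rewrite PORT
    return "mismatch"  # PORT names a different public host than the client


# Constructed samples: (control peer seen by server, PORT line received)
SAMPLES = [
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),
    ("198.51.100.7", "PORT 192,168,1,20,195,80"),
    ("198.51.100.7", "PORT 203,0,113,9,4,1"),
    ("198.51.100.7", "PORT 198,51,100,7,300,1"),
]


def classify_all(samples=SAMPLES):
    return [check_port(line, peer) for peer, line in samples]


if __name__ == "__main__":
    for (peer, line), verdict in zip(SAMPLES, classify_all()):
        print(f"{peer:15} {line:28} -> {verdict}")
```

An "ok" verdict together with a 425 reply means the advertised address is right and the server's outbound data connection is being dropped somewhere on the way back to the client.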

Timothy Selivanow 06-06-2008 07:30 PM

On Thu, 2008-06-05 at 20:04 -0700, John R Pierce wrote:
> Filipe Brandenburger wrote:
> > On Thu, Jun 5, 2008 at 2:05 PM, Timothy Selivanow
> > <timothy.selivanow@virtualxistenz.com> wrote:
> >
> >> things like 'put' and 'get', etc.), the connection hangs. If you wait a
> >> bit it returns with a "425 Failed to establish connection". I've tried
> >>
> >
> > Is the FTP client behind NAT? If it is then active FTP won't work,
> > since the client will request the server to connect to the internal
> > IP.
> >
>
>
> It's somewhat more complex than that. Many NAT boxes (home routers,
> etc.) recognize FTP on port 21, and monitor the PORT commands, and mangle
> them automatically. A Linux masquerading server can do this too, with
> the right ip_masq module. If the FTP is running on a nonstandard
> port other than 21, the automagic stuff won't work. If the FTP
> /server/ is behind NAT using a port forward, it also gets messy.
>
> There's a detailed discussion of these and other salient points here:
> http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html. It bears
> reading carefully.

There's no NAT'ing occurring in my tests (all machines, including my
workstation, are not using RFC1918 addresses; some of the core routing
infrastructure is, but it's all routable and not NAT'd). There are
various routers and firewalls between my workstation and the hosts, but
all ACLs and firewall rule sets allow my traffic unimpeded to my
testing hosts and the customer's hosts.

The frustrating thing is, it happens on all of the CentOS 5 machines
I've tested on.


--Tim
____________________________________________
< Invest in physics -- own a piece of Dirac! >
--------------------------------------------

