FTP hell: Active/Passive/EPSV not understood

 
 
Chris Carlen

 
      02-10-2004, 03:24 PM
Greetings:

I am not a network administrator but only a desktop administrator, so
the FTP passive/active mode issue still confuses me. I don't need to
configure any servers or firewalls, just want to be able to download
Mozilla.

I often have the "EPSV command not understood" problem when attempting
to FTP. Now I have discovered that sometimes it happens, sometimes it
doesn't, even on the same site (ftp.mozilla.org). Is this problem
related to the configuration of the firewall through which I am trying
to ftp, or the configuration of the remote ftp server, or both? I need
to know who to complain to when it isn't working.

I have read some things saying that the firewall must implement
"connection tracking" or something or other in order for ftp users to
not have such headaches. Is this all there is to it, or are there
server-side configuration requirements too?

Here is a recent transaction, in which the commands I type are working
but they wait an awfully long time before I get the returned data.

crcarle@mango:/home.hda6/crcarle$ ftp ftp.mozilla.org
Trying 129.79.5.133...
Connected to mozilla.ussg.indiana.edu.
220 "[PUBLIC-CLASS] IU-USSG Public Software Mirror"
Name (ftp.mozilla.org:crcarle): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||18370|)
500 Bad EPRT protocol.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
-rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux ->
pub/array2/linux/
drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
drwx------ 3 ftp ftp 22 Feb 09 22:32 test
226 Directory send OK.
ftp> PASV
?Invalid command.
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
227 Entering Passive Mode (129,79,5,133,84,6)
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
-rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux ->
pub/array2/linux/
drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
drwx------ 3 ftp ftp 22 Feb 09 22:32 test
226 Directory send OK.
ftp>

This experience was particularly puzzling because just a few minutes
before, I logged into mozilla.org, typed "ls" and got the "EPSV command
not understood" followed by a long hang.

Any education you can provide this user about how to work through ftp
difficulties would be appreciated.

Thanks.

Good day!


--
____________________________________
Christopher R. Carlen
Principal Laser/Optical Technologist
Sandia National Laboratories CA USA
(E-Mail Removed)

 
 
 
 
 
Cameron Kerr

 
      02-11-2004, 04:23 AM
Chris Carlen <(E-Mail Removed)> wrote:

> I often have the "EPSV command not understood" problem when attempting
> to FTP. Now I have discovered that sometimes it happens, sometimes it
> doesn't, even on the same site (ftp.mozilla.org).


ftp.mozilla.org rotates through various servers, as shown by host:

$ host ftp.mozilla.org
ftp.mozilla.org has address 128.193.0.3
ftp.mozilla.org has address 129.79.5.133
ftp.mozilla.org has address 130.207.108.135
ftp.mozilla.org has address 207.200.85.49
ftp.mozilla.org has address 64.12.168.21
ftp.mozilla.org has address 64.12.168.243

It may be that some are using different FTP software/configuration,
which is quite possible, as the first doesn't even accept the user
guest (which is synonymous with 'anonymous').

You seem to have been using the second server, which works for me ok in
passive mode, and I don't get any messages about EPSV.

> Is this problem related to the configuration of the firewall through
> which I am trying to ftp


It's possible, although if you can ftp to another site and use passive
mode, it should be fine.

> I have read some things saying that the firewall must implement
> "connection tracking" or something or other in order for ftp users to
> now have such headaches. Is this all there is to it, or are there
> server-side configuration requirements too?


For stateful firewalls, the firewall would have to track the FTP session
to figure out what port it should go to, although it doesn't look like
that is your problem.

If that doesn't work, I'm sure you can download it using http.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
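An added example, not code from anyone in this thread, of what "tracking the FTP session" means in practice: it parses the 227 and 229 replies that appear in the transcript above (the 227 port is p1*256 + p2; the 229 reply carries only a port, the host being the control-connection peer) and applies the check a stateful firewall's FTP helper has to make before it opens the data connection, namely that the advertised address is the server the client is already talking to. The function names parse_pasv, parse_epsv and data_connection_allowed are assumptions made for this example.

```python
import re

# Added example (not code from this thread): parse the two passive-mode replies
# seen in the transcript above and apply the check a stateful firewall's FTP
# helper (ip_conntrack_ftp) has to make before it can let the data connection in.
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d+)\|\)")

def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256 + p2)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def parse_epsv(reply, control_peer):
    """'229 Entering Extended Passive Mode (|||port|)' -> (host, port).
    EPSV (RFC 2428) carries only a port; the data connection goes to the
    same host the control connection is already talking to."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return control_peer, port

def data_connection_allowed(control_peer, reply):
    """Decide what an FTP-aware firewall does with one server reply seen on the
    control channel: return the (host, port) to open for the client's outgoing
    data connection, or None if the reply is not a passive-mode reply, is
    malformed, or advertises a host other than the server the client is
    actually connected to (the helper must not open holes to third parties)."""
    try:
        if reply.startswith("227 "):
            host, port = parse_pasv(reply)
        elif reply.startswith("229 "):
            host, port = parse_epsv(reply, control_peer)
        else:
            return None          # e.g. "500 Bad EPRT protocol." opens nothing
    except ValueError:
        return None
    if host != control_peer or port < 1024:
        return None
    return host, port
```

Run against the two replies in the transcript, the 227 line resolves to 129.79.5.133 port 21510 and the 229 line to port 18370 on the same server; a 227 reply naming any other address is refused.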
 
 
stig

 
      02-11-2004, 06:54 AM
Chris Carlen wrote:
> Greetings:
>
> I am not a network administrator but only a desktop administrator, so
> the FTP passive/active mode issue still confuses me. I don't need to
> configure any servers or firewalls, just want to be able to download
> Mozilla.
>
> I often have the "EPSV command not understood" problem when attempting
> to FTP. Now I have discovered that sometimes it happens, sometimes it
> doesn't, even on the same site (ftp.mozilla.org). Is this problem
> related to the configuration of the firewall through which I am trying
> to ftp, or the configuration of the remote ftp server, or both? I need
> to know who to complain to when it isn't working.
>
> I have read some things saying that the firewall must implement
> "connection tracking" or something or other in order for ftp users to
> not have such headaches. Is this all there is to it, or are there
> server-side configuration requirements too?
>
> Here is a recent transaction, in which the commands I type are working
> but they wait an awfully long time before I get the returned data.
>
> crcarle@mango:/home.hda6/crcarle$ ftp ftp.mozilla.org
> Trying 129.79.5.133...
> Connected to mozilla.ussg.indiana.edu.
> 220 "[PUBLIC-CLASS] IU-USSG Public Software Mirror"
> Name (ftp.mozilla.org:crcarle): anonymous
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Entering Extended Passive Mode (|||18370|)
> 500 Bad EPRT protocol.
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
> dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
> -rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
> lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux ->
> pub/array2/linux/
> drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
> drwx------ 3 ftp ftp 22 Feb 09 22:32 test
> 226 Directory send OK.
> ftp> PASV
> ?Invalid command.
> ftp> passive
> Passive mode: on; fallback to active mode: on.
> ftp> ls
> 227 Entering Passive Mode (129,79,5,133,84,6)
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
> dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
> -rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
> lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux ->
> pub/array2/linux/
> drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
> drwx------ 3 ftp ftp 22 Feb 09 22:32 test
> 226 Directory send OK.
> ftp>
>
> This experience was particularly puzzling because just a few minutes
> before, I logged into mozilla.org, typed "ls" and got the "EPSV command
> not understood" followed by a long hang.
>
> Any education you can provide this user about how to work through ftp
> difficulties would be appreciated.
>
> Thanks.
>
> Good day!
>
>


I once had similar problems, so maybe the following will help.
I could hardly use ftp out, and others could not use passive ftp in.

The problem was that I did not have ip_nat_ftp and ip_conntrack_ftp
enabled.

To enable them I added the following two lines at the beginning of my
firewall script (on Red Hat it could be /etc/rc.d/init.d/firewall), both
on desktops and on all routing machines:

insmod ip_nat_ftp
insmod ip_conntrack_ftp

After that I re-ran the firewall script (or restarted it).
Then everything works.
 
 
Chris Carlen

 
      02-11-2004, 05:05 PM
Cameron Kerr wrote:
> Chris Carlen <(E-Mail Removed)> wrote:
>
>
>>I often have the "EPSV command not understood" problem when attempting
>>to FTP. Now I have discovered that sometimes it happens, sometimes it
>>doesn't, even on the same site (ftp.mozilla.org).

>
>
> ftp.mozilla.org rotates through various servers, as shown by host
>
> $ host ftp.mozilla.org
> ftp.mozilla.org has address 128.193.0.3
> ftp.mozilla.org has address 129.79.5.133
> ftp.mozilla.org has address 130.207.108.135
> ftp.mozilla.org has address 207.200.85.49
> ftp.mozilla.org has address 64.12.168.21
> ftp.mozilla.org has address 64.12.168.243
>
> It may be that some are using different FTP software/configuration,
> which is quite possible, as the first doesn't even accept the user
> guest (which is synonomous with 'anonymous').
>
> You seem to have been using the second server, which works for me ok in
> passive mode, and I don't get any messages about EPSV.


Wow, I didn't even know about "host" and to think, I even set up my own
LAN at home with DSL, firewall/router. I only knew to "ping" to find
out IPs, which obviously doesn't reveal multiple servers.

>>Is this problem related to the configuration of the firewall through
>>which I am trying to ftp

>
> It's possible, although if you can ftp to another site and use passive
> mode, it should be fine.


Yes.

>>I have read some things saying that the firewall must implement
>>"connection tracking" or something or other in order for ftp users to
>>now have such headaches. Is this all there is to it, or are there
>>server-side configuration requirements too?

>
>
> For stateful firewalls, the firewall would have to track the FTP session
> to figure out what port it should go to, although it doesn't look like
> that is your problem.
>
> If that doesn't work, I'm sure you can download it using http.


Yes, http works. Why doesn't Mozilla.org use that by default? Does
http require twice the bandwidth? I think it does because it's text and
thus 7-bit, needing two bytes of net data transfer for every 8-bit data
byte, correct?

Thanks for the input.

Good day!


--
____________________________________
Christopher R. Carlen
Principal Laser/Optical Technologist
Sandia National Laboratories CA USA
(E-Mail Removed)

 
 
Chris Carlen

 
      02-11-2004, 05:16 PM
stig wrote:
> I once had similar problems, so maybe the following will help.
> I could hardly use ftp out, and others could not use passive ftp in.
>
> The problem was that I did not have ip_nat_ftp and ip_conntrack_ftp
> enabled.
>
> To enable them I added the following two lines at the beginning of my
> firewall script (on Red Hat it could be /etc/rc.d/init.d/firewall), both
> on desktops and on all routing machines:
>
> insmod ip_nat_ftp
> insmod ip_conntrack_ftp


Hmm, I'll have to check those on my home firewall, which I have control
of. Maybe it would help there, as when I set it up the only thing I
could understand was "black hole mode" which is the highest security,
but sometimes wreaks havoc on FTP.

Can you tell me, are these modules associated with only iptables, or do
they also work with ipchains? I suspect they only work with iptables,
since that is state capable, which ipchains isn't, correct?
Unfortunately if that is the case, I am using ipchains.

But the issue I am having now is at work where I can't control the
firewall. I'm just a user here.

> After that I re-ran the firewall script (or restarted it).
> Then everything works.


Thanks for the input.

Good day!


--
____________________________________
Christopher R. Carlen
Principal Laser/Optical Technologist
Sandia National Laboratories CA USA
(E-Mail Removed)

 
 
Cameron Kerr

 
      02-12-2004, 06:24 AM
Chris Carlen <(E-Mail Removed)> wrote:

> Yes, http works. Why doesn't Mozilla.org use that by default? Does
> http require twice the bandwidth? I think it does because it's text and
> thus 7-bit, needing two bytes of net data transfer for every 8-bit data
> byte, correct?


No, http is 8-bit clean (it sends binary objects all the time, consider
jpeg images et al.)

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
Cameron Kerr

 
      02-12-2004, 06:34 AM
stig <_(E-Mail Removed)> wrote:

> The problem was that I did not have ip_nat_ftp and ip_conntrack_ftp
> enabled.
>
> To enable them I added the following two lines at the beginning of my
> firewall script (on Red Hat it could be /etc/rc.d/init.d/firewall), both
> on desktops and on all routing machines:
>
> insmod ip_nat_ftp
> insmod ip_conntrack_ftp


Neither of these should be required on a modern system. I never have to
add them to mine, and the modules are all loaded automatically by kmod.

Mind you, I have neither of those modules loaded currently, and I don't
have any problems using passive ftp. Mind you, passive ftp was designed
for that scenario (behind firewalls).

You should only need to have connection tracking enabled for machines
that have firewall rulesets.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 