FTP hell: Active/Passive/EPSV not understood

Discussion in 'Linux Networking' started by Chris Carlen, Feb 10, 2004.

  1. Chris Carlen

    Greetings:

    I am not a network administrator but only a desktop administrator, so
    the FTP passive/active mode issue still confuses me. I don't need to
    configure any servers or firewalls, just want to be able to download
    Mozilla.

    I often have the "EPSV command not understood" problem when attempting
    to FTP. Now I have discovered that sometimes it happens, sometimes it
    doesn't, even on the same site (ftp.mozilla.org). Is this problem
    related to the configuration of the firewall through which I am trying
    to ftp, or the configuration of the remote ftp server, or both? I need
    to know who to complain to when it isn't working.

    I have read some things saying that the firewall must implement
    "connection tracking" or something or other in order for ftp users to
    not have such headaches. Is this all there is to it, or are there
    server-side configuration requirements too?

    Here is a recent transaction, in which the commands I type are working
    but they wait an awfully long time before I get the returned data.

    [email protected]:/home.hda6/crcarle$ ftp ftp.mozilla.org
    Trying 129.79.5.133...
    Connected to mozilla.ussg.indiana.edu.
    220 "[PUBLIC-CLASS] IU-USSG Public Software Mirror"
    Name (ftp.mozilla.org:crcarle): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    229 Entering Extended Passive Mode (|||18370|)
    500 Bad EPRT protocol.
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
    -rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
    lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux -> pub/array2/linux/
    drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
    drwx------ 3 ftp ftp 22 Feb 09 22:32 test
    226 Directory send OK.
    ftp> PASV
    ?Invalid command.
    ftp> passive
    Passive mode: on; fallback to active mode: on.
    ftp> ls
    227 Entering Passive Mode (129,79,5,133,84,6)
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    dr-x------ 3 ftp ftp 42 Dec 31 00:24 iu-only
    -rw-r--r-- 1 ftp ftp 220 Feb 02 18:16 iu-only.README
    lrwxrwxrwx 1 ftp ftp 17 Dec 26 20:09 linux -> pub/array2/linux/
    drwxr-xr-x 20 ftp ftp 4096 Jan 21 16:09 pub
    drwx------ 3 ftp ftp 22 Feb 09 22:32 test
    226 Directory send OK.
    ftp>

    This experience was particularly puzzling because just a few minutes
    before, I logged into mozilla.org, typed "ls" and got the "EPSV command
    not understood" followed by long hang problem.

    Any education you can provide this user about how to work through ftp
    difficulties would be appreciated.

    Thanks.

    Good day!


    --
    ____________________________________
    Christopher R. Carlen
    Principal Laser/Optical Technologist
    Sandia National Laboratories CA USA
     
    Chris Carlen, Feb 10, 2004
    #1

  2. Cameron Kerr

    ftp.mozilla.org rotates through various servers, as shown by host

    $ host ftp.mozilla.org
    ftp.mozilla.org has address 128.193.0.3
    ftp.mozilla.org has address 129.79.5.133
    ftp.mozilla.org has address 130.207.108.135
    ftp.mozilla.org has address 207.200.85.49
    ftp.mozilla.org has address 64.12.168.21
    ftp.mozilla.org has address 64.12.168.243

    It may be that some are using different FTP software/configuration,
    which is quite possible, as the first doesn't even accept the user
    guest (which is synonymous with 'anonymous').

    You seem to have been using the second server, which works for me ok in
    passive mode, and I don't get any messages about EPSV.
    It's possible, although if you can ftp to another site and use passive
    mode, it should be fine.
    For stateful firewalls, the firewall would have to track the FTP session
    to figure out what port it should go to, although it doesn't look like
    that is your problem.

    If that doesn't work, I'm sure you can download it using http.
     
    Cameron Kerr, Feb 11, 2004
    #2

  3. stig

    I once had similar problems, so maybe the following will help.
    I could hardly use ftp out, and others could not use passive ftp in.

    The problem was that I did not have ip_nat_ftp and ip_conntrack_ftp
    enabled.

    To enable it I added the following two lines at the beginning of my
    firewall script (on Red Hat it could be /etc/rc.d/init.d/firewall), both
    on desktops and on all routing machines:

    insmod ip_nat_ftp
    insmod ip_conntrack_ftp

    After that I re-ran the firewall script (or restarted it).
    Then all works.
     
    stig, Feb 11, 2004
    #3
  4. Chris Carlen

    Wow, I didn't even know about "host" and to think, I even set up my own
    LAN at home with DSL, firewall/router. I only knew to "ping" to find
    out IPs, which obviously doesn't reveal multiple servers.
    Yes, http works. Why doesn't Mozilla.org use that by default? Does
    http require twice the bandwidth? I think it does because it's text and
    thus 7-bit, needing two bytes of net data transfer for every 8-bit data
    byte, correct?

    Thanks for the input.

    Good day!


    Chris Carlen, Feb 11, 2004
    #4
  5. Chris Carlen

    Hmm, I'll have to check those on my home firewall, which I have control
    of. Maybe it would help there, as when I set it up the only thing I
    could understand was "black hole mode" which is the highest security,
    but sometimes wreaks havoc on FTP.

    Can you tell me, are these modules associated with only iptables, or do
    they also work with ipchains? I suspect they only work with iptables,
    since that is state capable, which ipchains isn't, correct?
    Unfortunately if that is the case, I am using ipchains.

    But the issue I am having now is at work where I can't control the
    firewall. I'm just a user here.
    Thanks for the input.

    Good day!


    Chris Carlen, Feb 11, 2004
    #5
  6. Cameron Kerr

    No, http is 8-bit clean (it sends binary objects all the time, consider
    jpeg images et al.)
     
    Cameron Kerr, Feb 12, 2004
    #6
  7. Cameron Kerr

    Neither of these should be required on a modern system. I never have to
    add it to mine, and the modules are all loaded automatically by kmod.

    Mind you, I have neither of those modules loaded currently, and I don't
    have any problems using passive ftp. Mind you, passive ftp was designed
    for that scenario (behind firewalls).

    You should only need to have connection tracking enabled for machines
    that have firewall rulesets.
     
    Cameron Kerr, Feb 12, 2004
    #7
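Added worked example (not code from any post in the thread): the data-channel negotiation from the transcript in the first post, with the parsing and the sanity checks that a client, and equally the ip_conntrack_ftp helper stig mentions, must run before using or pinholing the data connection. The server replies are the ones in the transcript; the client address 10.0.0.5, the client's EPSV/EPRT/PORT commands (which the ftp program sends without echoing them) and the `D:` lines standing in for the outcome of the data-connection attempt are constructed.

```python
"""FTP data-channel negotiation, worked through on the transcript in post #1.
Added example, not code from the thread. The server replies are the real ones;
the client address 10.0.0.5, the client commands and the "D:" lines are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "passive": client connects to host:port; "active": server does
    host: str
    port: int


def parse_hostport6(text: str) -> tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2): the encoding shared by
    the 227 reply and the PORT command."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    nums = [int(g) for g in m.groups()] if m else []
    if len(nums) != 6 or max(nums) > 255:
        raise ValueError(f"bad host/port encoding: {text!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_epsv(reply: str) -> int:
    """229 Entering Extended Passive Mode (|||port|), RFC 2428: no address is
    sent, the client reuses the control connection's peer."""
    m = re.match(r"229 .*\((.)\1\1(\d+)\1\)", reply)
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(2))


def endpoint_problems(expected: str, host: str, port: int) -> list[str]:
    """Sanity checks before using or pinholing a data endpoint. For a 227 reply
    `expected` is the control peer (a different address is a redirect; curl's
    --ftp-skip-pasv-ip ignores it); for PORT it is the client itself (anything
    else is the FTP bounce attack, RFC 2577 section 3)."""
    out = []
    if host != expected:
        out.append(f"endpoint {host} is not the expected host {expected}")
    if port < 1024:
        out.append(f"port {port} is privileged")
    return out


def negotiate(server_addr: str, exchange: list[str]) -> tuple[DataChannel, list[str]]:
    """Walk a 'C: '/'S: '/'D: ' transcript. 'D: ok' or 'D: <failure>' stands for
    the data connection attempt, the step the client in the thread hung on before
    falling back. Returns the channel that finally worked plus the history.
    EPRT is only tracked for its rejection; its acceptance is not modelled."""
    pending, agreed, history = None, None, []
    for line in exchange:
        who, _, text = line.partition(": ")
        text = text.strip()
        if who == "C":
            pending = text
        elif who == "D" and agreed is not None and text != "ok":
            history.append(f"{agreed.mode} data connection to "
                           f"{agreed.host}:{agreed.port} {text}")
            agreed = None
        elif who == "S" and pending:
            verb, code = pending.split()[0].upper(), text[:3]
            if code == "229" and verb == "EPSV":
                agreed = DataChannel("passive", server_addr, parse_epsv(text))
            elif code == "227" and verb == "PASV":
                agreed = DataChannel("passive", *parse_hostport6(text))
            elif code == "200" and verb == "PORT":
                agreed = DataChannel("active", *parse_hostport6(pending))
            elif code[0] in "45":
                history.append(f"{verb} rejected: {text}")
    if agreed is None:
        raise RuntimeError("no usable data channel: " + "; ".join(history))
    return agreed, history


def related_flow(ch: DataChannel, client_addr: str, server_addr: str) -> tuple[str, str, int]:
    """(initiator, responder, responder port) of the data connection: the NEW
    TCP connection a stateful firewall must let through, and what ip_conntrack_ftp
    marks RELATED after parsing the same control-channel text. Passive mode makes
    it outbound from the client; active mode makes it inbound to the client."""
    if ch.mode == "passive":
        return client_addr, ch.host, ch.port
    return server_addr, ch.host, ch.port     # server connects, normally from port 20


# The first "ls" in the transcript: EPSV accepted but no data ever arrived,
# EPRT refused, PORT finally accepted. Client-side lines are constructed.
TRANSCRIPT_LS1 = [
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||18370|)",
    "D: timed out",
    "C: EPRT |1|10.0.0.5|40001|",
    "S: 500 Bad EPRT protocol.",
    "C: PORT 10,0,0,5,156,65",
    "S: 200 PORT command successful. Consider using PASV.",
    "D: ok",
]

if __name__ == "__main__":
    ch, hist = negotiate("129.79.5.133", TRANSCRIPT_LS1)
    print(ch, hist, related_flow(ch, "10.0.0.5", "129.79.5.133"), sep="\n")
```

Two things the transcript implies and the code makes explicit. The 229 reply was accepted on the control channel, so for the client to go on and send EPRT the passive data connection to port 18370 must have failed first; that failed attempt is the long wait before the fallback to PORT, and the second `ls` in the transcript (227, then "200 PORT command successful") shows the same fallback in plain passive mode. And in passive mode the data connection is outbound from the client, which is why it works behind a firewall with no helper loaded, while active mode turns it into an inbound connection that a stateful client-side firewall drops unless the FTP helper has parsed the PORT command and marked the flow RELATED. The same parsing is also where the bounce and redirect checks belong: a helper that opens whatever PORT or 227 names, without comparing it to the peer, is a pinhole anyone on the control channel can aim.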
