
Ftp between SCO. 550 Requested action not taken


Iain Sharp

Sep 27, 2001, 11:36:57 AM

I am trying to configure ftp between two SCO 5.0.6 machines, each with
a firewall and NAT in place.

I have worked out that I have to switch passive mode on, or remote
commands fail... (such as ls)

I can get files (using get), but when I try to put them (using put) it
returns the error message :-
550 Requested action not taken

I altered inetd.conf at the remote site, and added a -d to the ftpd.
syslog shows no indication of receiving the put command.

I have asked the remote site to check if their firewall could be
blocking this transaction (and the delete transaction which returns
the same error)

Where should I look next?

Iain Sharp

Matt Schalit

Sep 27, 2001, 1:44:00 PM


Increase the logging of all commands in /etc/ftpaccess,

log commands real,anonymous

You got a response from the server, "550 Requested action not taken."
I think it got the request. Perhaps you need to enable incoming
data to be put. Perhaps you need to allow delete, rename, chmod,
etc., in ftpaccess.

Regards,
Matthew

Iain Sharp

Sep 28, 2001, 4:55:19 AM

On Thu, 27 Sep 2001 17:44:00 GMT, msch...@pacbell.net (Matt Schalit)
wrote:

Neither of these appear to have made a difference, to either the log
file or the actions.

Here's the transaction as it appears from either side.

Iain

My side of the transfer.
Connected to remoteserver.
220-
220 remoteserver FTP server (Version 2.1WU(1)+SCO-2.6.1+-sec) ready.
Name (remoteserver:localuser): remoteuser
331 Password required for remoteuser.
Password:
230 User remoteuser logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> lc <directory>
Local directory now <directory>
ftp> put wrapping.Z
local: wrapping.Z remote: wrapping.Z
227 Entering Passive Mode (nnn,nnn,nnn,nnn,212,194)


550 Requested action not taken

ftp> quit
221 Goodbye.


The remote log file (from /usr/adm/syslog)

Sep 28 09:50:09 remoteserver ftpd[1979]: Kerberos V5: error while
constructing principal name: Unknown code DCE:krb 135 (336760967)
Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 220-
Sep 28 09:50:09 remoteserver ftpd[1979]:
Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 220
Sep 28 09:50:09 remoteserver ftpd[1979]: remoteserver FTP server
(Version 2.1WU(1)+SCO-2.6.1+-sec) ready.
Sep 28 09:50:09 remoteserver ftpd[1979]: command: AUTH KERBEROS_V5^M
Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 334
Sep 28 09:50:09 remoteserver ftpd[1979]: Using authentication type
KERBEROS_V5: ADAT must follow
Sep 28 09:50:11 remoteserver ftpd[1979]: command: USER username^M
Sep 28 09:50:11 remoteserver ftpd[1979]: <--- 331
Sep 28 09:50:11 remoteserver ftpd[1979]: Password required for
username.
Sep 28 09:50:11 remoteserver ftpd[1979]: USER username
Sep 28 09:50:12 remoteserver ftpd[1979]: command: PASS ****^M
Sep 28 09:50:12 remoteserver ftpd[1979]: PASS password
Sep 28 09:50:12 remoteserver ftpd[1979]: <--- 230
Sep 28 09:50:12 remoteserver ftpd[1979]: User username logged in.
Sep 28 09:50:12 remoteserver ftpd[1979]: command: SYST^M
Sep 28 09:50:12 remoteserver ftpd[1979]: SYST
Sep 28 09:50:12 remoteserver ftpd[1979]: <--- 215
Sep 28 09:50:12 remoteserver ftpd[1979]: UNIX Type: L8 (SCO UNIX
Release 3.2v5.0.6 [on PentIII], KID 2000-07-27).
Sep 28 09:50:13 remoteserver ftpd[1979]: command: TYPE I^M
Sep 28 09:50:13 remoteserver ftpd[1979]: TYPE Image
Sep 28 09:50:13 remoteserver ftpd[1979]: <--- 200
Sep 28 09:50:13 remoteserver ftpd[1979]: Type set to I.
Sep 28 09:50:33 remoteserver ftpd[1979]: command: PASV^M
Sep 28 09:50:33 remoteserver ftpd[1979]: PASV
Sep 28 09:50:33 remoteserver ftpd[1979]: <--- 227
Sep 28 09:50:33 remoteserver ftpd[1979]: Entering Passive Mode
(nnn,nnn,nnn,nnn,14,150)
Sep 28 09:51:50 remoteserver ftpd[1979]: command: QUIT^M
Sep 28 09:51:50 remoteserver ftpd[1979]: QUIT
Sep 28 09:51:50 remoteserver ftpd[1979]: <--- 221
Sep 28 09:51:50 remoteserver ftpd[1979]: Goodbye.

Matt Schalit

Sep 28, 2001, 1:27:35 PM

Ok, I don't see anything either, except for
the fact that the passive ports don't match.
One side says,

>227 Entering Passive Mode (nnn,nnn,nnn,nnn,212,194)

but the other side says,

>Sep 28 09:50:33 remoteserver ftpd[1979]: Entering Passive Mode (nnn,nnn,nnn,nnn,14,150)


Those translate into: 255 * 212 + 194 = 54254
and 255 * 14 + 150 = 3720

So one side is saying, "I'll listen for you to start a connection on
port 3720," but the other side got the message as, "I'll listen for you
to start a connection on port 54254."

Why the difference?

1) You cut and pasted the wrong log section.

2) You have a router doing NAT between server and client.

You'll have to enlighten us, before this is going to
make much sense. In addition, go ahead and post your
/etc/ftpaccess.

Good Luck,
Matt

Brian K. White

Sep 28, 2001, 3:50:47 PM

"Matt Schalit" <msch...@pacbell.net> wrote in message
news:3bb4b0c7...@news.sf.sbcglobal.net...


what kind of routers cause these problems?
I have most of my customers as well as myself set up with a unix server on a
non-routable lan with a router doing nat to a dsl or cable or t1, and the
routers are set to forward incoming traffic on some or all ports to the unix
box local IP

the routers are all different,
* a redhat 6.2 box here in my office
* commodity linksys, d-link, and netgear $150 wonder boxes
* dsl router/modems from netopia, flowpoint, lucent

in all cases I can ftp directly from one unix box behind nat, over internet,
to another unix box behind nat, without any trouble at all, either
direction... I do it all day every day.

the "unix" boxes are mostly open server 5.0.4, some 5.0.5, a few 5.0.6, a
few linux, and a few FreeBSD

I never explicitly configure any passive options in the ftp clients, though
I never looked to see if they come configured for passive by default.

I never have trouble ftping from the windows machine on the lans either.

I have never touched an ftpaccess file in my life yet.

Just curious because I do see other people and various docs mention special
difficulties with ftp and nat, and I just have never seen any problem so
far.

Maybe I'm just lucky that I got in the game late enough that by now all
routers already include some kind of special knowledge of the ftp protocol
in order to automagically work around the problem? I know on linux, part of
the rc script that sets up the nat loads a special module for ftp along with
a few others, though I don't know what it does exactly. but on most of the
routers I set up, I just include port 21 as just another of the tcp ports to
forward into the unix box, without saying anything special about it.


--
Brian K. White -- br...@aljex.com -- http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO Prosper/FACTS AutoCAD #callahans Satriani

Matt Schalit

Sep 29, 2001, 3:24:56 PM


Ftp is a joyous protocol. It's so interesting that I ended up writing
a few things about it, one modestly called, "How FTP works," that
borrowed on the knowledge I learned from the Grasshopper book. Heh.

Luckily, Scott Best rewrote that. If you really want to know what's
going on, read his paper. Either way, I'll continue, below the link:

ftp://ftp.echogent.com/docs/FTP_and_Firewalls.pdf


As far as routers are concerned, there are four ftp scenarios
they'll see with or without NAT. Those four scenarios are much
more complicated with NAT.

The 4 FTP scenarios that can occur on the inside LAN:
-------------------------------------------------------------
1) An ftp client communicating in active mode.
2) An ftp client communicating in passive mode.

3) An ftp server communicating in active mode.
4) An ftp server communicating in passive mode.


To do this on a MASQ'd LAN,

* the router needs an ip_masq_ftp.o module for scenario (1)
that scans for ftp client PORT commands, and opens up
a temporary hole in the firewall for the remote
ftpd's ip address to make a new data connection to
the ftp client's IP, on the port it snooped out of the
PORT command packet. The MS-DOS command line ftp program
is an example of this scenario. It only does active ftp.

* the router needs nothing special for (2). Netscape and IE
are examples of this scenario. They do passive ftp.

* the router needs port open to new connections and
a tunnel, perhaps using ipforward, mapping 21 <----> 21,
for scenario (3).

* the router needs port 21 open and tunneled 21 <---> 21 for
new connections, the router needs a range of ports open and
tunneled one to one to the ftpd, like this:

50,000 - 50,200 <--------> 50,000 - 50,200

And then the ftpd itself needs to have a command in its
ftpaccess that tells the ftpd:

1) Passive requests from the internal LAN to the
internal ftpd are handled normally.

2) Passive requests from the Internet need to be
told the firewall's IP address is the one to
start the data connection to.

3) Passive requests from the Internet need to be
told to connect to one port on the firewall
that's within the range 50,000 through 50,200.

All this is done for scenario (4).


>I have most of my customers as well as myself set up with a unix server on a
>non-routable lan with a router doing nat to a dsl or cable or t1, and the
>routers are set to forward incoming traffic on some or all ports to the unix
>box local IP
>
>the routers are all different,
> * a redhat 6.2 box here in my office

This would behave exactly as I described.

> * commodity linksys, d-link, and netgear $150 wonder boxes

These are different and don't firewall and tunnel like a
normal firewall does. They work by dynamic rulesets that
can create tunnels on the fly as they inspect the packets
going in and out. They are purposely built to make ftp
work on the fly. They are not good firewalls. I think
"wonder" is the appropriate term :)


> * dsl router/modems from netopia, flowpoint, lucent


Hard to categorize, as I don't own them, but any item
these days can be made to take into account the four
scenarios. We're a long way away from three years ago.

>in all cases I can ftp directly from one unix box behind nat, over internet,
>to another unix box behind nat, without any trouble at all, either
>direction... I do it all day every day.


It's no fun to get bogged down in ftp nonsense.
Be happy that it works. If you're interested in
security and firewalls, though, you have a lot of
work to do. You'd at least need to understand
what's being blocked or not, and what's being
forwarded.

>the "unix" boxes are mostly open server 5.0.4, some 5.0.5, a few 5.0.6, a
>few linux, and a few FreeBSD
>
>I never explicitly configure any passive options in the ftp clients, though
>I never looked to see if they come configured for passive by default.


If it's unix command line ftp, then it's active by default.
If it's ever using netscape, then that's passive by default.


>I never have trouble ftping from the windows machine on the lans either.

Same as above, except that the command line ftp is active only.


>I have never touched an ftpaccess file in my life yet.

That may be ok for some situations. Security through
obscurity has been known to work.

>Just curious because I do see other people and various docs mention special
>difficulties with ftp and nat, and I just have never seen any problem so
>far.


Make a joyful sound.


>Maybe I'm just lucky that I got in the game late enough that by now all
>routers already include some kind of special knowledge of the ftp protocol
>in order to automagically work around the problem? I know on linux, part of
>the rc script that sets up the nat loads a special module for ftp along with
>a few others, though I don't know what it does exactly. but on most of the
>routers I set up, I just include port 21 as just another of the tcp ports to
>forward into the unix box, without saying anything special about it.
>
>
>--

Ok then. Looks like a good place to stop.
Matt
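
The two 227 replies compared earlier in the thread and the scenario (4) requirements in the post above can be checked mechanically. The following is an added example, not part of any poster's message: it decodes the PASV tuple as RFC 959 defines it (port = p1 * 256 + p2), compares what ftpd logged with what the client received, and checks the advertised address and port against the 50,000 - 50,200 forwarding range from the post. The sample addresses are constructed (the thread masks the real ones as nnn) and the function names are hypothetical.

```python
import ipaddress
import re

# Tuple h1,h2,h3,h4,p1,p2 carried in a 227 reply (RFC 959).
PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply or an ftpd debug log line."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("no PASV tuple in %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    # The port is sent as two octets, high byte first: p1 * 256 + p2.
    return ip, nums[4] * 256 + nums[5]

def audit_pasv(client_line, server_line, fwd_ports=(50000, 50200)):
    """List problems in what the client was told, given what ftpd logged."""
    c_ip, c_port = parse_pasv(client_line)
    s_ip, s_port = parse_pasv(server_line)
    findings = []
    if (c_ip, c_port) != (s_ip, s_port):
        # A device between the two hosts edited the control-channel reply.
        findings.append("rewritten in transit: ftpd sent %s:%d, client saw %s:%d"
                        % (s_ip, s_port, c_ip, c_port))
    if any(c_ip in net for net in RFC1918):
        # Scenario (4), item 2: Internet clients need the firewall's address.
        findings.append("client told to connect to private address %s" % c_ip)
    if not fwd_ports[0] <= c_port <= fwd_ports[1]:
        # Scenario (4), item 3: the port must fall inside the tunneled range.
        findings.append("port %d is outside forwarded range %d-%d"
                        % (c_port, fwd_ports[0], fwd_ports[1]))
    return findings

# Constructed sample lines; only the port octets match the thread.
CLIENT_SAW = "227 Entering Passive Mode (203,0,113,10,212,194)"
FTPD_LOGGED = "ftpd[1979]: Entering Passive Mode (192,168,1,5,14,150)"

if __name__ == "__main__":
    for finding in audit_pasv(CLIENT_SAW, FTPD_LOGGED):
        print(finding)
```

The range check applies to the static one-to-one forwarding described for scenario (4); a router that opens data ports dynamically will advertise ports outside any fixed range.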

Brian K. White

Sep 29, 2001, 4:44:30 PM

> >Just curious because I do see other people and various docs mention special
> >difficulties with ftp and nat, and I just have never seen any problem so
> >far.
>
>
> Make a joyful sound.

Will do!
Thanks, that was interesting and enlightening.
