glen herrmannsfeldt wrote 2013-05-20 22:32:
> Jan-Erik Soderholm <
jan-erik....@telia.com> wrote:
>> David Froble wrote 2013-05-20 21:29:
>>> Jan-Erik Soderholm wrote:
>
> (snip)
>>>> It's setup when the connection is created inthe first place.
>
> (snip)
>>>> I get the same "problem". I can not use the CLI FTP tool in Win7
>>>> against a local VMS system if I do not shutdown the Win7 firewall. I
>>>> tried to disable the "File Transfer" iten (which seems to run the
>>>> /windows/system32/ftp.exe program) but that didn't help.
>
> (snip)
>>> Maybe this is sort of like teaching you to walk and chew
>>> gum at the same time. If so, I apologize.
>
>>> The "known" port for FTP is used for commands. FTP then opens another
>>> random port for data transfer. At least this is my understanding. If
>>> I'm wrong, well, it sure won't be the first time.
>
>> Yes, the FTP client listening on some "high" port number and also
>> sends that port number over to the other side to start sending to.
>
> Yes. But the confusing part for firewalls is that the connection
> comes from the server back to the client. That is, the first
> packet of the connection is sent from the server.
Correct, and the firewall (any firewall looking at traffic from
the server back to the client) has to pass that. And it does
work if one configures the Windows firewall to accept it.
I though that is was more or less standard to accept incomming
calls to un-priviliged ports (ports above 1023, right?).
>
>> In *passive* mode it does not. Passive mode uses the standard
>> (already opened) channel to transfer the data. More or less.
>
> But, last I knew, the MS ftp client didn't support it.
>
Correct. Forgot to mention that. Reflection FTP has a check
box for "use passive mode", and it works.
Now, I didn't investigate it fully, but there seems to be
different defaults for "File Transfer" in the Win7 firewall
between "Private Networks" and "Workplace" (and I guess
"Public Network"). But no matter what the default is, it
does look as you would be able to change it.
> But wget does, so I use that instead.
>
>>> So, if VMS tries to open some random port back on the
>>> weendoze system,...
>
>> Not random! It opens the port the FTP client on Windows has
>> asked it to open.
>
> Well, usually the port is supplied by the OS, and, at least in
> recent years it is supposed to be random. There are some attacks
> that work by being able to predict the port that will be used
> for a connection. Some systems would assign them, for example,
> sequentially making them easy to predict.
It's not random to the VMS system, it is told which port to use.
It is the client that picks a random port (or get it from the OS).
But maybe we are talking about the same thing... :-)
>
>> Note that this worked when the Windows firewall is configured to
>> accept a call according to the "File Transfer" rule. The rule
>> has to be enabled and it has to be configured to "accept".
>> Or the firewall has to be (temporarily) disabled.
>
> If VMS supports passive, find a client, such as wget, that
> supports it. Much easier that way.
>
Now, I have HGFTP on my system together with TCPIP FTP so
I might mix them up, but one of them supports passive... :-)
Regards,
Jan-Erik.
> -- glen
>