
still having ftp issue


Chris

Oct 5, 2009, 3:24:50 PM
Still having a ftp filter problem (unloading ipflt fixes
problem). I am trying to get ftp proxy working.

Per Craig's advice I have only one ftp filter
(ftp-port-pasv-st) from public to public. The proxy appears
to be set up properly as I can log into external proxy sites.
However, I cannot list the contents of the external ftp
site directory. I get disconnected after about 30 seconds.
With ipflt unloaded the connection and listing is almost
instantaneous. Not sure why I can connect but not list the
directory???????????

Any thoughts? Thanks, Chris.


Craig Johnson

Oct 5, 2009, 4:51:38 PM
Can you restate the entire issue & setup in this thread? (Partly so
someone else reading here will see what is going on - it may save
headaches for others).

The public/public part is for inbound or outbound proxy-related
traffic. (Depends if you set a source or destination IP address).

Is there a chance this is not standard FTP?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Chris

Oct 6, 2009, 7:48:12 AM
Sure.

I am trying to set up an ftp proxy on our BM39sp2 server. As
part of the proxy setup I have set the ftp-port-pasv-st
filter from public to public. I have also added an ftp
access rule to allow traffic from my admin workstation
(source ip). User authentication is set to none.

Given the above I then attempt to connect to our web host
site via ftp to update some files. I use the FireFTP plugin
to Firefox. Login goes fine but then the session dies on
LIST:

false 903
FireFTP 1.0.6 'Human Being' created by Mime Čuvalo

220 Service Ready
USER XXX...@www.vrapc.com
331 Password required for XXXXXXXX
PASS (password not shown)
230 User vrapc logged in
FEAT
211-Features:
MDTM
MFMT
MFF modify;UNIX.group;UNIX.mode;
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
REST STREAM
SIZE
211 End
PWD
257 "/" is the current directory
TYPE A
200 Type set to A
PORT 10,1,1,199,14,194
200 PORT command successful
LIST
QUIT

As shown above the session dies after the list command is
issued. Unloading ipflt results in:

200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
226 Transfer complete


Hope this description makes sense, Chris.
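
Decoding the PORT argument from the log above, as an added example that is not part of the original post: it extracts the address and port the client asked the server to connect back to, and checks whether a data command ever received a 125/150 reply. The two transcripts are constructed from the lines quoted in the post, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the control-channel lines quoted in the post above.
FAILING = """PORT 10,1,1,199,14,194
200 PORT command successful
LIST
QUIT"""
WORKING = """PORT 10,1,1,199,14,194
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
226 Transfer complete"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
DATA_CMDS = {"LIST", "NLST", "MLSD", "RETR", "STOR"}

def decode_port(line):
    """Decode an RFC 959 PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None  # each field is a single byte
    return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def diagnose(transcript):
    """Summarise how the data channel was negotiated and whether it opened."""
    out = {"mode": None, "endpoint": None, "private": None, "data_opened": False}
    awaiting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        endpoint = decode_port(line)
        if endpoint:
            # Active mode: the server must connect back to this address/port.
            out.update(mode="active", endpoint=endpoint,
                       private=endpoint[0].is_private)
        elif line.split(" ")[0] in ("PASV", "EPSV"):
            out["mode"] = "passive"
        elif line.split(" ")[0] in DATA_CMDS:
            awaiting = True
        elif awaiting and line[:3] in ("125", "150"):
            out["data_opened"] = True  # server reported the data connection
            awaiting = False
    return out

if __name__ == "__main__":
    for name, log in (("filtered", FAILING), ("ipflt unloaded", WORKING)):
        print(name, diagnose(log))
```

A private address in PORT means the server's connect-back can only succeed if a device on the path tracks or rewrites that command.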


Craig Johnson

Oct 6, 2009, 2:11:40 PM
In article <4ACAF63B.CE15.0032.0@N0_$pam.vrapc.com>, Chris wrote:
> Given the above I then attempt to connect to our web host
> site via ftp to update some files. I use the FireFTP plugin
> to Firefox. Login goes fine but then the session dies on
> LIST:
>
OK, I suspect what is happening here is that you are not actually using
the ftp proxy. (The syntax is complicated). You are probably just
trying to connect directly to the origin FTP server, and it works when
you drop the filters. One way to test that theory is to add another
ftp-port-pasv-st filter exception from private to public, and see if
ftp works. If so, you're just trying to go out via NAT.

Do you have a copy of my BMgr 3.x book? I have several examples in
there that show how to use FTP Proxy, with and without authentication.
You probably want to test with DOS FTP at first - if you can do that,
you'll understand how the syntax works.

Chris

Oct 7, 2009, 2:29:15 PM
>
> Do you have a copy of my BMgr 3.x book? I have several
> examples in
> there that show how to use FTP Proxy, with and without
> authentication.
> You probably want to test with DOS FTP at first - if you
> can do that,
> you'll understand how the syntax works.
>

Yes, of course I do. It is the first thing I consult. I
can usually figure most things out from your examples, but
this ftp one is really annoying.

BTW, I dumped the proxy and changed the filter
(ftp-port-pasv-st) from private to public. Same results:
Can connect but the ls command fails.


Craig Johnson

Oct 7, 2009, 7:49:58 PM
In article <4ACCA5BB.CE15.0032.0@N0_$pam.vrapc.com>, Chris wrote:
> BTW, I dumped the proxy and changed the filter
> (ftp-port-pasv-st) from private to public. Same results:
> Can connect but the ls command fails.
>
Is this passive mode FTP?

Chris

Oct 8, 2009, 8:41:21 AM
To be honest I don't know what my web provider runs. I just
tested with another site (don't ask me why it took this long
to try) and everything works fine. But I thought the
port-pasv filter took care of all that??


Chris

Oct 8, 2009, 8:46:05 AM
Yes, it looks like my provider is using pasv mode.


Chris

Oct 8, 2009, 9:07:35 AM
SOLVED. Craig. Thanks for your time. Your last post got
me thinking it may be my provider's problem. Sure enough
they have a separate ftp site setup for people connecting
from behind corporate firewalls like BM. Gave the new site
a try and bingo.

What a freakin' PITA and waste of time.

Thanks again for your help.

One last thing. For those reading this thread and have not
purchased Craig's book, go buy it now! It is one way of
saying thanks to Craig for his help on this forum.


Craig Johnson

Oct 8, 2009, 3:24:05 PM
In article <4ACDABD6.CE15.0032.0@N0_$pam.vrapc.com>, Chris wrote:
> SOLVED. Craig. Thanks for your time. Your last post got
> me thinking it may be my provider's problem. Sure enough
> they have a separate ftp site setup for people connecting
> from behind corporate firewalls like BM. Gave the new site
> a try and bingo.

Ah - thanks for the feedback!

On the filtering end, if you have more than one stateful FTP filter
exception, and they overlap (same source & destination), I've seen them
interfere with each other. Just the one ftp-port-pasv-st exception
should work, but adding an ftp-port-st into the mix can break things.
When a client hires me to look at their filtering issues, this is one
of the things I look for.

>
> One last thing. For those reading this thread and have not
> purchased Craig's book, go buy it now! It is one way of
> saying thanks to Craig for his help on this forum.
>

Thanks! (Yes, it would help...)
