Why doesn’t the connection go on with LIST directories?

  • #27963
    Anonymous
    Participant

    Hello, just installed Cerberus.

    I have a router and the IP for PASV is the correct address of the router.

    The router is NAT enabled, ports 21 & 22 redirected on this computer, port 80 on another computer on the LAN.

    The structure of virtual directory is composed, following the root /, by five folders located in two HDs.

    The accesses are one for anonymous and one for user with PWD.

    This is a log for two connections as I usually get.

    Why doesn’t the connection go on with the list of directories and allow browsing in them, and why does the connection fail?

    Thanks for your help.


    Tue Aug 12 17:11:28 2003 Vendor: GenuineIntel

    Tue Aug 12 17:11:28 2003 CPU: Intel Celeron

    Tue Aug 12 17:11:28 2003 Number of Processors: 1

    Tue Aug 12 17:11:28 2003 Operating System: Microsoft Windows 98

    Tue Aug 12 17:11:28 2003 Cerberus FTP Server started

    Tue Aug 12 17:11:28 2003 Local Host: 192

    Tue Aug 12 17:11:28 2003 Local Interface 0 located at 192.168.0.3

    Tue Aug 12 17:11:28 2003 Listening on Port 21

    Tue Aug 12 17:13:19 2003 0 Incoming connection request on interface 192.168.0.3

    Tue Aug 12 17:13:19 2003 0 Connection request accepted from 80.23.152.41

    Tue Aug 12 17:13:19 2003 0 USER anonymous

    Tue Aug 12 17:13:19 2003 0 230 User anonymous logged in

    Tue Aug 12 17:13:19 2003 0 OPTS utf8 on

    Tue Aug 12 17:13:19 2003 0 502 Unrecognized or unsupported command

    Tue Aug 12 17:13:19 2003 0 SYST

    Tue Aug 12 17:13:19 2003 0 215 UNIX Type: L8

    Tue Aug 12 17:13:19 2003 0 SITE help

    Tue Aug 12 17:13:19 2003 0 502 No site commands are currently implimented

    Tue Aug 12 17:13:20 2003 0 PWD

    Tue Aug 12 17:13:20 2003 0 257 “/” is the current directory

    Tue Aug 12 17:13:20 2003 0 NOOP

    Tue Aug 12 17:13:20 2003 0 200 NOOP command received

    Tue Aug 12 17:13:20 2003 0 CWD /

    Tue Aug 12 17:13:20 2003 0 250 Change directory ok

    Tue Aug 12 17:13:20 2003 0 TYPE A

    Tue Aug 12 17:13:20 2003 0 200 Type ASCII

    Tue Aug 12 17:13:21 2003 0 PORT 80,23,152,41,40,219

    Tue Aug 12 17:13:21 2003 0 200 Port command received

    Tue Aug 12 17:13:21 2003 0 LIST

    Tue Aug 12 17:13:21 2003 0 Data connection established

    Tue Aug 12 17:13:21 2003 0 150 Opening data connection

    Tue Aug 12 17:13:21 2003 0 The data connection was closed by the remote socket

    Tue Aug 12 17:13:21 2003 0 500 List command failed

    Tue Aug 12 17:14:23 2003 1 Incoming connection request on interface 192.168.0.3

    Tue Aug 12 17:14:23 2003 1 Connection request accepted from 80.23.152.41

    Tue Aug 12 17:14:23 2003 1 USER fabri

    Tue Aug 12 17:14:23 2003 1 331 User fab Ok, password please

    Tue Aug 12 17:14:23 2003 1 PASS ***********

    Tue Aug 12 17:14:23 2003 1 230 Password Ok, User logged in

    Tue Aug 12 17:14:23 2003 1 OPTS utf8 on

    Tue Aug 12 17:14:23 2003 1 502 Unrecognized or unsupported command

    Tue Aug 12 17:14:23 2003 1 SYST

    Tue Aug 12 17:14:23 2003 1 215 UNIX Type: L8

    Tue Aug 12 17:14:23 2003 1 SITE help

    Tue Aug 12 17:14:23 2003 1 502 No site commands are currently implimented

    Tue Aug 12 17:14:24 2003 1 PWD

    Tue Aug 12 17:14:24 2003 1 257 “/” is the current directory

    Tue Aug 12 17:14:24 2003 1 TYPE A

    Tue Aug 12 17:14:24 2003 1 200 Type ASCII

    Tue Aug 12 17:14:24 2003 1 PORT 80,23,152,41,40,225

    Tue Aug 12 17:14:24 2003 1 200 Port command received

    Tue Aug 12 17:14:24 2003 1 LIST

    Tue Aug 12 17:14:24 2003 1 Data connection established

    Tue Aug 12 17:14:24 2003 1 150 Opening data connection

    Tue Aug 12 17:14:24 2003 1 The data connection was closed by the remote socket

    Tue Aug 12 17:14:24 2003 1 500 List command failed

    Tue Aug 12 17:15:01 2003 0 Connection timed out. Shutting down connection…

    Tue Aug 12 17:15:01 2003 0 Connection terminated.

    Tue Aug 12 17:16:05 2003 1 Connection timed out. Shutting down connection…

    Tue Aug 12 17:16:05 2003 1 Connection terminated.


    #30974
    imported_Serin
    Participant

    Hello,

    You mentioned that you have port 21 & 22 open on your router. FTP uses port 21 for the control connection and port 20 for the data connection. The reason the list command is failing is because the data connection cannot be properly established. If you are going to allow data connections to be established via the PORT command instead of PASV, you will need to make sure port 20 is open for outgoing connections.

    Assuming everything else is configured correctly, this should fix your problem.
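
Added example (not part of the original posts and not Cerberus code): a small parser for the log format posted above that decodes each PORT argument into the client address and port the server must connect back to, and compares that address with the control-connection peer. The function names `decode_port` and `analyze` are hypothetical; session 1 in the sample is constructed.

```python
import ipaddress
import re

# Session 0 lines are taken from the log in the thread; session 1 is constructed
# for illustration (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
Tue Aug 12 17:13:19 2003 0 Connection request accepted from 80.23.152.41
Tue Aug 12 17:13:21 2003 0 PORT 80,23,152,41,40,219
Tue Aug 12 17:13:21 2003 0 LIST
Tue Aug 12 17:13:21 2003 0 The data connection was closed by the remote socket
Tue Aug 12 17:13:21 2003 0 500 List command failed
Tue Aug 12 17:14:23 2003 1 Connection request accepted from 203.0.113.7
Tue Aug 12 17:14:24 2003 1 PORT 192,168,1,20,4,1
Tue Aug 12 17:14:24 2003 1 LIST
Tue Aug 12 17:14:24 2003 1 500 List command failed
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> <session id> <message>"
LINE = re.compile(r"^\w{3} \w{3} \d{2} [\d:]{8} \d{4} (\d+) (.*)$")

def decode_port(arg):
    """Decode a PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def analyze(log_text):
    """Return {session_id: {"peer", "mode", "endpoint", "findings"}}."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a startup line without a session id
        sid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(
            sid, {"peer": None, "mode": None, "endpoint": None, "findings": []})
        if msg.startswith("Connection request accepted from "):
            s["peer"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("PORT "):
            s["mode"], s["endpoint"] = "active", decode_port(msg[5:])
            ip = s["endpoint"][0]
            if ip != s["peer"]:
                kind = "private" if ipaddress.ip_address(ip).is_private else "foreign"
                s["findings"].append("PORT names %s address %s, peer is %s"
                                     % (kind, ip, s["peer"]))
        elif msg == "PASV":
            s["mode"] = "passive"
        elif msg.startswith("500 List command failed"):
            s["findings"].append("LIST failed in %s mode" % s["mode"])
    return sessions
```

For session 0 the PORT address equals the control peer, so the client is advertising its public address and the server's data connection is aimed at port 10459 on that host.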

    #30975
    Anonymous
    Participant

    Redirected also port 20 on router.

    The result is the same, the connection starts, but it is impossible to see files and directories and to go on.

    log:

    —-

    Wed Aug 13 16:22:01 2003 0 Incoming connection request on interface 192.168.0.3

    Wed Aug 13 16:22:01 2003 0 Connection request accepted from 80.23.152.41

    Wed Aug 13 16:22:01 2003 0 USER anonymous

    Wed Aug 13 16:22:01 2003 0 230 User anonymous logged in

    Wed Aug 13 16:22:01 2003 0 OPTS utf8 on

    Wed Aug 13 16:22:01 2003 0 502 Unrecognized or unsupported command

    Wed Aug 13 16:22:02 2003 0 SYST

    Wed Aug 13 16:22:02 2003 0 215 UNIX Type: L8

    Wed Aug 13 16:22:02 2003 0 SITE help

    Wed Aug 13 16:22:02 2003 0 502 No site commands are currently implimented

    Wed Aug 13 16:22:02 2003 0 PWD

    Wed Aug 13 16:22:02 2003 0 257 “/” is the current directory

    Wed Aug 13 16:22:02 2003 0 NOOP

    Wed Aug 13 16:22:02 2003 0 200 NOOP command received

    Wed Aug 13 16:22:03 2003 0 CWD /

    Wed Aug 13 16:22:03 2003 0 250 Change directory ok

    Wed Aug 13 16:22:03 2003 0 TYPE A

    Wed Aug 13 16:22:03 2003 0 200 Type ASCII

    Wed Aug 13 16:22:03 2003 0 PORT 80,23,152,41,82,76

    Wed Aug 13 16:22:03 2003 0 200 Port command received

    Wed Aug 13 16:22:03 2003 0 LIST

    Wed Aug 13 16:22:03 2003 0 Data connection established

    Wed Aug 13 16:22:03 2003 0 150 Opening data connection

    Wed Aug 13 16:22:04 2003 0 The data connection was closed by the remote socket

    Wed Aug 13 16:22:04 2003 0 500 List command failed

    Wed Aug 13 16:22:39 2003 0 NOOP

    Wed Aug 13 16:22:39 2003 0 200 NOOP command received

    Wed Aug 13 16:22:39 2003 0 CWD /Download/

    Wed Aug 13 16:22:39 2003 0 550 Path does not exist

    #30976
    imported_Serin
    Participant

    Have you tried to establish a connection with PASV mode? Let's take this one step at a time. Try having the FTP client establish a connection using PASV mode.

    In addition, I don’t see the normal “Unable to open the data connection” message that would normally appear when the ports are configured incorrectly. What is the error message from the ftp client?

    #30977
    Anonymous
    Participant

    No errors on client, just closing connection.

    Maybe the PASV port is incorrect in Cerberus??

    I redirected on the router for this computer only ports 20, 21, 22 (some other ports, 80 and 6667, are already redirected to another computer).

    The Cerberus configuration page shows a range of ports 1040-3500 for PASV.

    What does it mean? That the router must redirect all those ports at disposition of Cerberus??

    In this case can I reduce the range of ports for PASV down to only one, or how many at minimum??

    #30978
    Anonymous
    Participant

    P.S. If I try to connect to the FTP server from the same computer through DOS

    ftp xxx.xxx.xxx.xxx after a while (about 30 sec) I receive:

    FTP:connect:10071

    Is it normal or does it mean something for my problem?

    #30979
    mdj
    Participant

    I have a few comments on several postings, so hang on:

    fabzec Aug 13 3:36pm

    Just checking, you did notice, that port 20 should be open for OUTGOING connections? FTP creates a connection FROM port 20 (non-passive) to any given port on the client which must be configured correctly, if using a firewall (http://www.mdjnet.dk/ftp.html).

    fabzec Aug 18 12:20pm

    Yes, it means that the range 1040-3500 should be open/redirected for incoming connections! Yes, you can narrow it down, but my guess is, that you can never have more passive ftp client connections than you have ports, so don’t narrow it too much! Also, if other programs request one or more of these ports BEFORE Cerberus, it will probably appreciate it, if it has the chance to choose another one…

    fabzec Aug 18 12:30pm

    This COULD mean that your ftp server is only configured to accept connections on its outside IP address, while internal private IP addresses are not allowed. Do you have more than 1 IP address on the machine, one for the internet, one for the internal network? Do you have more than one interface on the righthand side of the Cerberus window? If so, make sure all are enabled.

    #30980
    Anonymous
    Participant

    1

    port 20 21 and 22 are redirected both directions and firewall enables any port for Cerberus

    2

    I need only one connection at a time so I’m trying to use and redirect only one port for PASV (port 5800). I shall try this way, hoping this is the problem.

    3

    I have an internet Outside IP only and router and machines have their only lan address 192.168.0.1 2 3 and so on.

    Tks for yr attention

    #30981
    imported_Serin
    Participant

    You cannot reliably use only one port at a time for PASV. TCP/IP has a delay before any IP/port combination can be reused. The connection will fail if you attempt to reuse the same IP/port combination before a certain amount of time has elapsed (the time period can be several minutes).

    I would recommend opening up a range of at least several hundred ports. Several thousand if you expect many simultaneous connections.

    #30982
    Anonymous
    Participant

    You mean I have to allow a range of ports in the Cerberus configuration from 1040 to 3500 as default, or from 5600 to 5900 for example?

    But must the same redirection be made in the router? (My router, a D-Link dsl500, in the configuration seems to allow redirecting only one port per line and not a whole range of thousands!!)

    #30983
    thechao
    Participant

    Server is on IP address A, static routing behind a Linksys firewall/router #1. Ports 20,21,80,1024-3500 are open to the server.

    Client(s) are on IP address B, dynamic routing behind a Linksys firewall/router #2. Ports 20,21,80,1024-3500 are open to the clients.

    I’m able to connect TO the server but not get a connection BACK from the server.

    Any ideas?

    Thanks,

    -j.

    #30984
    thechao
    Participant

    It was a firmware problem with the Linksys. The specific router was the Linksys BEFW11S4 (EtherFast) which is the “Rev. 1” unit. Went to Linksys, downloaded the firmware-upgrader and upgraded. Works just fine over ports 20 and 21 (no need for PASV).

    -j.

    #30985
    Anonymous
    Participant

    Now I was able to connect to the FTP server (adding in the address the name of one of the allowed directories, i.e. ftp://xxx.xxx.xxx.xxx/documents)

    Then I see the content of the directory with all the items preceded by 0.00, but if I try to download one of them this is unsuccessful and the reply to the client is that there are no permissions (the configuration of Cerberus is ok for that directory), why?

    also:

    Is there a way to get the list of all the permitted paths as we only digit ftp://xxx.xxx.xxx.xxx/ ??

    this is the log I get in cerberus


    Mon Sep 01 12:23:10 2003 2 Incoming connection request on interface 192.168.0.3

    Mon Sep 01 12:23:10 2003 2 Connection request accepted from 80.23.152.41

    Mon Sep 01 12:23:10 2003 2 USER anonymous

    Mon Sep 01 12:23:10 2003 2 230 User anonymous logged in

    Mon Sep 01 12:23:10 2003 2 TYPE I

    Mon Sep 01 12:23:10 2003 2 200 Type Binary

    Mon Sep 01 12:23:11 2003 2 PASV

    Mon Sep 01 12:23:11 2003 2 421 Unable to create socket to listen on

    Mon Sep 01 12:23:11 2003 2 CWD /documents/00 00:00 Barcodes.zip

    Mon Sep 01 12:23:11 2003 2 550 Path does not exist

    Mon Sep 01 12:23:11 2003 2 The connection was closed by the remote socket.

    Mon Sep 01 12:23:11 2003 2 Connection terminated.
