why connection doesn't go on with LIST directories ?

fabzec

why connection doesn't go on with LIST directories ?

Post by fabzec » Tue Aug 12, 2003 11:56 am

Hello, just installed Cerberus.
I have a router and the IP for PASV is the correct address of the router.
The router is NAT enabled, port 21&22 redirected on this computer, port 80 on other computer on the LAN.
The structure of virtual directory is composed, following the root /, by five folders located in two HDs.
The accesses are one for anonymous and one for user with PWD.

This is a log for two connections as I usually get them.
Why doesn't the connection go on with the list of directories and allow browsing in them? The connection fails.
Thanks for your help.
-----

Tue Aug 12 17:11:28 2003 Vendor: GenuineIntel
Tue Aug 12 17:11:28 2003 CPU: Intel Celeron
Tue Aug 12 17:11:28 2003 Number of Processors: 1
Tue Aug 12 17:11:28 2003 Operating System: Microsoft Windows 98

Tue Aug 12 17:11:28 2003 Cerberus FTP Server started
Tue Aug 12 17:11:28 2003 Local Host: 192


Tue Aug 12 17:11:28 2003 Local Interface 0 located at 192.168.0.3
Tue Aug 12 17:11:28 2003 Listening on Port 21

Tue Aug 12 17:13:19 2003 0 Incoming connection request on interface 192.168.0.3
Tue Aug 12 17:13:19 2003 0 Connection request accepted from 80.23.152.41
Tue Aug 12 17:13:19 2003 0 USER anonymous
Tue Aug 12 17:13:19 2003 0 230 User anonymous logged in
Tue Aug 12 17:13:19 2003 0 OPTS utf8 on
Tue Aug 12 17:13:19 2003 0 502 Unrecognized or unsupported command
Tue Aug 12 17:13:19 2003 0 SYST
Tue Aug 12 17:13:19 2003 0 215 UNIX Type: L8
Tue Aug 12 17:13:19 2003 0 SITE help
Tue Aug 12 17:13:19 2003 0 502 No site commands are currently implimented
Tue Aug 12 17:13:20 2003 0 PWD
Tue Aug 12 17:13:20 2003 0 257 "/" is the current directory
Tue Aug 12 17:13:20 2003 0 NOOP
Tue Aug 12 17:13:20 2003 0 200 NOOP command received
Tue Aug 12 17:13:20 2003 0 CWD /
Tue Aug 12 17:13:20 2003 0 250 Change directory ok
Tue Aug 12 17:13:20 2003 0 TYPE A
Tue Aug 12 17:13:20 2003 0 200 Type ASCII
Tue Aug 12 17:13:21 2003 0 PORT 80,23,152,41,40,219
Tue Aug 12 17:13:21 2003 0 200 Port command received
Tue Aug 12 17:13:21 2003 0 LIST
Tue Aug 12 17:13:21 2003 0 Data connection established
Tue Aug 12 17:13:21 2003 0 150 Opening data connection
Tue Aug 12 17:13:21 2003 0 The data connection was closed by the remote socket
Tue Aug 12 17:13:21 2003 0 500 List command failed

Tue Aug 12 17:14:23 2003 1 Incoming connection request on interface 192.168.0.3
Tue Aug 12 17:14:23 2003 1 Connection request accepted from 80.23.152.41
Tue Aug 12 17:14:23 2003 1 USER fabri
Tue Aug 12 17:14:23 2003 1 331 User fab Ok, password please
Tue Aug 12 17:14:23 2003 1 PASS ***********
Tue Aug 12 17:14:23 2003 1 230 Password Ok, User logged in
Tue Aug 12 17:14:23 2003 1 OPTS utf8 on
Tue Aug 12 17:14:23 2003 1 502 Unrecognized or unsupported command
Tue Aug 12 17:14:23 2003 1 SYST
Tue Aug 12 17:14:23 2003 1 215 UNIX Type: L8
Tue Aug 12 17:14:23 2003 1 SITE help
Tue Aug 12 17:14:23 2003 1 502 No site commands are currently implimented
Tue Aug 12 17:14:24 2003 1 PWD
Tue Aug 12 17:14:24 2003 1 257 "/" is the current directory
Tue Aug 12 17:14:24 2003 1 TYPE A
Tue Aug 12 17:14:24 2003 1 200 Type ASCII
Tue Aug 12 17:14:24 2003 1 PORT 80,23,152,41,40,225
Tue Aug 12 17:14:24 2003 1 200 Port command received
Tue Aug 12 17:14:24 2003 1 LIST
Tue Aug 12 17:14:24 2003 1 Data connection established
Tue Aug 12 17:14:24 2003 1 150 Opening data connection
Tue Aug 12 17:14:24 2003 1 The data connection was closed by the remote socket
Tue Aug 12 17:14:24 2003 1 500 List command failed

Tue Aug 12 17:15:01 2003 0 Connection timed out. Shutting down connection...
Tue Aug 12 17:15:01 2003 0 Connection terminated.

Tue Aug 12 17:16:05 2003 1 Connection timed out. Shutting down connection...
Tue Aug 12 17:16:05 2003 1 Connection terminated.

------------------

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Post by Serin » Tue Aug 12, 2003 1:07 pm

Hello,

You mentioned that you have port 21 & 22 open on your router. FTP uses port 21 for the control connection and port 20 for the data connection. The reason the list command is failing is because the data connection cannot be properly established. If you are going to allow data connections to be established via the PORT command instead of PASV, you will need to make sure port 20 is open for outgoing connections.

Assuming everything else is configured correctly, this should fix your problem.

fabzec

Post by fabzec » Wed Aug 13, 2003 10:36 am

Redirected also port 20 on router.
The result is the same, the connection starts, but it is impossible to see files and directories and to go on.
---
log:
----
Wed Aug 13 16:22:01 2003 0 Incoming connection request on interface 192.168.0.3
Wed Aug 13 16:22:01 2003 0 Connection request accepted from 80.23.152.41
Wed Aug 13 16:22:01 2003 0 USER anonymous
Wed Aug 13 16:22:01 2003 0 230 User anonymous logged in
Wed Aug 13 16:22:01 2003 0 OPTS utf8 on
Wed Aug 13 16:22:01 2003 0 502 Unrecognized or unsupported command
Wed Aug 13 16:22:02 2003 0 SYST
Wed Aug 13 16:22:02 2003 0 215 UNIX Type: L8
Wed Aug 13 16:22:02 2003 0 SITE help
Wed Aug 13 16:22:02 2003 0 502 No site commands are currently implimented
Wed Aug 13 16:22:02 2003 0 PWD
Wed Aug 13 16:22:02 2003 0 257 "/" is the current directory
Wed Aug 13 16:22:02 2003 0 NOOP
Wed Aug 13 16:22:02 2003 0 200 NOOP command received
Wed Aug 13 16:22:03 2003 0 CWD /
Wed Aug 13 16:22:03 2003 0 250 Change directory ok
Wed Aug 13 16:22:03 2003 0 TYPE A
Wed Aug 13 16:22:03 2003 0 200 Type ASCII
Wed Aug 13 16:22:03 2003 0 PORT 80,23,152,41,82,76
Wed Aug 13 16:22:03 2003 0 200 Port command received
Wed Aug 13 16:22:03 2003 0 LIST
Wed Aug 13 16:22:03 2003 0 Data connection established
Wed Aug 13 16:22:03 2003 0 150 Opening data connection
Wed Aug 13 16:22:04 2003 0 The data connection was closed by the remote socket
Wed Aug 13 16:22:04 2003 0 500 List command failed
Wed Aug 13 16:22:39 2003 0 NOOP
Wed Aug 13 16:22:39 2003 0 200 NOOP command received
Wed Aug 13 16:22:39 2003 0 CWD /Download/
Wed Aug 13 16:22:39 2003 0 550 Path does not exist

Serin

Post by Serin » Wed Aug 13, 2003 12:32 pm

Have you tried to establish a connection with PASV mode? Let's take this one step at a time. Try having the ftp client establish a connection using PASV mode.

In addition, I don't see the normal "Unable to open the data connection" message that would normally appear when the ports are configured incorrectly. What is the error message from the ftp client?

fabzec

Post by fabzec » Mon Aug 18, 2003 7:20 am

No errors on client, just closing connection.

May be the PASV port incorrect in cerberus??
I redirected on router for this computer only port 20 21 22 ( some other ports: 80 6667 are already redirected on another computer)
The Cerberus configuration page shows range of ports 1040-3500 for PASV
What does it mean? That the router must redirect all those ports at disposition of Cerberus??
In this case can I reduce the range of ports for PASV to one only, or how many at minimum??

fabzec

Post by fabzec » Mon Aug 18, 2003 7:30 am

P.S. If I try to connect to the ftp server from the same computer through Dos
ftp xxx.xxx.xxx.xxx after a while (abt 30 sec) I receive:
FTP:connect:10071

Is it normal or it means something for my problem?

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Post by mdj » Mon Aug 18, 2003 9:14 am

I have a few comments on several postings, so hang on:

fabzec Aug 13 3:36pm
Just checking, you did notice, that port 20 should be open for OUTGOING connections? FTP creates a connection FROM port 20 (non-passive) to any given port on the client which must be configured correctly, if using a firewall (www.mdjnet.dk/ftp.html).

fabzec Aug 18 12:20pm
Yes, it means that the range 1040-3500 should be open/redirected for incoming connections! Yes, you can narrow it down, but my guess is, that you can never have more passive ftp client connections than you have ports, so don't narrow it too much! Also, if other programs request one or more of these ports BEFORE Cerberus, it will probably appreciate it, if it has the chance to choose another one...

fabzec Aug 18 12:30pm
This COULD mean that your ftp server is only configured to accept connections on its outside ip address, while internal private ip addresses are not allowed. Do you have more than 1 ip address on the machine, one for the internet, one for the internal network? Do you have more than one interface on the righthand side of the Cerberus window? If so, make sure all are enabled.
Morten Due Jørgensen
http://www.mdjnet.dk
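
Added example (not part of any post in this thread, and not Cerberus code): a small Python parser for the log format posted above that decodes each PORT argument into the address and port the server connects back to, compares it with the control-connection peer, and records how the data connection ended. The function names and outcome labels are this example's own; the log message strings are the ones that appear in the thread.

```python
import ipaddress

# Lines copied from the first session log posted in this thread.
SAMPLE_LOG = """\
Tue Aug 12 17:13:19 2003 0 Connection request accepted from 80.23.152.41
Tue Aug 12 17:13:21 2003 0 PORT 80,23,152,41,40,219
Tue Aug 12 17:13:21 2003 0 LIST
Tue Aug 12 17:13:21 2003 0 Data connection established
Tue Aug 12 17:13:21 2003 0 150 Opening data connection
Tue Aug 12 17:13:21 2003 0 The data connection was closed by the remote socket
Tue Aug 12 17:13:21 2003 0 500 List command failed
"""

def decode_port(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: " + arg)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def analyze(log_text):
    """Return one finding per PORT command seen in a log of this format."""
    peers, current, findings = {}, {}, []
    for raw in log_text.splitlines():
        fields = raw.split(None, 6)  # 5 timestamp fields, session id, message
        if len(fields) < 7 or not fields[5].isdigit():
            continue  # startup banner lines carry no session id
        sid, msg = fields[5], fields[6].strip()
        if msg.startswith("Connection request accepted from "):
            peers[sid] = msg.split()[-1]
        elif msg.startswith("PORT "):
            ip, port = decode_port(msg[5:].strip())
            current[sid] = {
                "session": sid, "target": (ip, port),
                # A target that differs from the control peer, or is a private
                # address, typically means the client's NAT did not rewrite it.
                "matches_peer": ip == peers.get(sid),
                "private_target": ipaddress.ip_address(ip).is_private,
                "outcome": "no data connection attempted",
            }
            findings.append(current[sid])
        elif sid in current:
            if msg == "Data connection established":
                current[sid]["outcome"] = "server reached client"
            elif msg == "The data connection was closed by the remote socket":
                current[sid]["outcome"] = "client side closed after connect"
            elif "Unable to open the data connection" in msg:
                current[sid]["outcome"] = "server could not reach client"
    return findings
```

Calling `analyze(SAMPLE_LOG)` on the posted session shows the server's outgoing connection to the client's port did succeed and was then closed from the client side, which is a different failure from the server being unable to open the data connection at all.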

fabzec

Post by fabzec » Mon Aug 18, 2003 6:12 pm

1
port 20 21 and 22 are redirected both directions and firewall enables any port for Cerberus
2
I need one only connection at a time so I'm trying to use and redirect one port only for PASV (port 5800). I shall try this way hoping this be the problem.
3
I have an internet Outside IP only and router and machines have their only lan address 192.168.0.1 2 3 and so on.

Tks for yr attention

Serin

Post by Serin » Mon Aug 18, 2003 6:59 pm

You cannot reliably use only one port at a time for PASV. TCP/IP has a delay before any IP/port combination can be reused. The connection will fail if you attempt to reuse the same IP/port combination before a certain amount of time has elapsed (the time period can be several minutes).

I would recommend opening up a range of at least several hundred ports. Several thousand if you expect many simultaneous connections.

fabzec

Post by fabzec » Tue Aug 19, 2003 5:17 am

You mean I have to allow range of ports in Cerberus configuration from 1040 to 3500 as default or to 5600 to 5900 for example?
but the same redirection must be made in the router ? ( my router D-Link dsl500 in the configuration seems to allow only to redirect one port for each line and not all a range of thousand!!)

thechao
Posts: 2
Joined: Thu Aug 21, 2003 11:26 am

Same Problem

Post by thechao » Thu Aug 21, 2003 11:55 am

Server is on IP address A, static routing behind a Linksys firewall/router #1. Ports 20,21,80,1024-3500 are open to the server.

Client(s) are on IP address B, dynamic routing behind a Linksys firewall/router #2. Ports 20,21,80,1024-3500 are open to the clients.

I'm able to connect TO the server but not get a connection BACK from the server.

Any ideas?

Thanks,
-j.

thechao

Solved.

Post by thechao » Thu Aug 21, 2003 12:42 pm

It was a firmware problem with the linksys. The specific router was the Linksys BEFW11S4 (EtherFast) which is the "Rev. 1" unit. Went to linksys, downloaded the firmware-upgrader and upgraded. Works just fine over ports 20 and 21 (no need for PASV).

-j.

fabzec

Post by fabzec » Wed Sep 03, 2003 7:03 am

Now I was able to connect to the FTP server (adding in the address the name of one of the allowed directories i.e. ftp://xxx.xxx.xxx.xxx/documents)
Then I see the content of the directory with all the items preceded by 0.00, but if I try to download one of them this is unsuccessful and the reply to client is that there are no permissions (the configuration of cerberus is ok for that directory), why?

also:
Is there a way to get the list of all the permitted paths as we only digit ftp://xxx.xxx.xxx.xxx/ ??


this is the log I get in cerberus
--------------
Mon Sep 01 12:23:10 2003 2 Incoming connection request on interface 192.168.0.3
Mon Sep 01 12:23:10 2003 2 Connection request accepted from 80.23.152.41
Mon Sep 01 12:23:10 2003 2 USER anonymous
Mon Sep 01 12:23:10 2003 2 230 User anonymous logged in
Mon Sep 01 12:23:10 2003 2 TYPE I
Mon Sep 01 12:23:10 2003 2 200 Type Binary
Mon Sep 01 12:23:11 2003 2 PASV
Mon Sep 01 12:23:11 2003 2 421 Unable to create socket to listen on
Mon Sep 01 12:23:11 2003 2 CWD /documents/00 00:00 Barcodes.zip
Mon Sep 01 12:23:11 2003 2 550 Path does not exist
Mon Sep 01 12:23:11 2003 2 The connection was closed by the remote socket.
Mon Sep 01 12:23:11 2003 2 Connection terminated.
