Active mode FTP over PPP
logger
2007-05-08 11:16:53 UTC
Hi. I wonder if somebody could shed some light on a problem I'm having
with "Active mode" FTP over a serial PPP link.

Some background:
I'm running a SuSE Enterprise 9 server (Server "A") with pppd version
2.4.2 installed along with Mgetty v1.1.30-288 and pure-ftp v1.0.18.
There is no firewall running.

I have three servers, which I'll call A (as mentioned above), B & C.
All have an ethernet interface each and are on the same subnet. Server
"A" has a number of modems installed all of which work just fine and
can handle local (i.e. just to itself and not involving "B" or "C")
active and passive modes of FTP over the PPP link that get established
from the calling Linux or Windows clients.

All machines can see each other and I can FTP using active and passive
modes between all three over the ethernet connections with no problems
whatsoever.

I can do "passive" mode Ftp's from my "client" over the Dial-Up PPP
interfaces on server "A" to server "A", "B" and "C" just fine.

The problem:
Arises when "client" dials the PPP link to machine "A" it can't do an
"active mode" FTP to machines "B" or "C" it just bombs with errors
listed in the output below. I can do an "active mode" Ftp from
"client" to machine "A" without any problem.

It smells like a problem with PPP but why would PPP be causing this
problem - why should it care about active or passive FTP's.

Please see error output below. I'll be happy to supply any more info
should anybody require it.


thanks for reading, chris


Error message generated when trying to "ls" on connection to Server
"B" :-

500 Illegal PORT rejected (address wrong).
425 Can't build data connection: Connection refused.
ftp> ls
425 Can't build data connection: Connection refused.
ftp>


Error message generated when trying to "ls" on connection to Server
"C" :-

200-FXP transfer: from 192.168.100.26 to 192.168.150.8
200 PORT command successful
425 Could not open data connection to port 3720: Co
Pascal Hambourg
2007-05-08 22:50:22 UTC
Hello,
Post by logger
Arises when "client" dials the PPP link to machine "A" it can't do an
"active mode" FTP to machines "B" or "C" it just bombs with errors
listed in the output below. I can do an "active mode" Ftp from
"client" to machine "A" without any problem.
It smells like a problem with PPP but why would PPP be causing this
problem - why should it care about active or passive FTP's.
It should not care. And I strongly doubt it does.
Doesn't server "A" do SNAT or MASQUERADE on its ethernet interface ?
If yes (why ?), you need to modprobe the connection tracking and NAT
modules for FTP, called ip_conntrack_ftp and ip_nat_ftp or nf_conntrack
and nf_nat_ftp.
Moe Trin
2007-05-09 00:38:55 UTC
On 8 May 2007, in the Usenet newsgroup alt.os.linux, in article
<***@y80g2000hsf.googlegroups.com> amf in the
Usenet newsgroup comp.protocols.ppp, in article
<***@h2g2000hsg.googlegroups.com>. logger wrote:

[Please don't post the same article to multiple newsgroups. If you
must, set the newsgroup header to a comma separated list, and set
a 'Followup-To:' header as I have done here.]
Post by logger
I wonder if somebody could shed some light on a problem I'm having
with "Active mode" FTP over a serial PPP link.
Doesn't sound like a ppp problem - routing or firewall perhaps. You
need to use a packet sniffer and look at the exchanges when the active
mode transfer is being set up.
Post by logger
I have three servers, which I'll call A (as mentioned above), B & C.
All have an ethernet interface each and are on the same subnet. Server
"A" has a number of modems installed all of which work just fine and
can handle local (i.e. just to itself and not involving "B" or "C")
active and passive modes of FTP over the PPP link that get established
from the calling Linux or Windows clients.
This _implies_ that ppp and routing is set OK. What addresses are you
using on the Ethernet, and on the client? Same subnet? Are you using
'proxy-arp' on the dialin server?
Post by logger
Arises when "client" dials the PPP link to machine "A" it can't do an
"active mode" FTP to machines "B" or "C" it just bombs with errors
listed in the output below. I can do an "active mode" Ftp from
"client" to machine "A" without any problem.
Set up your favorite packet sniffer on the dialin server, and run a
packet capture of a FTP to server A (on the ppp0 side, which you say
works). Then repeat the process using server B or C. What is different
about the active mode setup? You may need to monitor the eth0 side
of the dialin server if the ppp0 side doesn't show everything. Please
don't post the packet dumps - what you are looking for is a difference
in how the second (data) channel is being set up. Something is blocking
that - and normally that would be a packet filter, or incorrectly
configured NAT (masquerade) server.
Post by logger
It smells like a problem with PPP but why would PPP be causing this
problem - why should it care about active or passive
What makes you think ppp is the cause? The difference between passive
and active FTP is that in passive mode, all data and control information
use a single port pair - ephemeral (above 1025) on the client, to/from
21 on the server. In active mode, two port pairs are used, ephemeral
(above 1025) on the client, to/from 21 on the server for the control,
and a different ephemeral on the client, to/from 20 on the server for
the data. It sounds as if something is not allowing the second pair
to establish a connection. Why? Like I say, that's normally a firewall
or NAT (Network Address Translation - call it IP-Masquerade) problem.

Old guy
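
An added example, not part of any poster's message: a simplified model of the server-side check behind the "Illegal PORT rejected (address wrong)" and "FXP transfer" replies quoted in this thread, and of the payload rewrite an FTP NAT helper such as ip_nat_ftp performs. It assumes, as a constructed scenario, that the dial-in client is 192.168.150.8 and that server "A" translates its source address to 192.168.100.26; the function names and reply texts are hypothetical.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("PORT field out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def encode_port_arg(ip, port):
    """Inverse of parse_port_arg."""
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])

def server_reply(peer_ip, arg, allow_foreign=False):
    """Simplified server policy: refuse a PORT address that is not the control peer."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError:
        return 501, "syntax error in PORT argument"
    if port < 1024:
        return 500, "privileged data port refused"
    if ip != ipaddress.IPv4Address(peer_ip):
        if not allow_foreign:
            return 500, f"PORT address {ip} is not control peer {peer_ip}"
        return 200, f"foreign PORT address accepted: {peer_ip} -> {ip}"
    return 200, "PORT accepted"

def helper_rewrite(arg, inside_ip, outside_ip):
    """Payload fix-up of an FTP NAT helper: swap the inside address for the translated one."""
    ip, port = parse_port_arg(arg)
    if ip == ipaddress.IPv4Address(inside_ip):
        ip = ipaddress.IPv4Address(outside_ip)
    return encode_port_arg(ip, port)

# Constructed scenario (assumption): the dial-in client is 192.168.150.8 and
# server A translates its source address to 192.168.100.26.
CLIENT, TRANSLATED = "192.168.150.8", "192.168.100.26"
PORT_ARG = encode_port_arg(CLIENT, 3720)  # six-field form of 192.168.150.8:3720

if __name__ == "__main__":
    print("strict, no helper  :", server_reply(TRANSLATED, PORT_ARG))
    print("lenient, no helper :", server_reply(TRANSLATED, PORT_ARG, allow_foreign=True))
    fixed = helper_rewrite(PORT_ARG, CLIENT, TRANSLATED)
    print("strict, with helper:", server_reply(TRANSLATED, fixed), fixed)
```

A 200 in the lenient case only means the PORT argument was accepted; the server still has to reach the advertised address and port to open the data connection.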
Clifford Kite
2007-05-09 20:25:01 UTC
Post by logger
Hi. I wonder if somebody could shed some light on a problem I'm having
with "Active mode" FTP over a serial PPP link.
I'm running a SuSE Enterprise 9 server (Server "A") with pppd version
2.4.2 installed along with Mgetty v1.1.30-288 and pure-ftp v1.0.18.
There is no firewall running.
I have three servers, which I'll call A (as mentioned above), B & C.
All have an ethernet interface each and are on the same subnet. Server
"A" has a number of modems installed all of which work just fine and
can handle local (i.e. just to itself and not involving "B" or "C")
active and passive modes of FTP over the PPP link that get established
from the calling Linux or Windows clients.
All machines can see each other and I can FTP using active and passive
modes between all three over the ethernet connections with no problems
whatsoever.
I can do "passive" mode Ftp's from my "client" over the Dial-Up PPP
interfaces on server "A" to server "A", "B" and "C" just fine.
Arises when "client" dials the PPP link to machine "A" it can't do an
"active mode" FTP to machines "B" or "C" it just bombs with errors
listed in the output below. I can do an "active mode" Ftp from
"client" to machine "A" without any problem.
It smells like a problem with PPP but why would PPP be causing this
problem - why should it care about active or passive
Does the IP address assigned to the client belong to the LAN of the
three machines?
Post by logger
FTP's.
Please see error output below. I'll be happy to supply any more info
should anybody require it.
thanks for reading, chris
Error message generated when trying to "ls" on connection to Server
"B" :-
500 Illegal PORT rejected (address wrong).
425 Can't build data connection: Connection refused.
ftp> ls
425 Can't build data connection: Connection refused.
ftp>
Error message generated when trying to "ls" on connection to Server
"C" :-
200-FXP transfer: from 192.168.100.26 to 192.168.150.8
It's possible that the CIDR subnet for the LAN of A, B, and C could
include both these addresses but it seems unlikely.
Post by logger
200 PORT command successful
425 Could not open data connection to port 3720: Co
The differences in log messages are probably due to different FTP server
daemons and/or configuration thereof. Both balk at opening the data
connection.

I'd try looking at the FTP access configuration on both B and C for
something related to the client IP address and access mode that might
cause the problem(s).
--
Clifford Kite
/* "PPPoE has many advantages for DSL service providers, and
practically none for DSL consumers."
- David F. Skoll */
logger
2007-05-10 10:45:33 UTC
Post by Clifford Kite
Post by logger
Hi. I wonder if somebody could shed some light on a problem I'm having
with "Active mode" FTP over a serial PPP link.
I'm running a SuSE Enterprise 9 server (Server "A") with pppd version
2.4.2 installed along with Mgetty v1.1.30-288 and pure-ftp v1.0.18.
There is no firewall running.
I have three servers, which I'll call A (as mentioned above), B & C.
All have an ethernet interface each and are on the same subnet. Server
"A" has a number of modems installed all of which work just fine and
can handle local (i.e. just to itself and not involving "B" or "C")
active and passive modes of FTP over the PPP link that get established
from the calling Linux or Windows clients.
All machines can see each other and I can FTP using active and passive
modes between all three over the ethernet connections with no problems
whatsoever.
I can do "passive" mode Ftp's from my "client" over the Dial-Up PPP
interfaces on server "A" to server "A", "B" and "C" just fine.
Arises when "client" dials the PPP link to machine "A" it can't do an
"active mode" FTP to machines "B" or "C" it just bombs with errors
listed in the output below. I can do an "active mode" Ftp from
"client" to machine "A" without any problem.
It smells like a problem with PPP but why would PPP be causing this
problem - why should it care about active or passive
Does the IP address assigned to the client belong to the LAN of the
three machines?
Post by logger
FTP's.
Please see error output below. I'll be happy to supply any more info
should anybody require it.
thanks for reading, chris
Error message generated when trying to "ls" on connection to Server
"B" :-
500 Illegal PORT rejected (address wrong).
425 Can't build data connection: Connection refused.
ftp> ls
425 Can't build data connection: Connection refused.
ftp>
Error message generated when trying to "ls" on connection to Server
"C" :-
200-FXP transfer: from 192.168.100.26 to 192.168.150.8
It's possible that the CIDR subnet for the LAN of A, B, and C could
include both these addresses but it seems unlikely.
Post by logger
200 PORT command successful
425 Could not open data connection to port 3720: Co
The differences in log messages are probably due to different FTP server
daemons and/or configuration thereof. Both balk at opening the data
connection.
I'd try looking at the FTP access configuration on both B and C for
something related to the client IP address and access mode that might
cause the problem(s).
--
Clifford Kite
/* "PPPoE has many advantages for DSL service providers, and
practically none for DSL consumers."
- David F. Skoll */
Hi Clifford. Thanks for your response.

Should you be interested, this is continuing in alt.os.linux area -
saves cluttering up multiple groups!



chris
