Koozali.org: home of the SME Server

FTP Frustrations

gsownsby

FTP Frustrations
« on: September 13, 2005, 03:43:01 AM »
I'm still trying to ftp into my sme box from the Internet.  My ftp log file says:

Status:   Connecting to ftp.mydomainname.com ...
Status:   Connected with ftp.mydomainname.com. Waiting for welcome message...
Response:   220 mickey.mydomainname.com FTP server ready
Command:   USER anonymous
Response:   331 Anonymous login ok, send your complete email address as your password.
Command:   PASS *****
Response:   230 Anonymous access granted, restrictions apply.
Command:   FEAT
Response:   211-Features:
Response:    MDTM
Response:    REST STREAM
Response:    SIZE
Response:   211 End
Command:   SYST
Response:   215 UNIX Type: L8
Status:   Connected
Status:   Retrieving directory listing...
Command:   PWD
Response:   257 "/" is current directory.
Command:   TYPE A
Response:   200 Type set to A
Command:   PASV
Response:   227 Entering Passive Mode (192,168,1,4,128,164).
Command:   LIST

Then it just sits there and does nothing.  The List command seems to throw SME for a loop so to speak.  What am I doing wrong?  Frazzled...

Janm

maybe this
« Reply #1 on: September 13, 2005, 04:30:06 AM »
Go to server-manager
Remote access and there you have it
Secure Shell Settings
You can control Secure Shell access to your server. The public setting should only be enabled by experienced administrators for remote problem diagnosis and resolution. We recommend leaving this parameter set to "No Access" unless you have a specific reason to do otherwise.
Secure shell access    

Allow administrative command line access over secure shell    

Allow secure shell access using standard passwords    

________________________________________
FTP Settings
You can also control FTP access to your server. We recommend leaving this parameter set to 'no access' unless you have a specific reason to do otherwise.
Note: these settings limit access to the server and override other settings, including those for individual information bays.
FTP access   

You can also control authenticated FTP access to information bays and user accounts. We strongly recommend leaving this parameter set to private unless you have a specific reason to do otherwise.
Note: a secure shell sftp client can also be used to access the server, if remote access via the secure shell is enabled. This method of access protects the passwords and data of the FTP session, whereas standard FTP provides no protection.
FTP password access   


Jan

arne
FTP Frustrations
« Reply #2 on: September 13, 2005, 06:01:00 AM »
For me this sounds more like a firewall traversal thing. Is there a firewall or a nat router or something like that between those PCs?

"Command: PASV"
"Response: 227 Entering Passive Mode (192,168,1,4,128,164)."
"Command: LIST"

Sounds like all logon works OK and when it enters "passive mode" for file transfer it just hangs.

The other alternative used to be "active mode", which will involve a completely different traffic pattern.

By the way the "active mode" was the original ftp communication standard and the "passive mode" was the modified standard to make traversal through firewalls easier. Sometimes it actually works the other way.

Quite often it is possible to configure the ftp client whether to use "active mode" or "passive mode". Such a change could make it work.

One other alternative is to forward both port 20 and 21 if you (the sme server) are behind a nat router or something like that.

I think MS Explorer is one of the FTP clients where you can have the choice between active mode and passive mode (Tools-Internet options-Advanced.)

Best reg Arne.
......

arne
FTP Frustrations
« Reply #3 on: September 13, 2005, 06:14:58 AM »
......

gsownsby

FTP Frustrations
« Reply #4 on: September 13, 2005, 01:42:30 PM »
Jan,

All the settings are as you describe but still no luck.  Thank you.

Gary

gsownsby

FTP Frustrations
« Reply #5 on: September 13, 2005, 01:52:50 PM »
Arne,

A bit of background...I have a separate box running BulletProof FTP Server.  Yes, I have a NAT router as the entry point/gateway to my home network.

Ordinarily, the NAT router (Linksys) is set to forward port 21 to 192.168.1.9 (the BulletProof FTP Server box).  Everything works fine.  Port 20 is not forwarded at all when using the BulletProof server.  Everything works.  I can access that server from the Internet or from within my local network.

When I installed SME Server on another box, I can FTP to it from within my local network but not from the Internet despite all the settings changes previously discussed.  I can FTP using any ID or anonymously from within my local network.  Passive or active state doesn't make any difference.  Everything works when you FTP from within the local network.

As you suggested, I forwarded ports 20 & 21 to 192.168.1.9 (SME box) and tried passive and active connections from my FTP client (WS_FTP) but everything still stops when the LIST command is issued.  I've tried using the ADMIN and a non-Admin user ID/password...all seem to get through the firewall fine and login seems to proceed but the LIST thing seems to hang the SME FTP process.

As you mentioned, I was already thinking that the traversal thing might be a culprit but why would one FTP box work fine but SME not?  Geeee....

Thanks for your thoughts on this.  The fact I can FTP from within my local network but not from the Internet despite a triple-check of the Remote Access settings makes me think SME is not really changing external access even though the screen representation says it is.

It still sounds like a traversal issue to me but where to go next??

UPDATE:  Perhaps a clue...could the SME FTP port range for passive transfers be different than the firewall port settings??  I can cause the BulletProof Server to hang on LIST too by turning off the port ranges for passive transfers.

Reinhold
FTP Frustrations
« Reply #6 on: September 13, 2005, 02:01:05 PM »
gsownsby,

Give us some data:
- Your SME is gateway and server ?
- What is the FTP Client you are using "from the internet" ?
- (if you did something besides standard SME, like install a ftp- or ssh-contrib)...show us the content of /etc/proftpd.conf

Regards
Reinhold

Addition: Ok you posted an update minutes before I sent this... and we learned you use ws_ftp. Please confirm that you did use
  • Passive Mode in Session Properties / Advanced
............

gsownsby

FTP Frustrations
« Reply #7 on: September 13, 2005, 02:08:35 PM »
Reinhold,

I'd be happy to provide all the clues I can:

Linksys router is gateway and NAT firewall.

WS_FTP is the external FTP client software.

SME is plain out of the box...no additions at all.

Can't get to /etc/proftpd.conf.  Yeah, I know but ALT+F2 doesn't get me to command line to go anywhere.  I've asked about that too in this forum.

See comprehensive write-up back to Arne above.

Thank you.

Reinhold
FTP Frustrations
« Reply #8 on: September 13, 2005, 03:01:46 PM »
gsownsby,

Let me cite part of the slacksite info arne gave you:
While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side.
The biggest issue is the need to allow any remote connection to high numbered ports on the server.

Since you do not allow SME, and its ftp server daemon proftpd, to handle this directly
- you put your own linksys router in between -
those "return ports" are obviously not open
...and you surely didn't forward all "any" :-D

You will find the same information on the proftpd site:
http://www.proftpd.de/Active-Passive_Dokumentation.35.0.html
and more on our problem here:
http://www.proftpd.org/localsite/Userguide/linked/config_ref_PassivePorts.html

EASIEST solution however is what charly told you in the other thread ...
remove Linksys and let SME "do its thing".
- SURE WORKS -
Off the cuff I couldn't tell you why Bullet-Proof does handle the situation ... except that the underlying windows machine must be "very open" to allow this to work! ... which you sort of prove when you "close" Bullet-Proof and it fails!

"ALT-F2" should get you to the commandline (could not find _that_ thread .-) but why not use putty from your (windows) workstation (remember to ssh in)...
Easier to copy and paste into your browser too ;-)

- Which SME version ?
- How many NICs ?
- Server only mode ?
- /etc/proftpd.conf   ...via putty/ssh

Regards
Reinhold

(note: it doesn't help if you open 2 or more threads  :-(
There _was/is_ quite some info in the other thread incl. "an answer"-solution from charly brady).
............
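Added example, not part of any post in this thread: a Python check that decodes the `227` reply from the log in the first post and reports why a data connection from outside the NAT router would stall at `LIST`. The function names, the control address `203.0.113.10` (a documentation placeholder for the router's public IP) and the forwarded-port lists are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a client on the Internet cannot route to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

# Reply copied from the log in the first post.
REPLY = "227 Entering Passive Mode (192,168,1,4,128,164)."


def parse_pasv(reply):
    """Return (host, port) from a 227 reply of the form (h1,h2,h3,h4,p1,p2)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    host = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def check_pasv(reply, control_ip, forwarded_ports):
    """List reasons the client's data connection would fail.

    control_ip: address the client used for the control connection (assumed).
    forwarded_ports: ports the NAT router forwards to the server (assumed).
    """
    host, port = parse_pasv(reply)
    control = ipaddress.ip_address(control_ip)
    problems = []
    if is_rfc1918(host) and not is_rfc1918(control):
        problems.append("server advertises private address %s; client "
                        "connected to %s and cannot reach it" % (host, control))
    if port not in forwarded_ports:
        problems.append("data port %d is not forwarded to the server" % port)
    return problems


if __name__ == "__main__":
    print(parse_pasv(REPLY))
    for p in check_pasv(REPLY, "203.0.113.10", (20, 21)):
        print("-", p)
```

Both findings have to be cleared for passive mode to work through the router: the advertised address must be one the client can reach, and the passive port range (the PassivePorts setting linked above) must be forwarded.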

Reinhold
FTP Frustrations
« Reply #9 on: September 13, 2005, 04:02:02 PM »
gsownsby,

Also this may be all too well hidden for a starter...
SME 6 Manual

...click NEXT on top-right
11.1.3. FTP

Regards
Reinhold
............

gsownsby

FTP Frustrations
« Reply #10 on: September 14, 2005, 02:44:46 AM »
Well, just for kicks has anyone in this forum successfully used an external firewall/router with SME with FTP?

Reinhold
FTP Frustrations
« Reply #11 on: September 14, 2005, 10:07:35 AM »
/me

Regards
Reinhold
............

arne
FTP Frustrations
« Reply #12 on: September 14, 2005, 01:07:25 PM »
I have two sme servers behind two different nat routers.

a. In my home behind a Netopia nat router.
b. In my friend's home behind a Topcom nat router.

The sme servers are both 6.0.1 set up as "server only" but with a firewall configuration.

Have never had any problem with ftp access, except that I think it is only the admin account that really works for the ftp connection (??).

By the way I use mostly WinSCP for system maintenance and file transfer and not so often ftp any more.
......