ftplib problems with firewall

David Bolen db3l at fitlinxx.com
Tue Aug 1 16:30:07 EDT 2000


"lance <lance_99_99@" <"no_spam>yahoo.com"> writes:

> when i use the ftplib to retrieve a directory listing or retrieve a
> file, my firewall (IP Filter under OpenBSD) blocks this; i can login or
> change the directory
> 
> i find this very strange as i can use the regular FTP command, or any
> other program which uses TCP

Can you actually transfer a file with a normal FTP client?  FTP is
different from a straight TCP connection (it actually uses two TCP
connections, one for control, and one dynamically formed for data
transfer).

> this rule (using packet state) should let me use any program that uses
> TCP or UDP:
> 
> pass out on <my NIC> proto tcp/udp from <my machine> to any keep state

Ah, this is where the FTP protocol gets ugly for firewalls.  The
outbound TCP connection for FTP is only the control connection.
Whenever actual data is transferred (which includes a directory
listing and not just file transfers), what actually happens is that
the FTP client sends across port and address information and the FTP
server turns around and makes a connection _formed from server to
client_ to the address/port that it was given.

The inbound connection attempt will be coming from the FTP server port
on the remote host (21) but will be targeted at any random port on
your own machine, since it's the client port that answers.
Unfortunately, that's a reasonably big hole in a non-stateful IP-based
firewall, but them's the breaks.

> any help is greatly appreciated as i'd rather not change my firewall
> configuration just for ftplib

I'm a bit surprised that you can use a normal client for FTP transfers
through your firewall configuration, and not ftplib.  They'll both
require special entries in the firewall, but whatever works for one
should really work for both.

--
-- David
-- 
/-----------------------------------------------------------------------\
 \               David Bolen            \   E-mail: db3l at fitlinxx.com  /
  |             FitLinxx, Inc.            \  Phone: (203) 708-5192    |
 /  860 Canal Street, Stamford, CT  06902   \  Fax: (203) 316-5150     \
\-----------------------------------------------------------------------/
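The exchange David describes (client sends PORT, server dials back to the client's listening port) is what a client-side "pass out ... keep state" rule never sees as outbound state. The following is an added example, not code from the original thread: it runs a toy in-process FTP server that understands just enough of RFC 959 for ftplib's nlst(), then fetches the same listing twice, once with ftplib.set_pasv(False) (PORT, server dials out) and once in passive mode (PASV, client dials out), recording which side opened the data connection each time. The directory listing and the server are constructed here; the server sends data from an ephemeral source port rather than binding a fixed data port, which is a simplification.

```python
"""Show which side opens the FTP data connection in active vs passive mode."""
import socket
import threading
from ftplib import FTP

LISTING = ["README", "data.bin"]  # constructed sample directory listing


def parse_port(arg):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port) as a server does."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def _serve_one(ctrl, events):
    """Handle one control connection; minimal RFC 959 subset for nlst()."""
    f = ctrl.makefile("rwb")

    def reply(code, text):
        f.write(("%d %s\r\n" % (code, text)).encode())
        f.flush()

    reply(220, "toy ftpd")
    data_target = None  # ("active", host, port) or ("passive", listener)
    while True:
        line = f.readline()
        if not line:
            break
        cmd, _, arg = line.decode().rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            reply(331, "password?")
        elif cmd == "PASS":
            reply(230, "logged in")
        elif cmd == "TYPE":
            reply(200, "ok")
        elif cmd == "PORT":
            # Client told us where it is listening for the data connection.
            data_target = ("active",) + parse_port(arg)
            reply(200, "PORT ok")
        elif cmd == "PASV":
            # Server listens instead; client will connect to this port.
            lst = socket.socket()
            lst.bind(("127.0.0.1", 0))
            lst.listen(1)
            p = lst.getsockname()[1]
            data_target = ("passive", lst)
            reply(227, "Entering Passive Mode (127,0,0,1,%d,%d)" % (p // 256, p % 256))
        elif cmd == "NLST":
            if data_target is None:
                reply(425, "use PORT or PASV first")
                continue
            reply(150, "here it comes")
            if data_target[0] == "active":
                # Server dials OUT to the client's ephemeral port: this is the
                # inbound SYN the client-side firewall sees and drops.
                d = socket.create_connection(data_target[1:])
                events.append(("server->client", data_target[2]))
            else:
                d, peer = data_target[1].accept()
                data_target[1].close()
                events.append(("client->server", peer[1]))
            d.sendall("".join(n + "\r\n" for n in LISTING).encode())
            d.close()
            reply(226, "done")
        elif cmd == "QUIT":
            reply(221, "bye")
            break
        else:
            reply(502, "not implemented")
    ctrl.close()


def start_server():
    """Start the toy server on a loopback port; returns (socket, events)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    events = []

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(c, events), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, events


def fetch_listing(port, passive):
    """Fetch the listing with ftplib in the requested data-connection mode."""
    ftp = FTP(timeout=5)
    ftp.connect("127.0.0.1", port)
    ftp.login("anonymous", "x")
    ftp.set_pasv(passive)  # False -> PORT (server dials back), True -> PASV
    names = ftp.nlst()
    ftp.quit()
    return names


def demo():
    srv, events = start_server()
    port = srv.getsockname()[1]
    active = fetch_listing(port, passive=False)
    passive = fetch_listing(port, passive=True)
    srv.close()
    return {"active": active, "passive": passive, "events": events}


if __name__ == "__main__":
    for mode, info in demo().items():
        print(mode, info)
```

The events list ends up with one "server->client" entry (active mode: the server initiated a new TCP connection to the client's port, which an outbound-only stateful rule on the client side does not match) and one "client->server" entry (passive mode: the data connection is just another outbound TCP connection, so the same "keep state" rule covers it). Calling ftp.set_pasv(True), ftplib's default, is therefore the usual fix when only outbound connections are allowed.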