ftplib problems with firewall

David Bolen db3l at fitlinxx.com
Tue Aug 1 19:54:25 EDT 2000


"lance <lance_99_99@" <"no_spam>yahoo.com"> writes:

> Alright, I made a tcpdump for both the FTP client and ftplib.

Ah - I think I see.  I could be sure if your FTP client supports a
"debug" form that dumps the commands it issues, but if I had to bet,
I'd say that it was using "passive" mode by default, which I had
overlooked (oops).  I wasn't aware of clients that defaulted this way
but perhaps with the proliferation of firewalls and what not, some do.
But I should have thought of it as a possibility, since even with
older clients, you can enable passive mode from the command prompt.

In passive mode, rather than sending a PORT command from the client to
the server that specifies a port on the client that the server should
connect to for data connections, the client sends a PASV command, to
which the server responds with port information that it will listen
on.  It then waits for a connection for any transfer command rather
than itself making an active connection.  Although I believe
originally designed to enable support for one user agent to initiate a
direct transfer between two FTP servers, it can also work to let the
client still be the source of the connection for data transfers.

Of course, in general, passive connections still potentially cause
problems for filters since it means you have to permit arbitrary
connections from an internal host on any port to an arbitrary external
host on any port (e.g., anything originating from the inside), which
might not work for centralized firewalls, but for a personal setup
like yours where you already permit any outbound traffic, it should be
fine.

> Do you still think, after seeing the tcpdumps, that the regular FTP
> shouldn't work either? Or is ftplib doing something different?

Well, a "regular" FTP transfer still shouldn't work with your setup
(where my old time brain thinks of regular as the active connection
approach) but clearly passive mode does - who am I to argue with
success, but it also makes sense given your filters.

It looks like ftplib supports a "set_pasv" method - so how about
giving a shot at "set_pasv(1)" just after connecting and see what
happens.

--
-- David
-- 
/-----------------------------------------------------------------------\
 \               David Bolen            \   E-mail: db3l at fitlinxx.com  /
  |             FitLinxx, Inc.            \  Phone: (203) 708-5192    |
 /  860 Canal Street, Stamford, CT  06902   \  Fax: (203) 316-5150     \
\-----------------------------------------------------------------------/
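An added example, not part of the original message: it decodes the PORT argument and the 227 reply to PASV described above, and reports which side opens the data connection and whether a filter that permits only client-originated connections would pass it. The control-channel lines and addresses are constructed, and `parse_port`, `data_connection` and `passes_outbound_only_filter` are hypothetical helper names; `ftplib.parse227` is the standard-library parser for the PASV reply.

```python
import ftplib

# Constructed control-channel captures (documentation address ranges).
ACTIVE_SESSION = ["PORT 192,0,2,10,19,137", "RETR file.txt"]
PASSIVE_SESSION = ["PASV",
                   "227 Entering Passive Mode (198,51,100,7,195,80)",
                   "RETR file.txt"]


def parse_port(cmd):
    """Decode the h1,h2,h3,h4,p1,p2 argument of a PORT command."""
    parts = cmd.split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        raise ValueError("not a PORT command: %r" % cmd)
    nums = [int(n) for n in parts[1].split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % cmd)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def data_connection(lines):
    """Return (initiator, listener_host, listener_port) for the data channel.

    Active mode: the client listens and the server connects in.
    Passive mode: the server listens and the client connects out.
    """
    for line in lines:
        if line.upper().startswith("PORT "):
            host, port = parse_port(line)
            return "server", host, port
        if line.startswith("227"):
            host, port = ftplib.parse227(line)
            return "client", host, port
    raise ValueError("no PORT command or 227 reply found")


def passes_outbound_only_filter(lines):
    """Model a filter that allows connections opened by the client only."""
    initiator, _, _ = data_connection(lines)
    return initiator == "client"


if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION),
                          ("passive", PASSIVE_SESSION)):
        who, host, port = data_connection(session)
        verdict = "passes" if passes_outbound_only_filter(session) else "blocked"
        print("%s: %s connects to %s:%d -> %s" % (name, who, host, port, verdict))
```

With ftplib itself, the passive behaviour is selected by calling `set_pasv` on the FTP object after connecting, as suggested in the message.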