Re: ftp passive mode is on by default?

> shin> The 1st trial seems to be rejected at,
> shin>   500 Illegal PORT range rejected.
> shin> and 2nd trial seems to be accepted at,
> shin>   200 pcmd command successful.
>
> This problem was reported at [FreeBSD-users-jp 46521].  It is
> Japanese FreeBSD mailing list.
> In my experience, EPRT didn't fail in such case.  I didn't
> understand what you say.  At last, I understand it.  It's my
> misunderstanding of my test environment.
> I used NetBSD-current for FTP server.  FreeBSD version of ftpd
> checks the validity of PORT request for security reason by default.
> EPRT request via NAT box is rejected by this check.  But, NetBSD's
> ftpd need `checkportcmd' options to behave as FreeBSD does, and I
> didn't specify it.  I think `ftpd -R' causes same situation.

OK, I realized it and actually confirmed that EPRT cause problem
via NAT when ftpd is execed with -R option.

> shin> The connection hanged at
> shin>   229 Entering Extended Passive Mode (|||1044|)
> shin> for a while, so I aborted it.
>
> This is something strange.  I still cannot understand why it
> occurs.  It seems libalias does no additional thing for PASV.  So, I
> think, if EPSV isn't NAT friendly, PASV would also fail.

Sorry this is my firewall setting mistake and PASV also failed.
After I fixed the configuration, both EPSV and PASV was OK.

I'll just change ftp command to use PORT command for IPv4.

Thanks,
Yoshinobu Inoue

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
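The behaviour discussed in this thread, as an added example that is not part of any message and is not FreeBSD or NetBSD code: it parses the data-connection messages (PORT, EPRT, the 227 PASV reply and the 229 EPSV reply) and runs a server-side validity check behind a NAT helper that rewrites PORT only. The addresses are constructed samples, and the function names and the exact form of the check (address must equal the control-connection peer, port not below 1024) are assumptions.

```python
import ipaddress
import re

def parse_data_addr(line):
    """Return (ip or None, port) carried by a PORT/EPRT command or 227/229 reply."""
    verb, _, arg = line.strip().partition(" ")
    if verb in ("PORT", "227"):            # h1,h2,h3,h4,p1,p2
        m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", arg)
        if not m or any(int(x) > 255 for x in m.groups()):
            raise ValueError("malformed address: %r" % line)
        n = [int(x) for x in m.groups()]
        return ipaddress.ip_address("%d.%d.%d.%d" % tuple(n[:4])), n[4] * 256 + n[5]
    if verb == "EPRT":                     # <d>proto<d>addr<d>port<d> (RFC 2428)
        parts = arg.split(arg[0]) if arg else []
        if len(parts) != 5:
            raise ValueError("malformed EPRT: %r" % line)
        return ipaddress.ip_address(parts[2]), int(parts[3])
    if verb == "229":                      # (<d><d><d>port<d>): no address at all
        m = re.search(r"\((.)\1\1(\d+)\1\)", arg)
        if not m:
            raise ValueError("malformed 229 reply: %r" % line)
        return None, int(m.group(2))
    raise ValueError("not a data-connection message: %r" % line)

def server_accepts(line, control_peer):
    """Assumed form of the ftpd validity check: the requested address must be
    the control connection's peer and the port must not be reserved (<1024)."""
    ip, port = parse_data_addr(line)
    return ip == ipaddress.ip_address(control_peer) and port >= 1024

def port_only_nat(line, inside, outside):
    """Model of a NAT helper that understands PORT but not EPRT."""
    if line.startswith("PORT "):
        ip, port = parse_data_addr(line)
        if str(ip) == inside:
            return "PORT %s,%d,%d" % (outside.replace(".", ","), port >> 8, port & 255)
    return line                            # EPRT passes through untranslated

# Constructed sample: client 192.168.1.10 behind a NAT whose outside address is 203.0.113.7
INSIDE, OUTSIDE = "192.168.1.10", "203.0.113.7"
EPRT = "EPRT |1|192.168.1.10|50000|"
PORT = "PORT 192,168,1,10,195,80"

if __name__ == "__main__":
    for cmd in (EPRT, PORT):
        seen = port_only_nat(cmd, INSIDE, OUTSIDE)
        print("%-30s -> %-28s accepted=%s" % (cmd, seen, server_accepts(seen, OUTSIDE)))
    print(parse_data_addr("229 Entering Extended Passive Mode (|||1044|)"))
```

With the check enabled, the untranslated EPRT is refused and the rewritten PORT is accepted, matching the 500-then-200 sequence in the transcript; with the check disabled the server would accept the EPRT and try to connect to the inside address, which it cannot reach.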
Re: ftp passive mode is on by default?

On Sun, 6 Feb 2000, Jordan K. Hubbard wrote:

> Having passive mode on by default *across the board* is truly the
> right thing to do in this day in age and there's no reason not to
> default to it now.  We've received too many tech support emails (and
> phone calls) from people with firewalls who were confused with the
> previous default.

Although it is silly that the system default natd doesn't support
using the system default ftp settings. :-/

Doug White          | FreeBSD: The Power to Serve
[EMAIL PROTECTED]   | www.FreeBSD.org
Re: ftp passive mode is on by default?

Having passive mode on by default *across the board* is truly the
right thing to do in this day in age and there's no reason not to
default to it now.  We've received too many tech support emails (and
phone calls) from people with firewalls who were confused with the
previous default.

- Jordan
Re: ftp passive mode is on by default?

Hi,

>>> On Mon, 07 Feb 2000 00:24:09 +0900, "shin", that is,
>>> Yoshinobu Inoue <[EMAIL PROTECTED]>, said:

shin> In non passive case,
. . .
shin> The 1st trial seems to be rejected at,
shin>   500 Illegal PORT range rejected.
shin> and 2nd trial seems to be accepted at,
shin>   200 pcmd command successful.

This problem was reported at [FreeBSD-users-jp 46521].  It is
Japanese FreeBSD mailing list.
In my experience, EPRT didn't fail in such case.  I didn't
understand what you say.  At last, I understand it.  It's my
misunderstanding of my test environment.
I used NetBSD-current for FTP server.  FreeBSD version of ftpd
checks the validity of PORT request for security reason by default.
EPRT request via NAT box is rejected by this check.  But, NetBSD's
ftpd need `checkportcmd' options to behave as FreeBSD does, and I
didn't specify it.  I think `ftpd -R' causes same situation.

shin> And then I tried passive mode.
ftp> passive
shin> Passive mode on.
ftp> dir
shin> 229 Entering Extended Passive Mode (|||1044|)
shin> ^C
shin> receive aborted
shin> waiting for remote to finish abort.

shin> The connection hanged at
shin>   229 Entering Extended Passive Mode (|||1044|)
shin> for a while, so I aborted it.

This is something strange.  I still cannot understand why it
occurs.  It seems libalias does no additional thing for PASV.  So, I
think, if EPSV isn't NAT friendly, PASV would also fail.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
http://www.imasy.org/~ume/
Re: ftp passive mode is on by default?

> shin> (About EPRT, initiating client retry PORT command next if EPRT
> shin> fails, so trying EPRT first will be OK.)

> No.  In this scenario, if server knows EPRT, EPRT request will be
> accepted, and will not fail.  But, existing NAT box doesn't handle
> EPRT request.  So, NAT box cannot treat data connection as if it treat
> for PORT.  Then, data connection request from server will not reach to
> client.

> shin> As RFC2428(FTP Extensions for IPv6 and NATs), EPSV can be used
> shin> for IPv4 and IPv6 and it has performance benefit for firewall
> shin> and NAT, because it doesn't include an IP address in its
> shin> command, so firewall and NAT doesn't need to translate them.

> No problem will occur with EPSV on even if IPv4.  If server doesn't
> know EPRT, client will try PASV next.

There seems to be also some problem in the reverse case.

I actually tested in the following environment.
(I should have checked it more earlier on the first place.)

  My home          router                remote
  current          3.3                   current
  /usr/bin/ftp     /usr/sbin/ppp -nat    /usr/libexec/ftpd

In non passive case,

  ftp> dir
  500 Illegal PORT range rejected.
  200 pcmd command successful.
  150 Opening ASCII mode data connection for '/bin/ls'.
  total 4
  dr-xr-xr-x  2 root  operator   512 Jan  2 14:50 bin
  dr-xr-xr-x  2 root  operator   512 Jan  2 14:50 etc
  drwxrwxrwt  2 root  operator   512 Jan  2 14:50 incoming
  drwxr-xr-x  2 root  operator  1024 Feb  4 12:54 pub
  226 Transfer complete.

The 1st trial seems to be rejected at,
  500 Illegal PORT range rejected.
and 2nd trial seems to be accepted at,
  200 pcmd command successful.

And then I tried passive mode.

  ftp> passive
  Passive mode on.
  ftp> dir
  229 Entering Extended Passive Mode (|||1044|)
  ^C
  receive aborted
  waiting for remote to finish abort.

The connection hanged at
  229 Entering Extended Passive Mode (|||1044|)
for a while, so I aborted it.

> shin> So if no other better suggestion, I think I'll get permission
> shin> to fix 4.0 ftp client to try EPSV only for IPv6.
>
> EPSV is NAT friendly.  I think disabling EPRT on IPv4 is better for a
> while.

I now feel disabling either of EPSV and EPRT via IPv4 is safe
for 4.0.

Yoshinobu Inoue
Re: ftp passive mode is on by default?

Hi,

>>> On Sun, 06 Feb 2000 17:42:14 +0900, "shin", that is,
>>> Yoshinobu Inoue <[EMAIL PROTECTED]>, said:

shin> Wmmm, I actually enabled it, but it is causing problems, so
shin> should EPSV only allowed for IPv6 at least for several
shin> starting 4.x releases?

I'm sorry.  My previous message confused you.

shin> (About EPRT, initiating client retry PORT command next if EPRT
shin> fails, so trying EPRT first will be OK.)

No.  In this scenario, if server knows EPRT, EPRT request will be
accepted, and will not fail.  But, existing NAT box doesn't handle
EPRT request.  So, NAT box cannot treat data connection as if it treat
for PORT.  Then, data connection request from server will not reach to
client.

shin> As RFC2428(FTP Extensions for IPv6 and NATs), EPSV can be used
shin> for IPv4 and IPv6 and it has performance benefit for firewall
shin> and NAT, because it doesn't include an IP address in its
shin> command, so firewall and NAT doesn't need to translate them.

No problem will occur with EPSV on even if IPv4.  If server doesn't
know EPRT, client will try PASV next.

shin> And there is also a chicken and egg issue, because if usual
shin> ftp clients don't try EPSV first, then usual firewall and NAT
shin> don't notice the necessity of supporting EPSV.

I agree.  I think EPSV is OK in any case.  We should be careful to
only EPRT on IPv4.  Using EPRT on IPv4 is a chicken and egg issue.

shin> But now passive is used by default, and not many firewall and
shin> NAT support it yet, so many user will be upset that they can't
shin> connect to some of ftp servers.

It's firewall and NAT friendly. :-)

shin> So if no other better suggestion, I think I'll get permission
shin> to fix 4.0 ftp client to try EPSV only for IPv6.

EPSV is NAT friendly.  I think disabling EPRT on IPv4 is better for a
while.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
http://www.imasy.org/~ume/
Re: ftp passive mode is on by default?

> Since KAME version of ftp/ftpd was merged, ftp speaks EPSV/EPRT as
> default not only IPv6 but also IPv4.  Currently, existing natd is not
> recognize EPRT.  So, NAT user may be confuse.  Please examine
> bin/14305.

Wmmm, I actually enabled it, but it is causing problems, so
should EPSV only allowed for IPv6 at least for several
starting 4.x releases?

(About EPRT, initiating client retry PORT command next if EPRT
fails, so trying EPRT first will be OK.)

As RFC2428(FTP Extensions for IPv6 and NATs), EPSV can be used
for IPv4 and IPv6 and it has performance benefit for firewall
and NAT, because it doesn't include an IP address in its
command, so firewall and NAT doesn't need to translate them.

And there is also a chicken and egg issue, because if usual
ftp clients don't try EPSV first, then usual firewall and NAT
don't notice the necessity of supporting EPSV.

But now passive is used by default, and not many firewall and
NAT support it yet, so many user will be upset that they can't
connect to some of ftp servers.

So if no other better suggestion, I think I'll get permission
to fix 4.0 ftp client to try EPSV only for IPv6.

Yoshinobu Inoue
Re: ftp passive mode is on by default?

On Sun, Feb 06, 2000 at 04:06:07AM +0800, Peter Wemm wrote:
# Dmitry Valdov wrote:
# > Why ftp passive mode is on by default?
# > 229 Entering Extended Passive Mode (|||1049|)
# > passive     Toggle passive mode.  If passive mode is turned on (default
# >             is off),
# > Dmitry.
# Try this:
# [4:04am]~-112# env | grep FTP
# FTP_PASSIVE_MODE=YES
# [4:04am]~-113# grep FTP /etc/login.conf
#         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
# ie: ftp(1)'s default is off, but the OS default configuration is to set it
# to on.

Why don't we have FETCH_CMD as something like "/usr/bin/fetch -A -p"
by default, then?

#
# This is actually a good thing, for what it's worth.  It means you have a
# fighting chance of getting out through a firewall easily.
#
# Cheers,
# -Peter

--
-mishania
Re: ftp passive mode is on by default?

Hi,

> On Sat, 5 Feb 2000 22:09:18 +0300 (MSK)
> Dmitry Valdov <[EMAIL PROTECTED]> said:

dv> 229 Entering Extended Passive Mode (|||1049|)

Since KAME version of ftp/ftpd was merged, ftp speaks EPSV/EPRT as
default not only IPv6 but also IPv4.  Currently, existing natd is not
recognize EPRT.  So, NAT user may be confuse.  Please examine
bin/14305.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
http://www.imasy.org/~ume/
Re: ftp passive mode is on by default?

Dmitry Valdov wrote:
> Hello!
>
> Why ftp passive mode is on by default?
>
>
> > ftp localhost
> Connected to localhost.
> 220 home.dv.ru FTP server (Version 6.00LS) ready.
> Name (localhost:dv):
> 331 Password required for dv.
> Password:
> 230 User dv logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /bin/sh /tmp/qqq
> local: /tmp/qqq remote: /bin/sh
> 229 Entering Extended Passive Mode (|||1049|)
> [...]
> ftp> passive
> Passive mode off.
> ftp>
>
>
> Manpage shows:
>
>  passive     Toggle passive mode.  If passive mode is turned on (default
>              is off),
> [...]
>
> Dmitry.

Try this:

[4:04am]~-112# env | grep FTP
FTP_PASSIVE_MODE=YES
[4:04am]~-113# grep FTP /etc/login.conf
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\

ie: ftp(1)'s default is off, but the OS default configuration is to set it
to on.

This is actually a good thing, for what it's worth.  It means you have a
fighting chance of getting out through a firewall easily.

Cheers,
-Peter
Re: ftp passive mode is on by default?

On Sat, Feb 05, 2000 at 10:09:18PM +0300, Dmitry Valdov wrote:
> Hello!
>
> Why ftp passive mode is on by default?

Lots of firewall/router filters doesn't allow active ftp ...

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE# 5456
Work:    Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek            @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
ftp passive mode is on by default?

Hello!

Why ftp passive mode is on by default?

> ftp localhost
Connected to localhost.
220 home.dv.ru FTP server (Version 6.00LS) ready.
Name (localhost:dv):
331 Password required for dv.
Password:
230 User dv logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /bin/sh /tmp/qqq
local: /tmp/qqq remote: /bin/sh
229 Entering Extended Passive Mode (|||1049|)
[...]
ftp> passive
Passive mode off.
ftp>

Manpage shows:

 passive     Toggle passive mode.  If passive mode is turned on (default
             is off),
[...]

Dmitry.