If the FTP client is able to connect and issue commands but then doesn't get
any response, then using a passive ftp client and server is the answer.  FTP
has always been a problem for firewalls and that's why passive mode clients
were introduced.  It's been a long time since I looked at this but, from
memory, it's because the ftp server opens up a new tcp connection from
itself to the client to transmit data be it a directory listing or a file
transfer.  It does something like use port 20 (or 21, can't remember) as the
source port and the client's source port as the destination and firewalls
won't let it through.  Passive clients (and servers) use the existing tcp
connection to send commands and data.

Hope this helps

Cheers


Greg


> From: Martin Hill <[EMAIL PROTECTED]>
> Date: Fri, 10 Jun 2005 10:54:18 +0800
> To: WAMUG Mailing List <[email protected]>
> Subject: FTP through Tiger Server Firewall problem
> 
> Anyone else struck the problem of trying to enable FTP traffic through the
> Firewall in Mac OS X 10.4 Tiger Server?
> 
> I've just installed Tiger Server on one of our G5 Xserves (Dual 2 GHz G5,
> 1GB RAM 1.2TB HD) and as soon as I turn on the Firewall, FTP clients can't
> connect and download files despite ticking the allow traffic for FTP Service
> ports 20-21 check box.
> 
> I came across this discussion at http://discussions.info.apple.com/:
> 
>> The internal firewall settings have changed from 10.3 to 10.4.
>> Here is the problem (from another thread): firewall (ipfw) is preventing ftp
>> client from using a <server assigned port>. When ftp client on MacOSX
>> connects
>> to a server, a server assigns a local port number, which is in the unprivileged
>> IP range. The firewall on MacOS Tiger prevents the ftp client from connecting back
>> to the assigned port range. In other words, communication fails after the
>> initial handshake between ftp client and ftpd is complete (and this problem
>> only occurs when the ftp client is trying to connect to an ftp server that uses
>> the IP_PORTRANGE feature).
>> ============================================
>> The rule that was used in the 10.3 firewall was:
>> ALLOW If protocol is TCP and source port is 20,21 and destination port is
>> 1024-65535 and packet is incoming.
>> ============================================
>> The client computer will need to add this rule using a program like WEBMIN or
>> BRICKHOUSE, or it will be necessary to turn off the firewall whenever FTP
>> facility is desired.
>> 
>> Unless there is a way of defeating the Host Portrange feature from the
>> client.
>> Kori
> 
> So it looks like I'm not alone.
> 
> I tried manually creating a new Advanced Rule to "ALLOW If protocol is TCP
> and source port is 20,21 and destination port is 1024-65535" as mentioned
> above but haven't had any success yet.
> 
> Any suggestions?
> 
> -Mart
> 
> --------------------------------------
> Martin Hill
> mailto:[EMAIL PROTECTED]
> homepages: http://mart.ozmac.com
> Mb: 0417-967-969  hm: (08)9314-5242
> 
> 
> 
> -- The WA Macintosh User Group Mailing List --
> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
> Unsubscribe - <mailto:[EMAIL PROTECTED]>
> 
> WAMUG is powered by Stalker CommuniGatePro
>
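As an added illustration of the active/passive distinction Greg describes and of the ipfw-style rules quoted in the thread (example code, not from either poster): it decodes the PORT/227 host-port tuples, builds the first packet of the data connection for each mode, and checks it against a stateless port-based rule set. The addresses, the client's ephemeral port and the passive port range are constructed assumptions.

```python
import re

def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
    if not m:
        raise ValueError("no host/port tuple in: %r" % line)
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

def data_syn(mode, client_ip, server_ip, line, client_port=50001):
    """First packet of the data connection. Active: the server dials the client
    from port 20. Passive: the client dials the port announced in the 227 reply."""
    host, port = parse_hostport(line)
    if mode == "active":
        return {"src": (server_ip, 20), "dst": (host, port)}
    if mode == "passive":
        return {"src": (client_ip, client_port), "dst": (host, port)}
    raise ValueError("unknown mode: %s" % mode)

def allowed(packet, rules):
    """First-match check of an inbound TCP SYN against rules of the form
    (allowed_source_ports_or_None, (dst_lo, dst_hi)); no match means denied,
    like a default-deny tail in ipfw."""
    sport, dport = packet["src"][1], packet["dst"][1]
    for src_ports, (lo, hi) in rules:
        if (src_ports is None or sport in src_ports) and lo <= dport <= hi:
            return True
    return False

# The 10.3 client-side rule quoted above: TCP from source port 20,21 to 1024-65535, incoming.
CLIENT_RULES = [({20, 21}, (1024, 65535))]
# Server side with only the "FTP Service ports 20-21" box ticked.
SERVER_RULES_20_21 = [(None, (20, 21))]
# Same, plus a rule for a constructed passive data port range (assumption).
PASV_RANGE = (49152, 65535)
SERVER_RULES_PASV = SERVER_RULES_20_21 + [(None, PASV_RANGE)]

def demo():
    client, server = "192.0.2.10", "198.51.100.5"  # constructed addresses
    active = data_syn("active", client, server, "PORT 192,0,2,10,195,80")  # client port 50000
    passive = data_syn("passive", client, server,
                       "227 Entering Passive Mode (198,51,100,5,200,1)")  # server port 51201
    return {
        "active_at_client_fw": allowed(active, CLIENT_RULES),               # True
        "passive_at_server_fw_20_21": allowed(passive, SERVER_RULES_20_21),  # False
        "passive_at_server_fw_pasv": allowed(passive, SERVER_RULES_PASV),    # True
    }
```

The second result is the server-side case from Martin's report: opening 20-21 only covers the control channel and active-mode data, so a passive data connection to a high port needs its own rule.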