Ah yes. How many packets can we possibly stuff onto a thinwire network in the name of digital shoot-em-up? TCP/IP made it so that playing Doom across the network wasn't so obvious. No more 100% utilization. Also made it so that we in IT could hop into the games without mgmt coming around to find out why the heck the network wasn't responding :-)

-----
Robert Bosch Corporation
Technical Systems Analyst (RBNA/CSA1)
Corporate Sales Reporting Systems
38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
phone: 1 (248) 553-1164
fax: 1 (248) 848-6969
shawn.quillman@xxxxxxxxxxxx
http://www.bosch.us

_____
From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
Sent: Thursday, September 15, 2005 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Publishing FTP server

http://www.ISAserver.org

Haha great! Actually I believe that Doom was the #1 cause of network failures in the enterprise back then. You know, when stuff was speaking IPX/SPX and Vines instead of TCP/IP. And the FTP server that held the first Doom demo *did* melt. And for a funny story, people were already flooding the FTP server *before* they uploaded it, preventing id software from getting in and providing the file. Aaah, good times, good times.

_____
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: 15 September 2005 12:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Publishing FTP server

http://www.ISAserver.org

The Doom Demo part was great =) I'll start teaching FTP mentioning that if you don't mind!

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received this message in error, please return it to the recipient and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited.
SoftSell is not responsible for the content or the accuracy of this information.

>>> gauthiera@xxxxxxxxxxxxxxxxx 15/9/2005 11:38 >>>

http://www.ISAserver.org

For the heck of it, could you try:

1) Accessing the FTP server from the internet using PASV (passive) mode? (The basic built-in ftp client in Windows is braindead and does not support this. Try a GUI client; make sure it is in passive mode.)

2) Ensuring you have checked the "FTP Access Filter" on the FTP Server protocol of any Filtering Policy you might have in place

------- Some uncalled-for explanations on the FTP protocol below. You shut up and read if you're interested :P -------------

FTP is a rather hard-to-work-with protocol; I'll give you some explanations - although you probably already know this ;)

First, two connections are used, basically - port 20 and port 21. Port 21 is the control session, which is what you use to log in and issue commands. 20 is used as the data port, which is any file transfer or file listing. Apparently, you can talk on port 21 without problems, but fail to establish a data connection on port 20.

In default PORT mode, you (the client) are in fact acting as the server, from a TCP point of view at least. You connect to the FTP server on port 21, authenticate, then request a directory listing. *The server* will then open a connection to *the client machine* on port 20 to send files. That was done as a design decision because back then, putting the TCP/IP connection load on the client rather than the server would prevent the server from melting when, say, id software released their Doom demo. (Which happened anyway. But you know the drill.)

This doesn't work very well with NATs (which were probably nonexistent at the time) - so there are two things which were brought up for this very purpose. PASV mode restores the behaviour you'd expect from a client/server TCP connection, and the client is asked to connect to the server on port 20 when a directory listing is issued.
While this will work great when the user is behind a NAT, and fix all issues of the NAT not opening port 20 because it sees no reason to, it will sometimes be problematic in a situation where you have:

Client Computer ------- NAT ------ [The internet] -------- NAT --------- FTP Server

The client computer cannot use PORT, for it is behind a NAT. So PASV must be used. However, the FTP server will acknowledge the request for passive connections and return its IP address to the client for it to connect to. However, in the case of many FTP servers, the server will return its *private RFC address* (i.e. 172.16.12.8 - substitute for your favorite private subnet), which the client computer obviously cannot connect to.

Any firewall/gateway/proxy worth its salt will handle this by farting around with the FTP datagrams (both hands deep in Layer 3, beyotch!) and substitute the address, or use other arcane magic to make it work. ISA has this, and it is that very "FTP Access Filter" option, apparently. Cisco PIXes possess the "fixup protocol ftp 21" configuration line, which works like ass right now, at least in my home setup (it works if the client is behind a NAT and fails if the client is directly on the internet. Search me.)

As Jim suggested, running some kind of packet dump will tell you the answer quite clearly. But your client hanging on "ls" is proof that something is up with the data connection.
Hope this helps,

--
Alexandre Gauthier
Analyste Réseau / Network Analyst
gauthiera@xxxxxxxxxxxxxxxxx
Québec Loisirs - www.quebecloisirs.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: gauthiera@xxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
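The private-address PASV problem described in the message above, as an added example that is not part of the thread and not ISA or PIX code: a small parser for the server's 227 reply, a check for the RFC 1918 address a client across the internet cannot reach, and the address substitution an FTP application-layer filter performs on the way out. The sample reply (using the thread's 172.16.12.8) and the public address 203.0.113.10 are constructed.

```python
import ipaddress
import re

# Reply a server sends to PASV (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# The "private RFC address" ranges the thread refers to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]  # p1 is the high byte of the port, p2 the low byte

def diagnose_pasv(reply, control_peer):
    """Say what an internet client will experience; control_peer is the public address its port-21 session reached."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not a PASV reply"
    ip, port = parsed
    if any(ip in net for net in RFC1918):
        return ("server announced private address %s:%d; data connection will hang "
                "unless the gateway rewrites it to %s" % (ip, port, control_peer))
    return "data connection to %s:%d should work" % (ip, port)

def rewrite_pasv(reply, public_ip):
    """What the FTP filter/ALG does on the way out: substitute the address, keep the port bytes."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    h = public_ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n" % (
        h[0], h[1], h[2], h[3], port // 256, port % 256)

# Constructed sample: server behind NAT on 172.16.12.8 (the thread's example address), reached
# from outside on a constructed public address.
SAMPLE_REPLY = "227 Entering Passive Mode (172,16,12,8,195,80)\r\n"
PUBLIC_IP = "203.0.113.10"

if __name__ == "__main__":
    print(diagnose_pasv(SAMPLE_REPLY, PUBLIC_IP))
    print(rewrite_pasv(SAMPLE_REPLY, PUBLIC_IP).strip())
```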